
Application Gateway vs Azure Front Door: When to Use What

Tags: Azure, Application Gateway, Front Door, WAF, Architecture

Application Gateway and Azure Front Door both do Layer 7 load balancing, TLS termination, optional WAF, and HTTP routing to backend pools. So why do both exist?

They operate at fundamentally different scopes. Application Gateway is a regional resource deployed inside your VNet. Front Door is a global edge service that sits outside it, in front of the region. That distinction drives every other difference.

Application Gateway: The Regional Workhorse

Application Gateway deploys into a dedicated subnet within your VNet. Because it sits inside the network, it can route to private backends with no public endpoint — your apps and APIs stay completely private.

Use it when:

  • Single-region deployments with all backends in one Azure region
  • Private backends with no public exposure
  • Path-based routing to different services within the same VNet
  • ExpressRoute or VPN traffic that needs Layer 7 routing
  • Regional WAF policies tailored to your application's traffic patterns

The Standard_v2 SKU (WAF_v2 if you need the WAF) is the current standard for production workloads. The v1 SKU retires in April 2026, so if you're still running it, migration is now urgent. For non-production environments, look at the new Basic SKU (currently in preview); it's designed for dev/test and low-traffic workloads at a lower price point.

One long-standing frustration with v2 was the mandatory public IP, even for purely internal workloads: the address had to exist even if no listener was ever bound to it. That's finally being addressed. Private-only deployment (no public IP) is now in public preview for v2, which removes a genuine security objection.

Expect roughly 200 to 500 pounds per month for a moderate-traffic production deployment on Standard_v2, including base capacity and data processing charges.

Watch the sizing. It's tempting to over-provision capacity units or enable autoscale with a high maximum — both burn money on headroom you'll never use. Right-size to your actual traffic patterns and set sensible autoscale limits.

For non-production environments, stop the Application Gateway outside business hours; a stopped gateway is not billed. A DevOps pipeline or scheduled runbook that stops the resource at 7pm and starts it at 7am, with weekends off, leaves it running 60 of 168 hours a week and cuts that cost by around two-thirds. Across multiple environments (dev, test, UAT, staging) that's thousands of pounds a year back in the budget.
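As an added example (not code from the original post), here is a reconcile script for that schedule, written for Azure CLI in bash. The resource group, gateway name and time zone are placeholders. The desired_state function holds the business-hours rule and can be tested without touching Azure; reconcile only calls az when the gateway's operationalState disagrees with that rule, so running it every 15 to 30 minutes from a pipeline schedule or Automation runbook self-heals a missed run.

```shell
#!/usr/bin/env bash
# Scheduled stop/start for a non-production Application Gateway (added example).
# Run with the argument "reconcile" from a pipeline schedule or Automation runbook;
# it converges the gateway to the desired state. Names below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-app-dev}"
GATEWAY_NAME="${GATEWAY_NAME:-agw-app-dev}"
# Evaluate the window in business-local time; pipeline agents usually run in UTC.
BUSINESS_TZ="${BUSINESS_TZ:-Europe/London}"

# desired_state HOUR DOW -> prints "Running" or "Stopped".
# HOUR is 00-23 and DOW is 1 (Monday) to 7 (Sunday), as produced by `date +%H` and `date +%u`.
# Window: 07:00-18:59 Monday to Friday; evenings and weekends are off.
desired_state() {
  hour="${1#0}"; hour="${hour:-0}"   # drop a leading zero so "08" is not read as octal
  dow="$2"
  if [ "$dow" -ge 1 ] && [ "$dow" -le 5 ] && [ "$hour" -ge 7 ] && [ "$hour" -lt 19 ]; then
    echo Running
  else
    echo Stopped
  fi
}

# current_state -> the gateway's operationalState: Running, Stopped, Starting or Stopping.
current_state() {
  az network application-gateway show \
    --resource-group "$RESOURCE_GROUP" --name "$GATEWAY_NAME" \
    --query operationalState -o tsv
}

# reconcile: act only when desired and actual states disagree, and never while the
# gateway is mid-transition (Starting/Stopping fall through to "no action").
reconcile() {
  want="$(desired_state "$(TZ="$BUSINESS_TZ" date +%H)" "$(TZ="$BUSINESS_TZ" date +%u)")"
  have="$(current_state)"
  echo "gateway=$GATEWAY_NAME state=$have desired=$want"
  case "$want:$have" in
    Running:Stopped) az network application-gateway start --resource-group "$RESOURCE_GROUP" --name "$GATEWAY_NAME" ;;
    Stopped:Running) az network application-gateway stop  --resource-group "$RESOURCE_GROUP" --name "$GATEWAY_NAME" ;;
    *)               echo "no action" ;;
  esac
}

# Only touch Azure when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "reconcile" ]; then
  reconcile
fi
```

Reconciling against the actual state, rather than blindly issuing stop at 19:00 and start at 07:00, means a gateway someone started by hand for an evening test is stopped again on the next run, and a pipeline outage at 07:00 does not leave testers without a gateway all day.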

Azure Front Door: The Global Edge

Front Door is a global Layer 7 load balancer and CDN operating from Microsoft's edge network, with well over a hundred points of presence worldwide. Traffic hits the nearest edge node, gets inspected, and travels across Microsoft's backbone to your origin. That origin can be anywhere: Azure, AWS, on-premises, or any publicly reachable endpoint (and, on the Premium tier, a private origin reached over Private Link).

Use it when:

  • Multi-region deployments with active-active or active-passive failover
  • Global load balancing routing users to the nearest healthy backend
  • CDN and caching to reduce origin load
  • Edge DDoS protection before malicious traffic reaches your Azure region
  • Global WAF with bot protection across all endpoints
  • Geographically dispersed users who need consistent performance

Pricing: Front Door Standard starts around 28 pounds per month base, making it surprisingly affordable for low-traffic sites. Premium is around 280 pounds per month, adding private link support and enhanced WAF. Both tiers charge per request and per gigabyte on top.

The Decision Framework

Choose Application Gateway when:

  • Everything is in a single region
  • Backends are private and must stay inside the VNet
  • Traffic arrives via ExpressRoute or VPN
  • Users are predominantly in one geographic area

Choose Front Door when:

  • Backends span multiple regions
  • You need global load balancing or failover
  • CDN and caching would meaningfully improve performance
  • You want edge DDoS mitigation before traffic reaches your network
  • Users are geographically dispersed

Consider both when:

  • Front Door handles global routing and edge WAF, while Application Gateway manages internal VNet routing to private backends. Legitimate pattern, but expensive — make sure you genuinely need both layers before committing.

Cost Comparison

Single-region, moderate traffic (UK users): Application Gateway is typically cheaper at 200 to 400 pounds per month. Front Door Standard's 28-pound base can climb with per-request charges. For straightforward single-region workloads, Application Gateway is simpler and usually more cost-effective.

Multi-region, global users: Front Door wins here — it includes CDN and global load balancing that you'd otherwise need separate services for. Application Gateway can't load balance across regions at all. You'd need Traffic Manager on top of multiple Application Gateways, which gets complex and expensive.

Low-traffic public website: Front Door Standard can undercut Application Gateway significantly at 28 pounds per month base plus minimal per-request charges, while also giving you a CDN and edge WAF. If you don't need VNet integration, it's worth serious consideration.

High-traffic enterprise with private backends: Often where organisations run both. Front Door at the edge for global routing and caching, Application Gateway inside the VNet for private backend routing. Budget for both services plus WAF costs on whichever layer you apply it to.

The WAF Question

Both services offer WAF, and this is where organisations frequently waste money. Application Gateway WAF is regional. Front Door WAF is global.

Most organisations only need one WAF layer. Running WAF on both Front Door and Application Gateway means paying for two sets of managed rule processing on the same traffic. Unless you have a specific regulatory requirement for defence-in-depth at both layers, pick one.

If you have Front Door, put the WAF there: it catches malicious traffic at the edge before it consumes bandwidth on your backend. That only holds if the origin accepts traffic exclusively from Front Door; an origin that is also reachable directly has no WAF at all from the attacker's point of view. If you only have Application Gateway, its WAF is perfectly adequate for regional protection.

We covered WAF policies in more detail in our WAF business value post and custom bot-blocking rules post.

Common Mistakes

Using Application Gateway for multi-region failover. It's regional. It cannot fail over to another region. You need Front Door or Traffic Manager in front of a gateway per region.

Deploying Front Door for a single internal application. If your app is private, in a VNet, serving users in one location — Front Door is overkill. Application Gateway does the job with less complexity.

Running WAF on both layers. Double WAF is double cost for marginal security benefit. Be deliberate about where you inspect traffic.

Forgetting data processing charges. Both services charge for data flowing through them. The base price is only part of the picture. Model your expected traffic volumes before deciding.

Not locking down the origin. If Front Door sits in front of your backend, make sure the backend only accepts traffic from Front Door. Otherwise attackers bypass your edge WAF entirely by hitting the backend directly. Two controls are needed, not one: restrict the origin's network access to the AzureFrontDoor.Backend service tag, and validate the X-Azure-FDID header against your own Front Door profile ID. The service tag alone admits traffic from every Front Door profile in Azure, including one an attacker creates.
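As an added example (not code from the original post), the following bash/Azure CLI script applies both controls, and by doing so also backs the advice in The WAF Question above to run the WAF only at the edge. The fdid_allowed function is the header check an origin can perform itself; lock_down_origin applies the service-tag rule to an App Service origin and to the subnet NSG of an Application Gateway origin for the "both layers" pattern. Resource names are placeholders; AzureFrontDoor.Backend, the X-Azure-FDID header and the profile's frontDoorId property are Azure's own.

```shell
#!/usr/bin/env bash
# Restrict an origin to a single Front Door profile (added example; names are placeholders).
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-app-prod}"
FD_PROFILE="${FD_PROFILE:-afd-app-prod}"     # Front Door Standard/Premium profile
WEBAPP="${WEBAPP:-app-api-prod}"             # App Service origin
NSG="${NSG:-nsg-agw-prod}"                   # NSG on the Application Gateway subnet

# fdid_allowed EXPECTED_ID HEADER_VALUE -> exit 0 if the request carries our profile's
# ID in X-Azure-FDID, 1 otherwise. Use this where the origin validates the header itself
# (an API middleware, an nginx map, ...). GUID comparison is case-insensitive; a missing
# header is rejected rather than treated as "internal".
fdid_allowed() {
  expected="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  got="$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')"
  [ -n "$got" ] || return 1
  [ "$expected" = "$got" ]
}

# lock_down_origin: network rule plus header rule. The service tag alone is not enough,
# because AzureFrontDoor.Backend covers every customer's Front Door, not just yours.
lock_down_origin() {
  # The profile's frontDoorId is the value Front Door sends in X-Azure-FDID on every request.
  fd_id="$(az afd profile show --resource-group "$RESOURCE_GROUP" --profile-name "$FD_PROFILE" \
             --query frontDoorId -o tsv)"

  # App Service origin: one Allow rule keyed on the service tag AND the header.
  # Once an Allow rule exists, unmatched requests fall through to the implicit deny.
  az webapp config access-restriction add --resource-group "$RESOURCE_GROUP" --name "$WEBAPP" \
    --rule-name AllowThisFrontDoor --action Allow --priority 100 \
    --service-tag AzureFrontDoor.Backend --http-header "x-azure-fdid=$fd_id"

  # Application Gateway origin (the "both layers" pattern): admit only Front Door's
  # backend ranges on 443. Keep the GatewayManager (ports 65200-65535) and
  # AzureLoadBalancer rules that v2 requires. An NSG cannot read headers, so the
  # X-Azure-FDID check moves to the application behind the gateway (see fdid_allowed).
  az network nsg rule create --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG" \
    --name AllowFrontDoorBackend --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes AzureFrontDoor.Backend \
    --destination-port-ranges 443
}

# Only call Azure when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  lock_down_origin
fi
```

Run it with the argument apply against the real subscription; without an argument it only defines the functions, which is what a pre-deployment check or a test harness wants. The App Service rule is the important one: header matching is done by the platform before the request reaches your code, so a spoofed X-Azure-FDID from an attacker's own Front Door profile is rejected even though it arrives from the AzureFrontDoor.Backend ranges.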

Which One, Then?

For most single-region Azure deployments serving a UK or European audience, Application Gateway is the right choice. It integrates with your VNet, handles private backends, and does path-based routing well.

For anything global, multi-region, or public-facing with performance requirements, Front Door is the better fit. The CDN alone can justify the cost.

If your architecture genuinely needs both, that's a valid pattern. Just don't duplicate WAF costs unnecessarily and make sure the additional complexity is earning its keep.

