Beware the non-obvious costs of Azure Front Door
TL;DR: Azure Front Door’s Health Probes can cost you quite a bit.
Recently I built a nice little Azure Functions App that helped us do user acceptance tests at the time of a Pull Request. Then I went on a holiday to relax by multiple pools for a few weeks.
When I got back, however, I saw that my Azure spend had significantly increased, and investigations showed it was around this Function App. It was sending out over 30GB of data per day, every day, for a few weeks.
At high use, I would expect this service to send out no more than a few MB per day, but this data output didn’t even drop on weekends.
Application Insights was showing what I was expecting to see: only a small number of requests, returning only a small packet of data to the caller.
Turning off the Function was the only way I could stop the data flowing out. Even disabling each function individually did nothing to stop the output of data.
What I had forgotten about (I was more focused on pools and the swim-up bars) was that I had taken the opportunity to have a look at Azure Front Door and see what it is capable of. I can see some real advantages in terms of speed and also in hiding many services behind a single URL thanks to URL-based routing, so I had set one up to point at this small service.
One thing Front Door utilises is Health Probes, which will essentially check if the backends you set up are responsive and will route to the fastest backend for the caller.
The default set-up for a health probe when adding a backend to Front Door will hit the root path for a site every 30 seconds. Not too bad.
What you aren’t told here is that Front Door uses Anycast Protocol with multiple Points of Presence (PoP), and each PoP will send out a health probe every 30 seconds.
I am not sure how many PoPs Azure has, but my calculations put it at around 220,000 requests a day, and when probing every 30 seconds, that equates to somewhere near 80 probes worldwide.
Now my little internal Function App had one queue trigger, one API call, and no homepage; that means the default homepage was visible when calling the root of my site.
Just for your knowledge, this returns 150KB of data; and when called over two hundred thousand times a day, that starts to add up.
I would like to note that I had only a single backend set up, so this number multiplies for each backend added to Front Door.
So what can you do to prevent this?
Turn off the default homepage
In the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.
Route to something that returns nothing
Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is that you will be able to log when it is called.
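To see which caller is actually behind the outbound data when Application Insights shows nothing unusual, you can total response bytes per User-Agent and path from the site's raw HTTP logs. The script below is an added example, not code from the original post; the log layout is a simplified constructed format, and "Edge Health Probe" as the probe User-Agent is an assumption to confirm against your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified layout (not a real App Service log schema):
# ISO timestamp, method, path, status, response bytes, quoted User-Agent.
# "Edge Health Probe" as the probe User-Agent is an assumption; check your logs.
SAMPLE_LOG = """\
2019-08-01T00:00:00 GET / 200 153600 "Edge Health Probe"
2019-08-01T00:00:07 GET / 200 153600 "Edge Health Probe"
2019-08-01T00:00:15 POST /api/run 200 2048 "python-requests/2.22"
2019-08-01T00:00:22 GET / 200 153600 "Edge Health Probe"
2019-08-01T00:00:30 GET / 200 153600 "Edge Health Probe"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')

def egress_by_source(log_text):
    """Total requests and response bytes per (User-Agent, path), plus window length."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    times = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, _method, path, _status, size, agent = m.groups()
        times.append(datetime.fromisoformat(ts))
        bucket = totals[(agent, path)]
        bucket["requests"] += 1
        bucket["bytes"] += int(size)
    window = (max(times) - min(times)).total_seconds() if times else 0.0
    return dict(totals), window

def projected_daily_bytes(observed_bytes, window_seconds):
    """Scale bytes seen in the sample window to a 24-hour figure."""
    if window_seconds <= 0:
        raise ValueError("need at least two distinct timestamps to project")
    return observed_bytes * 86400 / window_seconds

def report(log_text):
    """Return (agent, path, requests, daily_bytes) rows, largest egress first."""
    totals, window = egress_by_source(log_text)
    rows = [(a, p, t["requests"], projected_daily_bytes(t["bytes"], window))
            for (a, p), t in totals.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for agent, path, n, daily in report(SAMPLE_LOG):
        print(f"{agent:<24} {path:<10} {n:>3} req  {daily / 1e9:6.2f} GB/day")
```

After applying either fix above, the same report run on fresh logs should show the probe row dropping to near zero bytes while its request count stays the same.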