Best Load Balancer Option for Container Apps with Autoscaling

Question

Best Load Balancer Option for Container Apps with Autoscaling

Antonio Meireles 35

We have three Azure Container Apps, each hosting an API, and we need a load balancing and autoscaling solution to efficiently distribute traffic across them.

We would like guidance on the best Azure service for our scenario. Specifically:

Which Azure load balancing solution (e.g., Application Gateway, Front Door, API Management, Load Balancer) is best suited for balancing traffic between multiple Container Apps?
What is the recommended approach for autoscaling these Container Apps based on traffic and resource usage?
Are there any best practices or limitations we should be aware of when implementing this solution?

Ganesh Patapati 5,520 Reputation points Microsoft External Staff

2025-03-26T13:38:00.0266667+00:00
Hello Antonio Meireles

Azure Front Door is indeed the best-suited service for distributing traffic across multiple Azure Container Apps.

It offers global load balancing (i.e., routing traffic to the closest healthy instance of your Container Apps).

It works at Layer 7 (HTTP/HTTPS) which is ideal for APIs and web applications.

It integrates well with Web Application Firewall (WAF) and offers SSL termination (ensuring secure and efficient traffic).

Front Door also supports URL-based routing, which is essential for managing different API routes efficiently.

Other options like Application Gateway are better suited for internal traffic or more complex web applications, but Front Door is optimized for global, HTTP(S)-based traffic management, making it ideal for your scenario.

If your requirement is more about handling global traffic, Front Door should be the first choice. If you need more granular traffic management like WebSocket or deep application layer processing, then Application Gateway can also be considered, but Front Door still has the edge for straightforward global API traffic management.

Azure Application Gateway supports autoscaling, which can be a great solution for managing traffic to your Azure Container Apps.

Autoscaling is enabled by default in v2 SKU. You can adjust the instance limits in the Configuration tab of the Application Gateway.

Best Practices:

You can Use Azure Monitor to track performance and scaling behavior.

Test different thresholds to balance cost and performance.

You can use Managed Certificates and enable HTTPS for secure API communication.

You can use Azure Front Door to route traffic between Container Apps based on API versions or regions.

Limitations:

Application Gateway is regional, while Front Door is global.

If above is unclear and/or you are unsure about something add a comment below.

Can you please update us if the action plan provided by was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Rohith Vinnakota 4,345 Reputation points Microsoft External Staff

2025-03-26T18:56:47.5033333+00:00

Hello Antonio Meireles

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Antonio Meireles 35 Reputation points

2025-03-26T22:32:15.8833333+00:00

Hello,

Thank you for the detailed explanation.

At the moment, our primary concern is cost. We've noticed that the Azure Application Gateway is significantly more expensive compared to what we had previously on AWS. Since our traffic is mostly global and HTTP(S)-based — mainly for API endpoints and web applications — Azure Front Door seems to be a more appropriate and cost-effective choice for our scenario. Do you agree?

We also value its native support for global load balancing, SSL termination, WAF integration, and URL-based routing — which aligns well with how we structure our services.

Given this, we are seriously considering migrating from Application Gateway to Front Door to optimize both performance and costs.

Do you have any recommendations or best practices for making this transition smoothly, especially when using Azure Container Apps? Do you agree that we should change?

Looking forward to your feedback.

Best regards, Antonio Meireles

1 answer

Your answer

Rohith Vinnakota 4,345 Reputation points Microsoft External Staff

2025-03-26T18:56:47.5033333+00:00

Hello Antonio Meireles

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Antonio Meireles 35 Reputation points

2025-03-26T22:32:15.8833333+00:00

Hello,

Thank you for the detailed explanation.

At the moment, our primary concern is cost. We've noticed that the Azure Application Gateway is significantly more expensive compared to what we had previously on AWS. Since our traffic is mostly global and HTTP(S)-based — mainly for API endpoints and web applications — Azure Front Door seems to be a more appropriate and cost-effective choice for our scenario. Do you agree?

We also value its native support for global load balancing, SSL termination, WAF integration, and URL-based routing — which aligns well with how we structure our services.

Given this, we are seriously considering migrating from Application Gateway to Front Door to optimize both performance and costs.

Do you have any recommendations or best practices for making this transition smoothly, especially when using Azure Container Apps? Do you agree that we should change?

Looking forward to your feedback.

Best regards, Antonio Meireles

Answer 1

Ganesh Patapati 5,520 Microsoft External Staff

@Antonio Meireles

Thanks for the reply!

I agree that Azure Front Door is an excellent choice for your scenario. It is designed specifically for globally distributed, HTTP(S)-based workloads, making it a cost-effective and high-performance alternative to Azure Application Gateway.

Here are some recommendations and best practices for making the migration smooth:

While Front Door is feature-rich, ensure all your requirements are fully supported. For example, Application Gateway may offer deeper integration for certain regional scenarios, so evaluate what your workloads specifically need.
Replicate your Application Gateway routing rules in Front Door. You can use the Azure Portal to define and test new configurations.
Start by adding Front Door alongside Application Gateway and route a small percentage of traffic to Front Door for testing. Once satisfied with performance, gradually increase traffic and cut over DNS completely.
Set up health probes for your Container Apps behind Front Door to ensure only healthy instances receive traffic.
Add your Container Apps to the Front Door back-end pool and configure session affinity, caching, and priority-based routing if required.
You can leverage Azure Container Apps autoscaling to dynamically scale based on traffic handled by Front Door. Utilize the scaling triggers provided natively (HTTP requests, CPU/memory utilization, or custom KEDA triggers).
Ensure that the minimum and maximum replica settings align with expected traffic patterns.
You can enable Web Application Firewall (WAF) with Azure Front Door for enhanced security. Fine-tune WAF rules to align with your APIs and web applications to prevent false positives.
Implement SSL termination at Front Door and enforce HTTPS for all traffic. Use Azure Key Vault to manage SSL certificates securely.
Leverage Azure Monitor and Log Analytics for traffic metrics, latency insights, and troubleshooting.
Compare billing patterns post-migration to ensure that the switch to Front Door reduces costs as expected.

With these steps, you should be able to transition smoothly while achieving cost savings and optimizing performance.

If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Feedback link: https://feedback.azure.com/d365community

If above is unclear and/or you are unsure about something add a comment below.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Accepted answer

Antonio Meireles 35 Reputation points

2025-03-27T14:08:19.46+00:00

Thanks again for the detailed insights — they were really helpful.

I have one follow-up question regarding Server-Sent Events (SSE). We're currently using SSE in our application and would like to confirm whether Azure Front Door fully supports it.

Are there any known issues or limitations with using SSE behind Front Door?

Is Front Door compatible and reliable for long-lived HTTP connections like those used by SSE?

Are there any recommended best practices (e.g., timeout settings, keep-alive configurations, caching policies) we should follow to ensure stable SSE delivery through Front Door?

Thanks in advance for your help!
Ganesh Patapati 5,520 Reputation points Microsoft External Staff

2025-03-27T19:23:33.61+00:00

Hello Antonio Meireles

Thanks for the reply!

I have checked this internally and can confirm that Azure Front Door does not support SSE at this time.

You might consider alternatives like Azure API Management, which offers better support for streaming scenarios.

Refer: https://learn.microsoft.com/en-us/answers/questions/1257674/does-azure-front-door-support-sse-%28server-sent-eve?form=MG0AV3

If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Feedback link: https://feedback.azure.com/d365community

If above is unclear and/or you are unsure about something add a comment below.

Please do consider to “Up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Antonio Meireles 35 Reputation points

2025-03-27T19:34:20.9766667+00:00

Thanks for the clarification!

That’s an important point — we’re currently relying on SSE for real-time updates in our platform, so Front Door not supporting SSE is a critical limitation for us.

A few follow-up questions:

Do you have any recommended architecture alternatives to support SSE at global scale with Azure? You mentioned API Management — could it be used in combination with a regional App Gateway, or are there other approaches?

Is Azure Application Gateway still the best option when SSE is required?

Would a hybrid approach (e.g., using Front Door for general traffic and routing SSE endpoints directly through App Gateway) be viable?

Appreciate your guidance — we want to ensure performance and scalability without compromising real-time capabilities.

Best regards,

Antonio
Ganesh Patapati 5,520 Reputation points Microsoft External Staff

2025-03-27T20:02:04.45+00:00
Hello Antonio Meireles

Application Gateway does not officially support SSE; however, you can try the steps provided in private messages.

Refer: https://learn.microsoft.com/en-us/answers/questions/1409780/azure-application-gateway-support-for-server-sent

If above is unclear and/or you are unsure about something add a comment below.

Please do consider to “Up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Antonio Meireles 35 Reputation points

2025-03-27T20:24:49.0933333+00:00
Thanks again for the follow-up.

Given that Azure Front Door doesn’t support SSE and Application Gateway also lacks official support (though I’ve seen some community workarounds), we’re reassessing how to maintain stable real-time communication in our setup.

Here’s a bit more context on our architecture:

We’re hosting our backend in Azure Container Apps, with autoscaling enabled.

We rely on Server-Sent Events (SSE) to push real-time updates to users.

We’re targeting global availability and low-latency delivery, which is why Azure Front Door seemed like a strong fit.

However, the lack of SSE support is now a key concern.

Could you advise on:

Any recommended approach or service combo within Azure to reliably handle SSE at scale?

Whether Azure API Management in front of Container Apps could support SSE in practice?

If a hybrid setup makes sense — for example, routing general traffic via Front Door but sending SSE traffic through a regional NGINX reverse proxy or App Gateway workaround?

Any documented success cases or patterns where SSE is running reliably on Azure?

We’re aiming to balance global performance, real-time capabilities, and scalability, so any recommendations would be very appreciated.

Best regards,

Antonio Meireles
Praveen Bandaru 2,835 Reputation points Microsoft External Staff

2025-03-28T12:43:29.9366667+00:00

Hello Antonio Meireles

Thank you for your response.

Server-Sent Events (SSE) are supported on Application Gateway V2 SKUs but present it in preview state.

Check the below document for more understanding:

https://feedback.azure.com/d365community/idea/4bbd5644-8a26-ec11-b6e6-000d3a4f0789

If above is unclear and/or you are unsure about something add a comment below.

Please do consider to “Up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Antonio Meireles 35 Reputation points

2025-03-28T12:59:17.2166667+00:00
Hi, thanks

We’ve already implemented SSE using Application Gateway V2, and while it's working, we’ve noticed the costs are relatively high, especially for handling long-lived connections. Additionally, since App Gateway is region-specific, it doesn’t fully meet our global distribution requirements.

Given that:

Azure Front Door doesn’t support SSE,

Application Gateway is expensive and not designed for global routing,

Would you recommend any alternative architecture or service pattern to support SSE in a globally available, cost-efficient, and scalable manner?

We’re open to hybrid setups or even moving to WebSocket or SignalR if there’s a compelling reason, but we want to understand the trade-offs clearly before making a decision.

Appreciate any guidance you can share.

Best regards,

Antonio Meireles
Ganesh Patapati 5,520 Reputation points Microsoft External Staff

2025-03-31T12:59:00.38+00:00

Hello Antonio Meireles

Thanks for the reply!

To understand better about your issue lets connect offline, please see private message for more details.
Ganesh Patapati 5,520 Reputation points Microsoft External Staff

2025-04-03T16:00:11.9133333+00:00

Hello Antonio Meireles

As per our conversation currently Azure Front Door doesn’t support SSE at the moment.

If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Feedback link: https://feedback.azure.com/d365community

Please do consider to “Up-vote” and "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
Antonio Meireles 35 Reputation points

2025-04-03T16:48:25.84+00:00

thanks, will do

Share via

Best Load Balancer Option for Container Apps with Autoscaling

1 answer

Your answer