Azure Traffic Manager
What Is Azure Traffic Manager?
Azure Traffic Manager is a DNS-based traffic load balancer that distributes traffic across global Azure regions or external endpoints. It works at the DNS layer (Layer 7 — DNS resolution), directing clients to the most appropriate endpoint based on a configurable routing method.
Official Documentation: Azure Traffic Manager overview
How Traffic Manager Works
```text
Client DNS Query
       ↓
Traffic Manager (DNS)
       ↓  Returns endpoint IP
       ↓  based on routing method
       ↓
┌──────────────────────────────────────────┐
│ Endpoint A    Endpoint B      Endpoint C │
│ (UK South)    (West Europe)   (East US)  │
└──────────────────────────────────────────┘
       ↑
Client connects directly to chosen endpoint
(Traffic Manager is NOT in the data path)
```
Key point: Traffic Manager only participates in DNS resolution. Once the client receives the endpoint IP, all subsequent traffic flows directly to that endpoint — Traffic Manager never sees the actual request or response data.
Routing Methods
| Method | Description | Use Case |
|---|---|---|
| Priority | Active/passive failover — routes to the highest-priority healthy endpoint | Disaster recovery with a primary and standby region |
| Weighted | Distributes traffic by assigned weight ratios | Canary deployments, gradual migration between regions |
| Performance | Routes to the endpoint with the lowest network latency for the client | Multi-region apps where user proximity matters |
| Geographic | Routes based on the geographic origin of the DNS query | Data sovereignty, localised content |
| MultiValue | Returns multiple healthy endpoints in a single DNS response | Client-side load balancing with redundancy |
| Subnet | Maps specific client IP ranges to specific endpoints | Enterprise routing, compliance requirements |
Priority Routing Example
```bicep
resource trafficManager 'Microsoft.Network/trafficManagerProfiles@2022-04-01' = {
  name: 'tm-integration-prod'
  location: 'global'
  properties: {
    profileStatus: 'Enabled'
    trafficRoutingMethod: 'Priority'
    dnsConfig: {
      relativeName: 'tm-integration-prod'
      ttl: 60
    }
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      path: '/health'
      intervalInSeconds: 30
      toleratedNumberOfFailures: 3
      timeoutInSeconds: 10
    }
    endpoints: [
      {
        name: 'primary-uksouth'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServicePrimary.id
          endpointStatus: 'Enabled'
          priority: 1
        }
      }
      {
        name: 'secondary-westeurope'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServiceSecondary.id
          endpointStatus: 'Enabled'
          priority: 2
        }
      }
    ]
  }
}
```
Weighted Routing Example
```bicep
resource trafficManager 'Microsoft.Network/trafficManagerProfiles@2022-04-01' = {
  name: 'tm-api-canary'
  location: 'global'
  properties: {
    trafficRoutingMethod: 'Weighted'
    dnsConfig: {
      relativeName: 'tm-api-canary'
      ttl: 30
    }
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      path: '/health'
      intervalInSeconds: 30
      toleratedNumberOfFailures: 2
      timeoutInSeconds: 10
    }
    endpoints: [
      {
        name: 'stable'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServiceStable.id
          weight: 90
        }
      }
      {
        name: 'canary'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServiceCanary.id
          weight: 10
        }
      }
    ]
  }
}
```
Performance Routing Example
```bicep
resource trafficManager 'Microsoft.Network/trafficManagerProfiles@2022-04-01' = {
  name: 'tm-global-api'
  location: 'global'
  properties: {
    trafficRoutingMethod: 'Performance'
    dnsConfig: {
      relativeName: 'tm-global-api'
      ttl: 60
    }
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      path: '/health'
    }
    endpoints: [
      {
        name: 'uksouth'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServiceUK.id
          endpointLocation: 'UK South'
        }
      }
      {
        name: 'eastus'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServiceUS.id
          endpointLocation: 'East US'
        }
      }
      {
        name: 'southeastasia'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: appServiceAsia.id
          endpointLocation: 'Southeast Asia'
        }
      }
    ]
  }
}
```
Endpoint Types
| Type | Description | Example |
|---|---|---|
| Azure | Any Azure resource with a public IP | App Service, Cloud Service, Public IP |
| External | An IP address or FQDN outside Azure | On-premises service, third-party API |
| Nested | Another Traffic Manager profile | Multi-level routing (e.g., geographic → performance) |
Nested Profiles
Combine routing methods by nesting profiles:
```text
Geographic Profile (outer)
├── Europe → Performance Profile (inner)
│   ├── UK South (lowest latency)
│   └── West Europe (fallback)
└── North America → Performance Profile (inner)
    ├── East US (lowest latency)
    └── West US (fallback)
```
```bicep
resource innerProfile 'Microsoft.Network/trafficManagerProfiles@2022-04-01' = {
  name: 'tm-europe-perf'
  location: 'global'
  properties: {
    trafficRoutingMethod: 'Performance'
    // ... endpoints for European regions
  }
}

resource outerProfile 'Microsoft.Network/trafficManagerProfiles@2022-04-01' = {
  name: 'tm-global-geo'
  location: 'global'
  properties: {
    trafficRoutingMethod: 'Geographic'
    endpoints: [
      {
        name: 'europe'
        type: 'Microsoft.Network/trafficManagerProfiles/nestedEndpoints'
        properties: {
          targetResourceId: innerProfile.id
          endpointLocation: 'West Europe'
          minChildEndpoints: 1
          geoMapping: [
            'GEO-EU'
          ]
        }
      }
    ]
  }
}
```
Health Probes
Traffic Manager continuously monitors endpoint health and removes unhealthy endpoints from DNS responses.
Monitor Configuration
| Setting | Description | Recommended Value |
|---|---|---|
| Protocol | HTTP, HTTPS, or TCP | HTTPS |
| Port | Port to probe | 443 |
| Path | URL path for HTTP/HTTPS probes | /health |
| Probing Interval | Time between probes (seconds) | 30 (standard), 10 (fast) |
| Timeout | Probe timeout (seconds) | 10 (standard), 5 (fast) |
| Tolerated Failures | Failures before marking unhealthy | 3 (standard), 1 (fast) |
Expected Health Check Response
Traffic Manager considers an endpoint healthy when:
- HTTP/HTTPS: Returns a 200 OK status within the timeout
- TCP: TCP connection is established within the timeout
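A sketch of a /health handler that fits these probe rules, added here as an example and not taken from the original page or from Azure: it returns 200 only when every dependency check passes inside a time budget shorter than the probe timeout, and 503 otherwise. The check functions, the budget of half the timeout and the port are assumptions.

```python
import json
from concurrent.futures import ThreadPoolExecutor, wait
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_TIMEOUT = 10                 # timeoutInSeconds in monitorConfig
CHECK_BUDGET = PROBE_TIMEOUT / 2   # assumed margin: answer well before the probe gives up

def check_database():              # hypothetical placeholder checks; wire in real ones
    return True

def check_queue():
    return True

CHECKS = {"database": check_database, "queue": check_queue}

def evaluate(checks, budget=CHECK_BUDGET):
    """Run every check in parallel and return (http_status, failed_names).
    A check fails if it raises, returns anything but True, or overruns the budget."""
    pool = ThreadPoolExecutor(max_workers=len(checks))
    futures = {pool.submit(fn): name for name, fn in checks.items()}
    done, pending = wait(futures, timeout=budget)
    pool.shutdown(wait=False, cancel_futures=True)   # do not block on a hung dependency
    failed = [futures[f] for f in pending]
    for f in done:
        if f.exception() is not None or f.result() is not True:
            failed.append(futures[f])
    return (503 if failed else 200), sorted(failed)

class Health(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/health":
            self.send_error(404)
            return
        status, failed = evaluate(CHECKS)
        if failed:   # detail goes to the server log, not to the caller
            self.log_message("health check failed: %s", ", ".join(failed))
        body = json.dumps({"status": "ok" if status == 200 else "unavailable"}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Plain HTTP on localhost for a local run; TLS termination in front is assumed.
    HTTPServer(("127.0.0.1", 8080), Health).serve_forever()
```

The response body carries only a coarse status because the probe path is reachable by any client; which dependency failed stays in the server log.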
Custom Health Check Headers
```bicep
monitorConfig: {
  protocol: 'HTTPS'
  port: 443
  path: '/health'
  customHeaders: [
    {
      name: 'Host'
      value: 'api.example.com'
    }
  ]
  expectedStatusCodeRanges: [
    {
      min: 200
      max: 202
    }
  ]
}
```
DNS TTL
The DNS Time-to-Live (TTL) controls how long clients cache the DNS response:
| TTL Value | Failover Speed | DNS Query Load |
|---|---|---|
| 30 seconds | Very fast failover | High query volume |
| 60 seconds | Fast failover (recommended) | Moderate |
| 300 seconds | Slower failover | Low query volume |
Important: Lower TTL means faster failover but more DNS queries (and potentially higher cost).
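To see how the probe settings and the TTL combine into a failover window, the following simplified model is added here as an illustration; it is not Azure code or part of the original page. It marks an endpoint Degraded once consecutive failed probes exceed the tolerated number, picks the Priority answer, and estimates the worst-case time before clients move. The class and function names are hypothetical and the timing formula is an approximation.

```python
from dataclasses import dataclass

@dataclass
class Monitor:
    interval: int                      # intervalInSeconds
    timeout: int                       # timeoutInSeconds
    tolerated: int                     # toleratedNumberOfFailures
    ok_ranges: tuple = ((200, 200),)   # expectedStatusCodeRanges (default: 200 only)

    def probe_ok(self, status):
        # status None models a probe that ran into the timeout
        return status is not None and any(
            lo <= status <= hi for lo, hi in self.ok_ranges)

def degraded_at(monitor, statuses):
    """Seconds until the endpoint is marked Degraded, or None if it never is.
    statuses[i] is the result of the probe sent at i * interval."""
    consecutive = 0
    for i, status in enumerate(statuses):
        if monitor.probe_ok(status):
            consecutive = 0
            continue
        consecutive += 1
        if consecutive > monitor.tolerated:      # failures exceed the tolerance
            return i * monitor.interval + (monitor.timeout if status is None else 0)
    return None

def priority_answer(endpoints, degraded):
    """Priority routing over (name, priority) pairs: lowest number wins among
    healthy endpoints. If every endpoint is degraded, all are treated as
    candidates (best effort) instead of returning nothing."""
    healthy = [e for e in endpoints if e[0] not in degraded]
    return min(healthy or endpoints, key=lambda e: e[1])[0]

def worst_case_failover(monitor, ttl):
    """Approximate upper bound: the outage starts just after a good probe, then
    tolerated + 1 probes fail (the last one waits for the timeout), then
    resolvers keep serving the cached answer for one full TTL."""
    return (monitor.tolerated + 1) * monitor.interval + monitor.timeout + ttl

# Values from the Priority example: 30 s interval, 10 s timeout, 3 failures, TTL 60
standard = Monitor(interval=30, timeout=10, tolerated=3)
fast = Monitor(interval=10, timeout=5, tolerated=1)
ENDPOINTS = [("primary-uksouth", 1), ("secondary-westeurope", 2)]

if __name__ == "__main__":
    print(degraded_at(standard, [200, None, None, None, None]))   # constructed probe run
    print(priority_answer(ENDPOINTS, {"primary-uksouth"}))
    print(worst_case_failover(standard, ttl=60), worst_case_failover(fast, ttl=60))
```

With the standard settings the model gives a window of about 190 seconds; the fast settings with the same TTL bring it to about 85 seconds.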
Create via Azure CLI
```bash
# Create Traffic Manager profile
az network traffic-manager profile create \
  --name tm-integration-prod \
  --resource-group rg-networking-prod \
  --routing-method Priority \
  --unique-dns-name tm-integration-prod \
  --monitor-protocol HTTPS \
  --monitor-port 443 \
  --monitor-path /health \
  --ttl 60

# Add primary endpoint
az network traffic-manager endpoint create \
  --name primary-uksouth \
  --profile-name tm-integration-prod \
  --resource-group rg-networking-prod \
  --type azureEndpoints \
  --target-resource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/app-primary \
  --priority 1

# Add secondary endpoint
az network traffic-manager endpoint create \
  --name secondary-westeurope \
  --profile-name tm-integration-prod \
  --resource-group rg-networking-prod \
  --type azureEndpoints \
  --target-resource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/app-secondary \
  --priority 2

# Check profile status
az network traffic-manager profile show \
  --name tm-integration-prod \
  --resource-group rg-networking-prod \
  --query '{Status:profileStatus, DNS:dnsConfig.fqdn, Routing:trafficRoutingMethod}'
```
Traffic Manager with APIM
Route API traffic across regions with Traffic Manager in front of APIM:
```text
Traffic Manager (DNS)
          ↓
┌──────────────────────┐
│ APIM (UK South)      │ ← Primary
│ APIM (West Europe)   │ ← Secondary
└──────────────────────┘
```
Custom Domain with Traffic Manager
```bash
# Map custom domain to Traffic Manager
# 1. Create CNAME: api.example.com → tm-integration-prod.trafficmanager.net
# 2. Add custom domain to each APIM instance
# The --set argument is quoted so the shell does not treat [0] as a glob pattern
az apim update \
  --name apim-prod-uksouth \
  --resource-group rg-apim-prod \
  --set 'hostnameConfigurations[0].hostName=api.example.com'
```
Diagnostic Settings
```bicep
resource tmDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'tm-diagnostics'
  scope: trafficManager
  properties: {
    workspaceId: logAnalyticsWorkspace.id
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
        retentionPolicy: { enabled: true, days: 90 }
      }
    ]
    logs: [
      {
        category: 'ProbeHealthStatusEvents'
        enabled: true
        retentionPolicy: { enabled: true, days: 90 }
      }
    ]
  }
}
```
KQL Queries for Traffic Manager
```kusto
// Endpoint health status changes
AzureDiagnostics
| where ResourceType == "TRAFFICMANAGERPROFILES"
| where Category == "ProbeHealthStatusEvents"
| project TimeGenerated, Resource, endpoint_s, status_s
| order by TimeGenerated desc

// Probe health over time
AzureDiagnostics
| where ResourceType == "TRAFFICMANAGERPROFILES"
| summarize
    Healthy = countif(status_s == "Online"),
    Degraded = countif(status_s == "Degraded"),
    Unhealthy = countif(status_s == "Stopped")
    by bin(TimeGenerated, 15m), endpoint_s
| render timechart
```
Naming Conventions
tm-{workload}-{environment}
Examples:
- tm-integration-prod
- tm-api-platform-dev
- tm-global-api-staging
Best Practices
- Use HTTPS health probes for security and accurate health monitoring
- Set TTL to 60 seconds as a balance between failover speed and DNS load
- Implement a /health endpoint that validates downstream dependencies
- Use nested profiles to combine routing methods for complex scenarios
- Enable diagnostic settings to monitor probe health in Log Analytics
- Use fast probing (10-second intervals) for production-critical services
- Test failover regularly by disabling endpoints and verifying DNS updates
- Set minChildEndpoints on nested profiles to prevent routing to degraded regions
- Use custom domain names with CNAME records pointing to the Traffic Manager FQDN
- Monitor DNS query volume to understand traffic patterns and costs