An Azure service that provides a cloud content delivery network with threat protection.
AFD rule sets do not deploy to edge — rules attached to route never fire
I have an Azure Front Door Standard profile where rule sets do not deploy
to the edge. Origin Path on the same route works correctly, which suggests
the issue is specific to rule set deployment rather than the profile as a
whole. I'd appreciate guidance on whether this is a known issue, what
might cause it, and whether the fix is to recreate the profile or
something else.
ENVIRONMENT
- AFD Profile: Standard tier
- One endpoint with one custom domain (validated, Active)
- One route with patterns /docs and /docs/*
- One origin group with one origin (public HTTPS origin, host header set correctly)
- Created via Azure portal (Custom create), modified via portal and
`az afd` CLI
SETUP THAT DOES NOT WORK
- Create a rule set
- Add a URL rewrite rule: condition `UrlPath BeginsWith /docs/`, action `UrlRewrite source /docs/ destination /target-path/ preserveUnmatchedPath true`
- Attach the rule set to the route
- Wait 30 minutes (and also 10+ hours separately)
- Expected: requests to /docs/foo arrive at origin as /target-path/foo
- Actual: requests arrive at origin as /docs/foo (no rewrite occurs)
The origin's "host unknown" response confirms AFD is forwarding the
unmodified path. The response includes x-azure-ref, so AFD is in the
request path; it just isn't applying the rule.
CONTROL PLANE STATE
`az afd rule list ... -o yaml` shows:
provisioningState: Succeeded
deploymentStatus: NotStarted
The deploymentStatus never advances beyond NotStarted, even after >10
hours of waiting with no further config changes.
`az afd route show ... --query ruleSets` confirms the rule set is
correctly attached at the API level.
WHAT WORKS ON THE SAME ROUTE
Setting originPath on the route to /target-path produces the correct
behaviour — requests for /docs/foo arrive at origin as /target-path/foo.
This proves the route's edge-sync is healthy. Only rule set deployment
is failing.
WHAT I'VE TRIED
- Create/delete/recreate the rule, multiple times
- Delete the entire rule set, create a new one with a different name
- Detach and re-attach the rule set to the route (portal and CLI)
- Force route redeployment via disable/enable cycle
- Force route redeployment by changing patterns-to-match
- Multiple `az afd endpoint purge` calls
- Both portal and CLI for every operation, in case of UI-only sync issues
QUESTIONS
- Is "rule set deployment stuck at NotStarted while route deployment succeeds" a known issue?
- Is there a way to force-trigger rule set deployment from the customer side that I haven't tried?
- Does the `deploymentStatus` field on rules actually reflect data-plane state, or is it informational only? (If informational, what's the authoritative way to verify rule deployment short of curl-testing behaviour?)
- If the profile needs to be recreated to recover rule set functionality, is that documented anywhere as a known recovery path?
For now I'm using Origin Path as a workaround, which is functional but
limits me to a single path transformation per route and doesn't support
URL redirects. The redirects in particular I'd like to do via rule sets
long-term.
Any pointers appreciated.
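
An added example, not part of the original post and not Azure tooling: a small check that compares the control-plane `deploymentStatus` of a rule with what the origin actually logged, so a "stuck at NotStarted" report can be separated from a rule that really is not firing. The JSON field layout, the rule name `rewriteDocs`, the function names and the result labels are assumptions; the rewrite is modelled as the prefix replacement the post expects (`/docs/foo` to `/target-path/foo`).

```python
import json

# Constructed sample, shaped like `az afd rule list ... -o json` output.
# The field layout is an assumption; the values mirror the post.
SAMPLE_RULES = json.loads("""
[{"name": "rewriteDocs", "provisioningState": "Succeeded",
  "deploymentStatus": "NotStarted",
  "actions": [{"name": "UrlRewrite", "parameters": {
      "sourcePattern": "/docs/", "destination": "/target-path/",
      "preserveUnmatchedPath": true}}]}]
""")


def expected_origin_path(path, rule):
    """Path the origin should see if the rule's UrlRewrite action fired."""
    for action in rule.get("actions", []):
        if action.get("name") != "UrlRewrite":
            continue
        params = action["parameters"]
        source = params["sourcePattern"]
        if not path.startswith(source):
            continue  # the rewrite only applies to paths under the source prefix
        rest = path[len(source):] if params.get("preserveUnmatchedPath") else ""
        return params["destination"] + rest
    return path  # no rewrite applies to this path


def classify(rule, probes):
    """probes: (requested_path, path_logged_at_origin) pairs from test requests."""
    relevant = [(req, seen) for req, seen in probes
                if expected_origin_path(req, rule) != req]
    if not relevant:
        return "untested"  # no probe exercised the rewrite
    hits = [seen == expected_origin_path(req, rule) for req, seen in relevant]
    deployed = rule.get("deploymentStatus") == "Succeeded"
    if all(hits):
        return "applied" if deployed else "applied-but-status-stale"
    if not any(hits):
        return "status-ok-but-not-applied" if deployed else "not-applied"
    return "inconsistent"  # mixed results across probes


if __name__ == "__main__":
    # Constructed probes matching the symptom in the post: origin sees /docs/...
    observed = [("/docs/foo", "/docs/foo"), ("/docs/a/b", "/docs/a/b")]
    for rule in SAMPLE_RULES:
        print(rule["name"], rule["deploymentStatus"], classify(rule, observed))
```
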