Azure Front-Door: Backend Pool SSL Validation with Hostname or HostHeader

Amit-J 316

Hi,

In the backendpool of azure front-door, if I use Custom Host as a backend.
And backend hostname = https://abc.hostname.com
and backend hostheader = https://xyz.hostheader.com

Then, SSL Validation will happen with backendhostname or backend hostheader ?
Do I need to add both backendhostname and backendhostheadr as SAN in my SSL certificate ?

I am using App gateway (Multisite) as the backend here.

this link is not giving clear explanation- https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls#backend-tls-connection-azure-front-door-to-backend

Please guide

ChaitanyaNaykodi-MSFT 23,256 Reputation points Microsoft Employee

2022-11-15T01:28:40.087+00:00

@Amit-J ,

Thank you for reaching out.

Based on your questions above.

Then, SSL Validation will happen with backendhostname or backend hostheader ?

The validation will happen with backend hostname.

Do I need to add both backendhostname and backendhostheadr as SAN in my SSL certificate ?

You need to include backendhostname as SAN in your SSL certificate. Given that you have enabled the EnforceCertificateNameCheck option for your Azure Front Door. You can find more information here.

I am using App gateway (Multisite) as the backend here.

I looked at similar issues internally, since you will be validating the SSL certificate against the Application Gateway, I think the backend hostname should be App Gateway's FQDN.

Can you try this out and let me know if you are facing any issue?
Amit-J 316 Reputation points

2022-11-15T05:55:32.787+00:00

Hi,

Hi,

I verified the settings with an existing setup.

We are not using custom domain for App Gateway.
FQDN is an A record which resolves to App Gateway public ip.

And the Backend host header field is kept empty so that the original front door request host header is passed to app gateway.

Enforce Certifcate Name check is enabled but the information symbol next to "Certificate Subject Name Validation" displays this text - "Validate the request's host header matches the hostname in the certificate provided by the backend instance. This setting only applies for HTTPS requests."

I think this text means that - since I have the kept the backend host header empty, so the incoming request host header(front door) will be matched against the certificate SAN of app gateway.
That is why my frontdoor is working without any issue. But you said, app gateways FQDN should be mentioned in the SAN, but it is not mentioned in the certificate SAN.
Then, how come it is working..

I hope I am able to clarify my concerns.

please guide.
ChaitanyaNaykodi-MSFT 23,256 Reputation points Microsoft Employee

2022-11-16T15:35:32.98+00:00

@Amit-J ,
Thank you for providing additional details here, I am checking more on this internally and will keep you posted. Thank you!
ChaitanyaNaykodi-MSFT 23,256 Reputation points Microsoft Employee

2022-11-17T20:54:31.983+00:00

Hello @Amit-J ,

Thank you for your patience here.

Based on your response above.

but the information symbol next to "Certificate Subject Name Validation" displays this text - "Validate the request's host header matches the hostname in the certificate provided by the backend instance. This setting only applies for HTTPS requests."

I could not locate the text above. Can you please share any screenshot for where saw the information above? Thank you! For me the following information was shown

As mentioned above you do not have the FQDN of Application Gateway mentioned in your SAN, can you also confirm if that there is no wildcard host name like *.hostname.com in the SAN?
Thank you!
Anisio Moreira 1 Reputation point

2023-02-15T15:13:44.56+00:00

Hi, @ChaitanyaNaykodi-MSFT

If validation is done by hostname and not by hostheader, what is the function of the hostheader?

I have an application on my on-premisse server where access is done without AzureFD by the url https://web.customer.com.br and I need to put AzureFD to protect it. My idea is to set up a source in AzureFD by pointing the hostname to web-afd.customer.com.br and the hostheader as web.customer.com.br, then in public DNS it would direct the web.customer.com.br record to AzureFD. This way I don't need to interact with the application.

Was this solution supposed to work?

1 answer

Anisio Moreira 1 Reputation point

2023-02-15T14:56:41.86+00:00

Hi, @ChaitanyaNaykodi-MSFT

If validation is done by hostname and not by hostheader, what is the function of the hostheader?

I have an application in production today where access is done without AzureFD by the url https://web.customer.com.br and I need to put AzureFD to protect it. My idea is to set up a Origin in AzureFD by pointing the hostname to web-afd.customer.com.br and the hostheader as web.customer.com.br, then in public DNS it would direct the web.customer.com.br record to AzureFD. This way I don't need to interact with the application.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment