How to enable TLS 1.3 on Azure CDN?

Mohsen Akhavan 766 Reputation points
2023-05-21T14:27:21.36+00:00

I created Azure CDN classic and defined a custom origin. The origin is my WordPress website (outside of Azure).

Currently, my website is open at https://mywebsite.azureedge.net and also https://mywebsite.com.

The first question is whether I should create a CNAME record like the one below so that my website traffic is redirected to Azure CDN. Is that right?

(screenshot of the proposed DNS record not included)

The second question is, how can I enable TLS 1.3 on Azure CDN?

With https://www.cdn77.com/tls-test I tested TLS on both URLs. (screenshot of the CDN result not included)

The result for my website: (screenshot not included)

The scenario is: I host my website on a shared host where it's not possible to disable TLS 1.1 and 1.0. To fix this issue I would have to change my hosting plan to a VPS.
I want to move my website behind Azure CDN to fix the TLS versioning.

Azure Content Delivery Network

2 answers

  1. TP 83,221 Reputation points
    2023-05-21T15:46:17.02+00:00

    Hi,

    Currently TLS 1.3 is not supported. Please see "Supported TLS versions" in the article below:

    https://learn.microsoft.com/en-us/azure/cdn/cdn-features

    Please click Accept Answer if the above was helpful.

    Thanks.

    -TP


  2. GitaraniSharma-MSFT 49,356 Reputation points Microsoft Employee
    2023-05-29T11:55:14.0966667+00:00

    Hello @Mohsen Akhavan ,

    Apologies for the delay in response.

    I understand that you created Azure CDN classic and defined a custom origin and have a few questions regarding CNAME mapping and TLS version support, which I've answered below:

    Whether I should create a CNAME record like the one below so that my website traffic redirects to Azure CDN?

    Yes, you need to create a CNAME with the following entry:

    • Source: Enter your custom domain name. For example: www.contoso.com
    • Type: Enter or select CNAME.
    • Destination: Enter your CDN endpoint hostname in the following format: <endpoint-name>.azureedge.net. For example: contoso.azureedge.net

    Refer: https://learn.microsoft.com/en-us/azure/cdn/cdn-map-content-to-custom-domain?tabs=dns-provider%2Cazure-portal%2Cazure-portal-cleanup#map-the-permanent-custom-domain

    After that follow the steps in the above document to add the custom domain to your CDN endpoint.

    How can I enable TLS 1.3 on Azure CDN?

    Currently TLS 1.3 is not supported. Azure CDN Standard from Microsoft supports TLS 1.2 and TLS 1.0/1.1.

    Refer: https://learn.microsoft.com/en-us/azure/cdn/cdn-features

    https://learn.microsoft.com/en-us/rest/api/cdn/custom-domains/enable-custom-https?tabs=HTTP#usermanagedhttpsparameters

    For www.mydomain.com I made a CNAME record pointing to my endpoint in Azure CDN. How can I point mydomain.com to the endpoint? If I create an A record, I need an IP. Also, it's not possible to create another CNAME record for the mydomain.com FQDN.

    This scenario is mentioned in the below document: https://learn.microsoft.com/en-us/azure/cdn/onboard-apex-domain?toc=%2Fazure%2Ffrontdoor%2FTOC.json

    Azure CDN uses CNAME records to validate domain ownership for onboarding of custom domains. CDN doesn't expose the frontend IP address associated with your CDN profile. You can't map your apex domain to an IP address if your intent is to onboard it to Azure CDN.

    The DNS protocol prevents the assignment of CNAME records at the zone apex. For example, if your domain is contoso.com, you can create CNAME records for somelabel.contoso.com, but you can't create a CNAME for contoso.com itself.

    This problem can be resolved by using alias records in Azure DNS. Unlike CNAME records, alias records are created at the zone apex.

    Mapping your apex or root domain to your CDN profile requires CNAME flattening or DNS chasing, a mechanism where the DNS provider recursively resolves the CNAME entry until it hits an IP address. This functionality is supported with Azure DNS for CDN endpoints.

    There are other DNS providers as well that support CNAME flattening or DNS chasing; however, Azure CDN recommends that its customers use Azure DNS to host their domains.

    Now, if your DNS provider supports CNAME flattening or DNS chasing, you should be able to add an alias record or enable CNAME flattening for the root domain.

    So, you need to contact your DNS provider and check if they support CNAME flattening or if there is any way to achieve this on their end. If it is not supported by your DNS provider, you could delegate your domain to Azure DNS and manage your DNS records there; in Azure DNS you will be able to create an alias record, which will let you onboard your apex domain to Azure CDN.

    Please refer: https://learn.microsoft.com/en-us/azure/dns/dns-domain-delegation

    https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
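The TLS check the question and the second answer describe, finding out which protocol versions a hostname actually negotiates, can be scripted locally instead of relying on a third-party web test. The block below is an added example; it is not code from the question, the answers, or Azure, and it assumes only Python's standard `ssl` module and a hostname passed on the command line. One caveat worth keeping in mind when reading the results: placing Azure CDN in front of the site only changes what clients negotiate with the CDN endpoint hostname; the origin's own TLS 1.0/1.1 listeners stay reachable by anyone who connects to the origin directly, so the probe is worth running against both names.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. The labels match what SSLSocket.version() reports.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

# Versions that current hardening baselines treat as legacy and expect to be disabled.
LEGACY_VERSIONS = {"TLSv1", "TLSv1.1"}


def probe_tls_version(host, label, version, port=443, timeout=5.0):
    """Return True if `host` completes a handshake pinned to exactly `version`.

    Any failure (refused connection, handshake alert, or the local OpenSSL build
    refusing the version) is reported as False: this is a negotiation probe, not
    a proof that the server lacks the version.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        # The local OpenSSL build does not support this version at all.
        return False
    # Probe only: the question is whether the *protocol* negotiates, so certificate
    # verification is switched off for this context. Never reuse it for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if label in LEGACY_VERSIONS:
        # OpenSSL 3 disables TLS 1.0/1.1 at its default security level; lower it for
        # the probe so a "not negotiated" result reflects the server, not the client.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == label
    except (ssl.SSLError, OSError):
        return False


def probe_host(host, port=443):
    """Probe every version in PROBE_VERSIONS; returns {label: negotiated?}."""
    return {label: probe_tls_version(host, label, ver, port) for label, ver in PROBE_VERSIONS}


def classify(results):
    """Turn a {label: negotiated?} map into a finding a reviewer can act on."""
    enabled = [label for label, ok in results.items() if ok]
    legacy = sorted(label for label in enabled if label in LEGACY_VERSIONS)
    return {
        "enabled": enabled,
        "legacy_enabled": legacy,
        "tls13": results.get("TLSv1.3", False),
        # "ok" means: nothing legacy negotiates and a modern version (1.2) does.
        "ok": not legacy and results.get("TLSv1.2", False),
    }


if __name__ == "__main__":
    # Usage: python tls_probe.py mywebsite.azureedge.net [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    finding = classify(probe_host(target, target_port))
    print(f"{target}:{target_port}")
    print("  enabled        :", ", ".join(finding["enabled"]) or "none")
    print("  legacy enabled :", ", ".join(finding["legacy_enabled"]) or "none")
    print("  TLS 1.3        :", "yes" if finding["tls13"] else "no")
    print("  verdict        :", "OK" if finding["ok"] else "NEEDS ATTENTION")
```

Run it once against the `azureedge.net` endpoint and once against the origin's own hostname; for the situation in the question the expected picture is TLS 1.0/1.1 listed as legacy-enabled on the origin, and, at the time of the answers above, no TLS 1.3 on either side.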