Take action to stop domain fronting on your application before 8 January 2024

KBadejo 75 Reputation points
2023-11-09T19:55:54.1+00:00

Hello I got this email from Microsoft,

You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic).

We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions.

The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months:

Recommended action

If your application or API uses a different TLS SNI extension than the request Host header, and these two values aren’t added as domains to Azure Front Door in the same subscription, you’ll need to update your application or API by 8 January 2024, to avoid any potential impact from this change.

If you need any further assistance, please submit a support request with your subscription details and your Front Door or Azure CDN from Microsoft resource information.

The thing is we have 3 Front Door and CDN profile, but all of them premium.

So except the above mail is informational, what should I do to avoid our services being affected come 8 January 2024? or does it resolve automatically?

Thanks

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
593 questions
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee
    2023-12-21T07:11:54.0966667+00:00

    @KBadejo Srinivas Bhimireddy Tim Friesen Mateo Parra Simon Gebriel Mekonen Sreenath HS Ihsan Izwer

    Thank you for your patience here.

    I got an update from the product team.

    To provide you with more time and additional assistance, we have decided to postpone the enforcement date to January 22, 2024. This means you will have more time to make informed decisions on domain fronting and avoid any service disruption. We are also introducing two new log fields to help you identify if an Azure Front Door or Azure CDN from Microsoft (classic) resources display domain fronting behavior. The new log fields will be available on December 25, 2023. It may require up to two weeks for the enforcement of blocking changes to propagate on the global PoPs (point of presences) starting from January 22, 2024.

    How can I check if my Azure Front Door and Azure CDN Standard from Microsoft (classic) resources display domain fronting behavior? 

    Azure Front Door will introduce two new log fields, which will be available by the week of December 25, 2023.

    • Result- which will indicate if there is a SNI and host mismatch. When you see “SSLMismatchedSNI under the Result field, it means the request passed through successfully, but with a warning of a mismatch. Such request would be rejected by Azure Front Door after January 22, 2024, due to violating domain fronting. When you see SSLMismatchedSNI under ErrorInfo, it means the request was already blocked by domain fronting.
    • Sni - which will provide the specific SNI to compare with host from requestUri for further actions.

    Once the log fields are supported, you need to enable access log and run the following query to obtain the list of domains with SNI/host mismatch. You can adjust the query per your needs. 

    Note: To run the query for Azure CDN Standard from Microsoft (classic), please replace the first where condition with | where ResourceProvider == "MICROSOFT.CDN" and Category == "AzureCdnAccessLog". To run the query for Azure Front Door (classic), please replace the first where with | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog".

     

    AzureDiagnostics 

    //AFD standard/premium, run this to determine if any of the resources have domain fronting behavior
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

    | where result_s  == "SSLMismatchedSNI" or errorInfo_s == "SSLMismatchedSNI"

    | project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

     

    AzureDiagnostics 

    //AFD standard/premium, run this to determine if any of the resources have domain fronting behavior but not have domain fronting blocking enabled
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

    | where result_s  == "SSLMismatchedSNI" 

    | project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

     

    AzureDiagnostics 

    //AFD standard/premium, run this to determine if any of the resources have domain fronting behavior and have domain fronting blocking enabled. 
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

    | where result_s  == "SSLMismatchedSNI" 

    | project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

    The information above is shared by the product team in the blogpost below.

    https://techcommunity.microsoft.com/t5/azure-networking-blog/prohibiting-domain-fronting-with-azure-front-door-and-azure-cdn/ba-p/4006619

    Please follow the documentation below to enable diagnostic logging.

    AFD: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs

    CDN: https://learn.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs#enable-logging-with-the-azure-portal

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

0 additional answers

Sort by: Most helpful