Microsoft Azure released a new update for Front Door and CDN. I use CDN integration with a storage account for my app users to retrieve content in the browser. If there are any issues on my app side fetching your update, please check

Narayanan 0

ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2023-11-16T01:24:06.48+00:00

@Narayanan

Thank you for reaching out. I did not understand the exact issue here, can you please elaborate? and share any error received. Thank you!

Narayanan 0

Azure Front Door and Azure CDN Standard from Microsoft (classic) will block domain fronting for existing resources beginning on January 8, 2024.


Take action to stop domain fronting on your application before 8 January 2024 You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic). We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions. The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months: On 29 April 2022, we introduced an option to enable blocking domain fronting for existing or newly created resources of these types by submitting a support request. You can find more information on this feature on the Generally available: Controls to block domain fronting behavior on customer resources update. On 8 November 2022, we implemented a new policy that blocks any HTTP request that exhibits domain fronting behavior on any resource of these types that was created after this date. You can learn more about this policy on the Generally available: Block domain fronting behavior on newly created customer resources update. On 25 September 2023, we revised the domain fronting blocking restrictions for Azure Front Door based on customer feedback and security considerations. We now allow requests with mismatch TLS SNI extension and host headers if both values are added as domains to Azure Front Door in the same subscription. You can read more about this update on the General availability: Domain fronting update on Azure Front Door and Azure CDN update. Recommended action If your application or API uses a different TLS SNI extension than the request Host header, and these two values aren’t added as domains to Azure Front Door in the same subscription, you’ll need to update your application or API by 8 January 2024, to avoid any potential impact from this change. If you need any further assistance, please submit a support request with your subscription details and your Front Door or Azure CDN from Microsoft resource information.

Take action to stop domain fronting on your application before 8 January 2024 You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic). We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions. The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months: On 29 April 2022, we introduced an option to enable blocking domain fronting for existing or newly created resources of these types by submitting a support request. You can find more information on this feature on the Generally available: Controls to block domain fronting behavior on customer resources update. On 8 November 2022, we implemented a new policy that blocks any HTTP request that exhibits domain fronting behavior on any resource of these types that was created after this date. You can learn more about this policy on the Generally available: Block domain fronting behavior on newly created customer resources update. On 25 September 2023, we revised the domain fronting blocking restrictions for Azure Front Door based on customer feedback and security considerations. We now allow requests with mismatch TLS SNI extension and host headers if both values are added as domains to Azure Front Door in the same subscription. You can read more about this update on the General availability: Domain fronting update on Azure Front Door and Azure CDN update. Recommended action If your application or API uses a different TLS SNI extension than the request Host header, and these two values aren’t added as domains to Azure Front Door in the same subscription, you’ll need to update your application or API by 8 January 2024, to avoid any potential impact from this change. If you need any further assistance, please submit a support request with your subscription details and your Front Door or Azure CDN from Microsoft resource information.

In the Azure portal, this was sent on my behalf. However, I haven't hosted my application using Front Door; instead, I'm using CDN with a backend pool on a Storage account to retrieve certain objects. Moreover, my endpoint is configured to use the HTTPS protocol. So, my concern is whether this update will impact my application's ability to retrieve objects or not.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2023-11-17T02:53:34.69+00:00
@Narayanan

Thank you for sharing additional information.

Just for some background as documented here. Domain fronting is a networking technique that enables a backend domain to utilize the security credentials of a fronting domain. For example, if you have two domains under the same content delivery network (CDN), domain #1 may have certain restrictions placed on it (regional access limitations, etc.) that domain #2 does not. By taking the valid domain #2 and placing it into the SNI header, and then using domain #1 in the HTTP header, it’s possible to circumvent those restrictions. To the outside observer, all subsequent traffic appears to be headed to the fronting domain, with no ability to discern the intended destination for particular user requests within that traffic. It is possible that the fronting domain and the backend domain do not belong to the same owner.

I understand you are using CDN integrated with your storage account and you have configured HTTPS. Can you please provide the information below?

Can you please share what CDN SKU you are using?

Can you please confirm if your CDN Profile has been created before November 8, 2022? because the Microsoft Standard CDN (classic) Profiles created after November 8, 2022 will have the domain fronting block feature enabled by default.

Thank you!
Narayanan 0 Reputation points

2023-11-17T06:11:46.5033333+00:00

@ChaitanyaNaykodi-MSFT

I'm using the CDN SKU in the Classic tier.
I have two CDNs: one was created before November 8, 2022, and the other was created in February 2023.

Thank you!
Narayanan 0 Reputation points

2023-11-20T07:32:30.6233333+00:00

@ChaitanyaNaykodi-MSFT

Dear ChaitanyaNaykodi-MSFT, we are awaiting your response. Kindly confirm whether any changes are needed on our end or if no adjustments are required.

Thank you!
ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2023-11-22T02:47:03.9066667+00:00

@Narayanan

Thank you for sharing additional details here.

For the CDN profile created in February 2023 there will not be any impact as the domain fronting feature is enabled by default for it.

Regarding the CDN profile created before November 8, 2022, the product team is currently working a on a feature which will help identify if there will be any impact and they will be releasing it in the upcoming weeks. I will keep you posted as soon as the feature is available. Thank you!
Narayanan Devarajan 0 Reputation points

2023-11-24T06:44:10.9833333+00:00

@ChaitanyaNaykodi-MSFT

Thank you for your kind reply.

I created a CDN resource before November 8, 2022. Could you please provide guidance on what steps I should take to ensure there are no impacts on my applications?..

Thank you!
ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2023-11-29T01:56:34.77+00:00

@Narayanan

Thank you for getting back and apologies for the delay here. I have highlighted this issue internally and will share an update shortly.
Narayanan Devarajan 0 Reputation points

2023-11-29T06:26:01.9866667+00:00

@ChaitanyaNaykodi-MSFT

Okay, please update me as soon as possible. I'm waiting for your response before making any changes to my CDN configuration.

Thank you!
ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2023-11-29T06:57:54.9833333+00:00

@Narayanan

Thank you for getting back. I got a response back from the team.

The product team is currently working on a feature which will help determine the impact of this change for your Azure CDN. This feature planned to be rolled out by mid of December and I will keep you posted as soon as I hear back from them. Thank you!
Narayanan Devarajan 0 Reputation points

2023-11-29T13:53:28.74+00:00

@ChaitanyaNaykodi-MSFT

Thank you for your reply. I'm waiting for your update.

Thank you!

2 answers

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2023-12-21T07:16:17.2466667+00:00

@Narayanan

Thank you for your patience here.

I got an update from the product team below. Please follow the guideline below for you Azure CDN.

To provide you with more time and additional assistance, we have decided to postpone the enforcement date to January 22, 2024. This means you will have more time to make informed decisions on domain fronting and avoid any service disruption. We are also introducing two new log fields to help you identify if an Azure Front Door or Azure CDN from Microsoft (classic) resources display domain fronting behavior. The new log fields will be available on December 25, 2023. It may require up to two weeks for the enforcement of blocking changes to propagate on the global PoPs (point of presences) starting from January 22, 2024.

How can I check if my Azure Front Door and Azure CDN Standard from Microsoft (classic) resources display domain fronting behavior?

Azure Front Door will introduce two new log fields, which will be available by the week of December 25, 2023.

Result- which will indicate if there is a SNI and host mismatch. When you see “SSLMismatchedSNI under the Result field, it means the request passed through successfully, but with a warning of a mismatch. Such request would be rejected by Azure Front Door after January 22, 2024, due to violating domain fronting. When you see SSLMismatchedSNI under ErrorInfo, it means the request was already blocked by domain fronting.

Sni - which will provide the specific SNI to compare with host from requestUri for further actions.

Once the log fields are supported, you need to enable access log and run the following query to obtain the list of domains with SNI/host mismatch. You can adjust the query per your needs.

Note: To run the query for Azure CDN Standard from Microsoft (classic), please replace the first where condition with | where ResourceProvider == "MICROSOFT.CDN" and Category == "AzureCdnAccessLog". To run the query for Azure Front Door (classic), please replace the first where with | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog".

AzureDiagnostics

//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior

| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

| where result_s == "SSLMismatchedSNI" or errorInfo_s == "SSLMismatchedSNI"

| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

AzureDiagnostics

//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior but not have domain fronting blocking enabled

| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

| where result_s == "SSLMismatchedSNI"

| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

AzureDiagnostics

//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior and have domain fronting blocking enabled.

| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

| where result_s == "SSLMismatchedSNI"

| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

The information above is shared by the product team in the blogpost below.

https://techcommunity.microsoft.com/t5/azure-networking-blog/prohibiting-domain-fronting-with-azure-front-door-and-azure-cdn/ba-p/4006619

Please follow the documentation below to enable diagnostic logging.

AFD: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs

CDN: https://learn.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs#enable-logging-with-the-azure-portal

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
dough_boat 11 Reputation points

2024-01-02T11:17:41.9933333+00:00

@ChaitanyaNaykodi-MSFT Do you know if the "two new log fields, which will be available by the week of December 25, 2023" have actually been rolled out already?

I just enabled the logs for my CDN, and I only see the following fields:

Tenantid

TimeGenerated [UTC]

Resourceld

Category

ResourceGroup

Subscriptionld

ResourceProvider

Resource

ResourceType

OperationName

requestUri_s

httpStatusCode_d

userAgent_s

httpMethod_s

httpVersion_s

SourceSystem

Type

Resourceld

According to your guide, I should be able to see "result_s" or "errorInfo_s".

I am using Azure CDN Standard from Microsoft (classic), so I am filtering by Category == "AzureCdnAccessLog"

Narayanan 0 Reputation points

2024-01-19T09:44:20.8566667+00:00

@ChaitanyaNaykodi-MSFT

I appreciate your prior assistance. I have some questions again, so please provide clarifications. So kindly recommend me

Currently, in our Azure environment, we are utilizing seven Application Insights. I have received an email indicating that some action is required. It states, "Classic Application Insights will be retired on 29 February 2024—migrate to workspace-based Application Insights." Does this mean that our seven Application Insights will be retired on 29th February? If so, what steps should we take? Do we need to create a workspace monitor, and if I create it, will it function similarly to Application Insights?

ping here that mail

We're retiring classic application insights in Azure Monitor on 29 February 2024. Classic application insights will be retired on 29 February 2024—migrate to workspace-based application insights You're receiving this email because you use classic application insights in Azure Monitor. On 29 February 2024, classic application insights in Azure Monitor will be retired and you'll need to migrate your resources to workspace-based application insights by that date. As part of this change, beginning 1 September 2023, any new application insights resources you create will be workspace-based. Workspace-based application insights offers improved functionality such as: • Continuous export of app logs via diagnostic settings. • The ability to collect data from multiple resources in a single Azure Monitor log analytics workspace. • Enhanced encryption and optimization with a dedicated cluster. • New options to reduce costs. Although most customers' pricing will remain the same, some may experience a change associated with this migration. Use the Azure pricing calculator to confirm your pricing. Required action To avoid any disruptions in service, migrate your resources to workspace-based application insights by 29 February 2024. More information If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, please create a support request: 1. For Summary, type a description of your issue. 2. For Issue type, select Technical. 3. For Subscription, select your subscription. 4. For Service, select My services. 5. For Service type, select Application Insights. 6. For Resource, select the resource you need help with. 7. For Problem type, select Deprecated Features. 8. For Problem subtype, select Migrate from Classic to Log Analytics based Application Insights. Account Information Subscription ID: 5f2f1c3f-2766-4018-b2d2-4981e98dedbe Please help us improve our communication by telling us what you think about this email in a survey. This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy. Please read our Privacy Statement. This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

Narayanan 0 Reputation points

2024-01-25T10:47:09.81+00:00

@ChaitanyaNaykodi-MSFT I appreciate your prior assistance. I have some questions again, so please provide clarifications. So kindly recommend me Currently, in our Azure environment, we are utilizing seven Application Insights. I have received an email indicating that some action is required. It states, "Classic Application Insights will be retired on 29 February 2024—migrate to workspace-based Application Insights." Does this mean that our seven Application Insights will be retired on 29th February? If so, what steps should we take? Do we need to create a workspace monitor, and if I create it, will it function similarly to Application Insights? ping here that mail

We're retiring classic application insights in Azure Monitor on 29 February 2024. Classic application insights will be retired on 29 February 2024—migrate to workspace-based application insights You're receiving this email because you use classic application insights in Azure Monitor. On 29 February 2024, classic application insights in Azure Monitor will be retired and you'll need to migrate your resources to workspace-based application insights by that date. As part of this change, beginning 1 September 2023, any new application insights resources you create will be workspace-based. Workspace-based application insights offers improved functionality such as: • Continuous export of app logs via diagnostic settings. • The ability to collect data from multiple resources in a single Azure Monitor log analytics workspace. • Enhanced encryption and optimization with a dedicated cluster. • New options to reduce costs. Although most customers' pricing will remain the same, some may experience a change associated with this migration. Use the Azure pricing calculator to confirm your pricing. Required action To avoid any disruptions in service, migrate your resources to workspace-based application insights by 29 February 2024. More information If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, please create a support request: 1. For Summary, type a description of your issue. 2. For Issue type, select Technical. 3. For Subscription, select your subscription. 4. For Service, select My services. 5. For Service type, select Application Insights. 6. For Resource, select the resource you need help with. 7. For Problem type, select Deprecated Features. 8. For Problem subtype, select Migrate from Classic to Log Analytics based Application Insights. Account Information Subscription ID: 5f2f1c3f-2766-4018-b2d2-4981e98dedbe Please help us improve our communication by telling us what you think about this email in a survey. This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy. Please read our Privacy Statement. This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

ChaitanyaNaykodi-MSFT 23,181 Reputation points Microsoft Employee

2024-02-07T01:40:12.8566667+00:00

@Narayanan
Apologies for missing out on your reply above. Actually, the issue above related to Azure application insights is out of my expertise. Can you please create a new question with "Azure Monitor" tag? and someone from Monitoring team will provide help.
Sign in to comment