Thank you for your patience here.
I got an update from the product team below. Please follow the guideline below for you Azure CDN.
To provide you with more time and additional assistance, we have decided to postpone the enforcement date to January 22, 2024. This means you will have more time to make informed decisions on domain fronting and avoid any service disruption. We are also introducing two new log fields to help you identify if an Azure Front Door or Azure CDN from Microsoft (classic) resources display domain fronting behavior. The new log fields will be available on December 25, 2023. It may require up to two weeks for the enforcement of blocking changes to propagate on the global PoPs (point of presences) starting from January 22, 2024.
How can I check if my Azure Front Door and Azure CDN Standard from Microsoft (classic) resources display domain fronting behavior?
Azure Front Door will introduce two new log fields, which will be available by the week of December 25, 2023.
Result- which will indicate if there is a SNI and host mismatch. When you see “SSLMismatchedSNI under the Result field, it means the request passed through successfully, but with a warning of a mismatch. Such request would be rejected by Azure Front Door after January 22, 2024, due to violating domain fronting. When you see SSLMismatchedSNI under ErrorInfo, it means the request was already blocked by domain fronting.
Sni - which will provide the specific SNI to compare with host from requestUri for further actions.
Once the log fields are supported, you need to enable access log and run the following query to obtain the list of domains with SNI/host mismatch. You can adjust the query per your needs.
Note: To run the query for Azure CDN Standard from Microsoft (classic), please replace the first where condition with | where ResourceProvider == "MICROSOFT.CDN" and Category == "AzureCdnAccessLog". To run the query for Azure Front Door (classic), please replace the first where with | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog".
AzureDiagnostics
//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where result_s == "SSLMismatchedSNI" or errorInfo_s == "SSLMismatchedSNI"
| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s
AzureDiagnostics
//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior but not have domain fronting blocking enabled
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where result_s == "SSLMismatchedSNI"
| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s
AzureDiagnostics
//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior and have domain fronting blocking enabled.
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where result_s == "SSLMismatchedSNI"
| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s
The information above is shared by the product team in the blogpost below.
Please follow the documentation below to enable diagnostic logging.
AFD: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.