Microsoft Azure released a new update for Front Door and CDN. I use CDN integration with a storage account for my app users to retrieve content in the browser. If there are any issues on my app side fetching your update, please check

Narayanan 0 Reputation points
2023-11-15T14:29:27.32+00:00

Microsoft Azure released a new update for Front Door and CDN. I use CDN integration with a storage account for my app users to retrieve content in the browser. If there are any issues on my app side fetching your update, please check

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
677 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,149 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,757 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

  2. ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
    2023-12-21T07:16:17.2466667+00:00

    @Narayanan

    Thank you for your patience here.

    I got an update from the product team below. Please follow the guideline below for you Azure CDN.

    To provide you with more time and additional assistance, we have decided to postpone the enforcement date to January 22, 2024. This means you will have more time to make informed decisions on domain fronting and avoid any service disruption. We are also introducing two new log fields to help you identify if an Azure Front Door or Azure CDN from Microsoft (classic) resources display domain fronting behavior. The new log fields will be available on December 25, 2023. It may require up to two weeks for the enforcement of blocking changes to propagate on the global PoPs (point of presences) starting from January 22, 2024.

    How can I check if my Azure Front Door and Azure CDN Standard from Microsoft (classic) resources display domain fronting behavior? 

    Azure Front Door will introduce two new log fields, which will be available by the week of December 25, 2023.

    Result- which will indicate if there is a SNI and host mismatch. When you see “SSLMismatchedSNI under the Result field, it means the request passed through successfully, but with a warning of a mismatch. Such request would be rejected by Azure Front Door after January 22, 2024, due to violating domain fronting. When you see SSLMismatchedSNI under ErrorInfo, it means the request was already blocked by domain fronting.

    Sni - which will provide the specific SNI to compare with host from requestUri for further actions.

    Once the log fields are supported, you need to enable access log and run the following query to obtain the list of domains with SNI/host mismatch. You can adjust the query per your needs. 

    Note: To run the query for Azure CDN Standard from Microsoft (classic), please replace the first where condition with | where ResourceProvider == "MICROSOFT.CDN" and Category == "AzureCdnAccessLog". To run the query for Azure Front Door (classic), please replace the first where with | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog".

     

    AzureDiagnostics 

    //AFD standard/premium, run this to determine if any of the resources have domain fronting behavior

    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

    | where result_s  == "SSLMismatchedSNI" or errorInfo_s == "SSLMismatchedSNI"

    | project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

     

    AzureDiagnostics 

    //AFD standard/premium, run this to determine if any of the resources have domain fronting behavior but not have domain fronting blocking enabled

    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

    | where result_s  == "SSLMismatchedSNI" 

    | project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

     

    AzureDiagnostics 

    //AFD standard/premium, run this to determine if any of the resources have domain fronting behavior and have domain fronting blocking enabled. 

    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

    | where result_s  == "SSLMismatchedSNI" 

    | project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

    The information above is shared by the product team in the blogpost below.

    https://techcommunity.microsoft.com/t5/azure-networking-blog/prohibiting-domain-fronting-with-azure-front-door-and-azure-cdn/ba-p/4006619

    Please follow the documentation below to enable diagnostic logging.

    AFD: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs

    CDN: https://learn.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs#enable-logging-with-the-azure-portal

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.