Microsoft Azure released a new update for Front Door and CDN. I use CDN integration with a storage account for my app users to retrieve content in the browser. If there are any issues on my app side fetching your update, please check
Azure Front Door
Azure Storage Accounts
Azure App Service
-
ChaitanyaNaykodi-MSFT 17,661 Reputation points • Microsoft Employee
2023-11-16T01:24:06.48+00:00 Thank you for reaching out. I did not understand the exact issue here. Can you please elaborate and share any error received? Thank you!
-
Narayanan 0 Reputation points
2023-11-16T06:10:45.8833333+00:00 Azure Front Door and Azure CDN Standard from Microsoft (classic) will block domain fronting for existing resources beginning on January 8, 2024.
Take action to stop domain fronting on your application before 8 January 2024
You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic). We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions.
The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months:
- On 29 April 2022, we introduced an option to enable blocking domain fronting for existing or newly created resources of these types by submitting a support request. You can find more information on this feature on the Generally available: Controls to block domain fronting behavior on customer resources update.
- On 8 November 2022, we implemented a new policy that blocks any HTTP request that exhibits domain fronting behavior on any resource of these types that was created after this date. You can learn more about this policy on the Generally available: Block domain fronting behavior on newly created customer resources update.
- On 25 September 2023, we revised the domain fronting blocking restrictions for Azure Front Door based on customer feedback and security considerations. We now allow requests with mismatch TLS SNI extension and host headers if both values are added as domains to Azure Front Door in the same subscription. You can read more about this update on the General availability: Domain fronting update on Azure Front Door and Azure CDN update.
Recommended action
If your application or API uses a different TLS SNI extension than the request Host header, and these two values aren’t added as domains to Azure Front Door in the same subscription, you’ll need to update your application or API by 8 January 2024, to avoid any potential impact from this change. If you need any further assistance, please submit a support request with your subscription details and your Front Door or Azure CDN from Microsoft resource information.
In the Azure portal, this was sent on my behalf. However, I haven't hosted my application using Front Door; instead, I'm using CDN with a backend pool on a Storage account to retrieve certain objects. Moreover, my endpoint is configured to use the HTTPS protocol. So, my concern is whether this update will impact my application's ability to retrieve objects or not.
-
ChaitanyaNaykodi-MSFT 17,661 Reputation points • Microsoft Employee
2023-11-17T02:53:34.69+00:00 Thank you for sharing additional information.
Just for some background as documented here. Domain fronting is a networking technique that enables a backend domain to utilize the security credentials of a fronting domain. For example, if you have two domains under the same content delivery network (CDN), domain #1 may have certain restrictions placed on it (regional access limitations, etc.) that domain #2 does not. By taking the valid domain #2 and placing it into the SNI header, and then using domain #1 in the HTTP header, it’s possible to circumvent those restrictions. To the outside observer, all subsequent traffic appears to be headed to the fronting domain, with no ability to discern the intended destination for particular user requests within that traffic. It is possible that the fronting domain and the backend domain do not belong to the same owner.
I understand you are using CDN integrated with your storage account and you have configured HTTPS. Can you please provide the information below?
- Can you please share what CDN SKU you are using?
- Can you please confirm whether your CDN Profile was created before November 8, 2022? The Microsoft Standard CDN (classic) Profiles created after November 8, 2022 will have the domain fronting block feature enabled by default.
Thank you!
-
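The rule quoted in the email above (a request is blocked when its TLS SNI and Host header differ, unless both values are added as domains in the same subscription) can be applied to client-side or proxy logs to see which requests would be affected. This is an added example, not part of the thread and not Microsoft's implementation; the log format, field names and domain names are constructed, and `SUBSCRIPTION_DOMAINS` is a hypothetical stand-in for the domains added to your own profile.

```python
# Added example: applies the SNI/Host rule quoted in the email to log records.
# Not Azure's implementation; log format and domain names are constructed.
from collections import Counter

SAMPLE_LOG = """\
ts=2023-12-01T10:00:00Z sni=cdn.contoso.example host=cdn.contoso.example
ts=2023-12-01T10:00:01Z sni=cdn.contoso.example host=CDN.Contoso.Example:443
ts=2023-12-01T10:00:02Z sni=cdn.contoso.example host=assets.contoso.example
ts=2023-12-01T10:00:03Z sni=cdn.contoso.example host=other.fabrikam.example
"""
# Hypothetical: domains added to the profile in the same subscription.
SUBSCRIPTION_DOMAINS = {"cdn.contoso.example", "assets.contoso.example"}

def normalize(name):
    """Lowercase a hostname and drop any :port suffix and trailing dot."""
    name = name.strip().lower()
    if name.startswith("["):                 # bracketed IPv6 literal in Host
        return name.split("]")[0] + "]"
    if ":" in name:
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")

def classify(sni, host, subscription_domains):
    """Return 'match', 'mismatch-allowed' or 'mismatch-blocked'."""
    sni_n, host_n = normalize(sni), normalize(host)
    if sni_n == host_n:
        return "match"
    registered = {normalize(d) for d in subscription_domains}
    if sni_n in registered and host_n in registered:
        return "mismatch-allowed"            # both values are known domains
    return "mismatch-blocked"                # exhibits domain fronting behavior

def parse_line(line):
    """Extract (sni, host) from one key=value log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["sni"], fields["host"]

def audit(lines, subscription_domains):
    """Count verdicts and collect the lines that would be blocked."""
    counts, flagged = Counter(), []
    for line in filter(None, (l.strip() for l in lines)):
        verdict = classify(*parse_line(line), subscription_domains)
        counts[verdict] += 1
        if verdict == "mismatch-blocked":
            flagged.append(line)
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_LOG.splitlines(), SUBSCRIPTION_DOMAINS)
    print(dict(counts))
    print("\n".join(flagged))
```

A browser fetching objects directly from the CDN endpoint sends the same name in SNI and Host, so its requests fall in the `match` bucket; the flagged lines are the ones to fix before the change takes effect.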
-
Narayanan 0 Reputation points
2023-11-20T07:32:30.6233333+00:00 Dear ChaitanyaNaykodi-MSFT, we are awaiting your response. Kindly confirm whether any changes are needed on our end or if no adjustments are required.
Thank you!
-
ChaitanyaNaykodi-MSFT 17,661 Reputation points • Microsoft Employee
2023-11-22T02:47:03.9066667+00:00 Thank you for sharing additional details here.
For the CDN profile created in February 2023 there will not be any impact as the domain fronting feature is enabled by default for it.
Regarding the CDN profile created before November 8, 2022, the product team is currently working on a feature which will help identify if there will be any impact and they will be releasing it in the upcoming weeks. I will keep you posted as soon as the feature is available. Thank you!
-
Narayanan Devarajan 0 Reputation points
2023-11-24T06:44:10.9833333+00:00 Thank you for your kind reply.
I created a CDN resource before November 8, 2022. Could you please provide guidance on what steps I should take to ensure there are no impacts on my applications?
Thank you!
-
ChaitanyaNaykodi-MSFT 17,661 Reputation points • Microsoft Employee
2023-11-29T01:56:34.77+00:00 Thank you for getting back and apologies for the delay here. I have highlighted this issue internally and will share an update shortly.
-
Narayanan Devarajan 0 Reputation points
2023-11-29T06:26:01.9866667+00:00 Okay, please update me as soon as possible. I'm waiting for your response before making any changes to my CDN configuration.
Thank you!
-
ChaitanyaNaykodi-MSFT 17,661 Reputation points • Microsoft Employee
2023-11-29T06:57:54.9833333+00:00 Thank you for getting back. I got a response back from the team.
The product team is currently working on a feature which will help determine the impact of this change for your Azure CDN. This feature is planned to be rolled out by mid-December and I will keep you posted as soon as I hear back from them. Thank you!
-
Narayanan Devarajan 0 Reputation points
2023-11-29T13:53:28.74+00:00