How to limit Azure Front Door Cipher Suites Manually?

Aidin Azimi 50 Reputation points
2023-06-02T07:48:57.93+00:00

Hi,

Right now there is a preview feature for Min TLS Cipher Suite on app Services and I know that we have a premium feature for End-to-end TLS with Azure Front Door.

We are using Azure Front Door for our Static Website and we have the Premium tier selected.

There is an issue with one of our Pen Tests which we need to limit the Front Door Cipher suites even more.

When we set the TLS to 1.2 we still have the Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 in the list which based on our PenTest Results, they should be removed since they considered medium Security level.

Is there any possibility for a feature to have same functionality of Min TLS on AppServices in Azure Front Door?

Any API Calls or Cli configuration would also be fine for us, as far as the possiblity to select the minimum Cipher Suites manually for Azure Front Door.

Or is there any CDN possiblity in Azure which we can use to give us the flexibility to select the Cipher suites?

Best,

Aidin Azimi

AppsFactory GmbH

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
708 questions
{count} votes

6 answers

Sort by: Most helpful
  1. Lee Cashion 75 Reputation points
    2024-03-28T19:54:49.89+00:00
    • It is the end of March 2024, and the solution for TLS Ciphers has NOT been seen. Makes me wonder if we need to look to move away from Front Door.
    7 people found this answer helpful.

  2. ChaitanyaNaykodi-MSFT 26,861 Reputation points Microsoft Employee
    2024-04-30T17:18:32.86+00:00

    @Aidin Azimi @James Tewes Admin Christopher Rodgers Crain, Cliff Andrew Cliffe Embers99 Shelton, Chris SITI-PTIY/BAA Maarten Lee Cashion

    Apologies for the prolonged silence here and delay. I heard back from the team and they are close to releasing this feature. Initially the feature will be released in private preview. If you wish to participate in the private preview feature, please send an email as requested below and I will share more details on how to enroll for this preview.

    Please send an email to azcommunity@microsoft.com with the below details.

    Subject: Attn Chaitanya

    Thread URL: Link to this thread.

    Thank you! Please let us know if you have any questions.

    5 people found this answer helpful.

  3. ChaitanyaNaykodi-MSFT 26,861 Reputation points Microsoft Employee
    2023-07-03T21:45:26.1933333+00:00

    @Aidin Azimi , @James Tewes Admin

    Thank you for reaching out and apologies for the delay here.

    Currently disabling specific ciphers is not supported for Azure Front Door. The team is actively working on this feature, and it will be rolled out soon. The current target is to release this as preview feature by 4th quarter 2023. I will update this thread if there is any change in the timeline.

    Hope this helps! Please let me know if you have any additional questions.

    Thank you!


    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.

  4. VasimTamboli 5,095 Reputation points
    2023-06-02T15:45:07.4666667+00:00

    Hello Aidin Azimi,

    Currently, Azure Front Door does not provide a built-in feature to manually limit the cipher suites. However, you can achieve this by using Azure Application Gateway in combination with Azure Front Door.

    Here's an approach you can follow:

    Set up Azure Application Gateway: Deploy an Azure Application Gateway in front of your Azure Front Door. Azure Application Gateway provides more granular control over the cipher suites and TLS settings.

    Configure Cipher Suites on Azure Application Gateway: Configure the cipher suites on the Azure Application Gateway to include only the desired ones, excluding TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. You can use the PowerShell or Azure CLI to configure the Application Gateway with the desired cipher suites.

    Route Traffic to Azure Front Door: Configure the Azure Application Gateway to route the traffic to your Azure Front Door backend. This way, all incoming requests will pass through the Application Gateway before reaching Azure Front Door.

    By using this setup, you can have more control over the cipher suites and TLS settings by configuring them on the Azure Application Gateway. This gives you the flexibility to limit the cipher suites based on your specific security requirements.

    Alternatively, if you are looking for CDN options in Azure, you can consider using Azure CDN. Azure CDN also provides features like TLS termination and allows you to configure the supported cipher suites. You can configure Azure CDN to front your static website and apply the desired cipher suite settings.

    Please note that both Azure Application Gateway and Azure CDN have their own pricing and considerations. Evaluate and choose the option that best fits your requirements and budget.

    I hope this information helps you in achieving your desired cipher suite configuration for Azure Front Door. If you have any further questions, feel free to ask!

    2 people found this answer helpful.

  5. Embers99 50 Reputation points
    2024-02-28T12:32:20.63+00:00

    Any update on this feature? 2023 has now past and we are in the same position of having pen tests flag weak ciphers which we must remediate. Thanks.

    2 people found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.