MC236026: changes to private CDN


This question is posted as a knee-jerk reaction to the subject Message Center announcement and is made mostly in ignorance of the current arrangements for CDNs, so feel free to point out basic errors and incorrect assumptions.

 

MC236026 announces that private CDNs for SPO will be moving from Akamai to Azure in Q2. Does this represent any change in the URL hostnames or paths we are likely to see for CDNs?

 

O365 URL and IPs (a regular document all of us managing access through a web proxy or firewall are drearily familiar with) includes a wildcard *.sharepointonline.com which in turn will automatically include both publiccdn.sharepointonline.com/<tenant>.sharepoint.com/sites/... and privatecdn.sharepointonline.com/<tenant>.sharepoint.com/sites/...

 

One of the attractions of SPO for me has been that the core resource, <tenant>.sharepoint.com is named rather than being obfuscated behind an indeterminate reference. I can distinguish between my tenancy and others. Not all security solutions are sensitive to paths, and PAC files are not (because most browsers cache at the host name).

 

Should I therefore regard publiccdn and privatecdn.sharepointonline.com as risks if I cannot distinguish whose content is in there? Will my tenancy automatically have CDNs even if none have been configured by our admin?

1 Reply

@ExMSW4319 I'm guessing you currently allow the Akamai CDN through as it's in the default Required category. This currently carries all the public and private CDN traffic prior to this change, so you've never been able to tell the difference between Public and Private CDN traffic previously. I don't think this change makes any difference to the access to the data that is served.
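The hostname-versus-path point raised in the question, as an added example that is not part of either post: a host-only rule built from the `*.sharepointonline.com` wildcard treats every tenant's CDN content alike, while a control that sees the full URL can read the tenant from the first path segment. It assumes the URL layout quoted in the question and a proxy that can see request paths; `contoso` and `fabrikam` are placeholder tenant names, and the function names are hypothetical.

```javascript
"use strict";

// Suffix taken from the *.sharepointonline.com wildcard quoted in the question.
const WILDCARD_SUFFIX = ".sharepointonline.com";
const CDN_HOSTS = new Map([
  ["publiccdn.sharepointonline.com", "public"],
  ["privatecdn.sharepointonline.com", "private"],
]);
// First path segment is expected to look like <tenant>.sharepoint.com
const TENANT_SEGMENT = /^([a-z0-9-]+)\.sharepoint\.com$/;

// All that a host-only control (PAC file, hostname firewall rule) can decide.
function hostOnlyAllows(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return h.endsWith(WILDCARD_SUFFIX);
}

// What a path-aware proxy can decide when it sees the full URL (assumption).
function classifyCdnRequest(rawUrl, ownTenant) {
  let url;
  try { url = new URL(rawUrl); } catch { return { verdict: "unparseable" }; }
  const host = url.hostname.replace(/\.$/, "");
  const cdn = CDN_HOSTS.get(host) || null;
  if (!cdn) {
    return { verdict: hostOnlyAllows(host) ? "not-cdn" : "host-not-allowed", host };
  }
  let first;
  try {
    // Decode so a percent-encoded tenant segment is compared in normal form.
    first = decodeURIComponent(url.pathname.split("/")[1] || "").toLowerCase();
  } catch { return { verdict: "unknown-tenant", host, cdn }; }
  const m = TENANT_SEGMENT.exec(first);
  if (!m) return { verdict: "unknown-tenant", host, cdn };
  const verdict = m[1] === ownTenant.toLowerCase() ? "own-tenant" : "other-tenant";
  return { verdict, host, cdn, tenant: m[1] };
}

// Constructed sample URLs (not taken from any real log).
const SAMPLES = [
  "https://privatecdn.sharepointonline.com/contoso.sharepoint.com/sites/hr/logo.png",
  "https://publiccdn.sharepointonline.com/fabrikam.sharepoint.com/sites/x/app.js",
  "https://publiccdn.sharepointonline.com/fabrikam%2Esharepoint.com/sites/x/app.js",
  "https://privatecdn.sharepointonline.com.example.net/contoso.sharepoint.com/a.js",
];
for (const u of SAMPLES) {
  const r = classifyCdnRequest(u, "contoso");
  console.log(r.verdict.padEnd(16), `hostOnly=${hostOnlyAllows(new URL(u).hostname)}`, u);
}
```

The first three samples all pass the host-only check, so only the path-aware verdict separates the own-tenant request from the other-tenant ones.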