What's New in Azure Networking – January 2023

Hello Folks,

As @Michael mentioned last month Azure Networking is the foundation of your infrastructure in Azure. So, we’re happy to bring you a monthly update on What’s new in Azure Networking.

In this blog post, we’ll cover what new with Azure Networking.

Block domain fronting behavior on newly created customer resources

Since November 8, 2022, all newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior.

Domain fronting is a technique used to bypass internet controls by making it appear that a connection to a forbidden website is actually a connection to an allowed website. This is done by using a specific hostname that is shared by multiple websites, with the actual destination website being hidden in the Application Layer Protocol (SNI) extension of the Transport Layer Security (TLS) handshake.

If you want to block domain fronting for any existing Azure Front Door, Azure Front Door (classic), or Azure CDN Standard from Microsoft (classic) resources created before November 1, 2022, please open a support request, provide your subscription and Azure Front Door, Azure Front Door (classic), or Azure CDN Standard from Microsoft (classic) resource information in the support request.

Once blocking of domain fronting has been enabled, Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources will block any HTTP requests that exhibit this behavior.

To learn more please visit the documentation page.

References

Azure Front Door and CDN documentation

Introduction to Azure Front Door

Load balance your web service traffic with Front Door

Load balance HTTP(S) traffic in Azure

Feature enhancements to Azure Web Application Firewall (WAF)

Azure’s Web Application Firewall (WAF) running either on Azure Front Door, or Azure’s Application Gateway, now support additional features that help you improve your security posture and make it easier to manage logging across resources.

• SQL injection (SQLi) and cross site scripting (XSS) detection queries: New Azure WAF analytics SQLi and XSS detection rule templates simplify the process of setting up automated detection and response with Microsoft’s security incident & event management (SIEM) service: Microsoft Sentinel. Learn more about 
• Azure policies for WAF logging: The regional WAF on Application Gateway and the global WAF running on Azure Front Door now have built-in Azure policies requiring resource logs and metrics. This allows you to enforce standards for WAF deployments on collecting logs and metrics for further analysis and insights related to security events.
• Increased exclusion limit: CRS 3.2 or greater ruleset now supports exclusions limit up to 200, a 5x increase from older versions.  This increase allows you to have greater customization on how the WAF handles managed rulesets. Learn more about the 
• Bot Manager ruleset exclusion rules: Exclusions are extended to Bot Manager Rule Set 1.0. you can learn more about that in the WAF exclusions documentation
• Uppercase transform on custom rules: You can now handle case sensitivity when creating custom WAF rules using uppercase transform in addition to the lowercase transform. Learn more about WAF custom rules.

Per Rule Actions on regional Web Application Firewall

To continue with more Azure Web Application Firewall (WAF) goodness.  The Azure Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis.

This gives you greater flexibility when deciding how the WAF handles a request that matches a rule’s conditions. The following per rule actions are supported:

• Allow: The request passes through the WAF and is forwarded to the back end. No further lower priority rules can block this request.
• Block: The request is blocked and WAF sends a response to the client without forwarding the request to the back end.
• Log: Request is logged in the WAF logs and WAF continues evaluating lower priority rules.
• Anomaly Scoring: This is the default action for the Core Rule Set where total anomaly score is incrementally increased when a rule with this action is matched. 

For more information regarding “per rule actions”, please visit the regional WAF documentation.

Default Rule Set 2.1 for Azure Web Application Firewall

In November 2022 (Yes, we missed that one last month…) The product Group announced the general availability of the Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) running on Azure Front Door.

DRS 2.1 rules offer better protection than earlier versions of the DRS. It includes additional rules developed by the Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding.  DRS 2.1 includes 17 rule groups, as shown in the table below. Each group contains multiple rules, and you can customize behavior for individual rules, rule groups, or entire rule set.

For more information on what's included in this release, please see Tuning Web Application Firewall (WAF) for Azure Front Door and  managed rules documentation.

References

Introduction to Azure Web Application Firewall

Protect endpoints using Web Application Firewall

Using Microsoft Sentinel with Azure WAF

How to use the new SQLi and XSS detection queries

WAF and Azure Policy

Application Gateway’s limits documentation

12 months free services for new Azure PAYG customers

OK this is not technically a new feature or service but it’s cool that you can now start building with free services.  Over 55 always free services with an Azure free account and Pay-as-you-go.

Therefore, if you are using an Azure Free account or a Pay-as-you-go account 55+ services are free… Always.  (I mean as long as you have the account)

See the list of free services here: Free Services | Microsoft Azure. 

See you next month!

Cheers

Pierre