Hello Folks,
As @Michael mentioned last month, Azure Networking is the foundation of your infrastructure in Azure. So, we’re happy to bring you a monthly update on what’s new in Azure Networking.
In this blog post, we’ll cover what’s new with Azure Networking.
Since November 8, 2022, all newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior.
Domain fronting is a technique used to bypass internet controls by making it appear that a connection to a forbidden website is actually a connection to an allowed website. This is done by using a specific hostname that is shared by multiple websites, with the actual destination website being hidden in the Application Layer Protocol (SNI) extension of the Transport Layer Security (TLS) handshake.
If you want to block domain fronting for any existing Azure Front Door, Azure Front Door (classic), or Azure CDN Standard from Microsoft (classic) resources created before November 1, 2022, please open a support request and provide your subscription and resource information in it.
Once blocking of domain fronting has been enabled, Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources will block any HTTP requests that exhibit this behavior.
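An added example, not from the original post or from Microsoft: a log-review check for the behavior being blocked, assuming the common definition of domain fronting as a TLS SNI that differs from the HTTP Host header. The key=value log format, the hostnames and the allowlist are constructed for illustration, and this is not Front Door's own logic.

```python
from collections import Counter

# Constructed TLS-terminating proxy log lines (not real traffic).
SAMPLE_LOG = """\
ts=2022-12-01T10:00:01Z src=203.0.113.10 sni=www.contoso.example host=www.contoso.example
ts=2022-12-01T10:00:02Z src=203.0.113.11 sni=www.contoso.example host=hidden.fabrikam.example
ts=2022-12-01T10:00:03Z src=203.0.113.11 sni=WWW.Contoso.example. host=www.contoso.example:443
ts=2022-12-01T10:00:04Z src=203.0.113.12 sni=- host=www.contoso.example
ts=2022-12-01T10:00:05Z src=203.0.113.11 sni=www.contoso.example host=hidden.fabrikam.example
ts=2022-12-01T10:00:06Z src=203.0.113.13 sni=api.contoso.example host=www.contoso.example
"""

# Hypothetical allowlist: (sni, host) pairs the operator knows belong to one site.
KNOWN_PAIRS = {("api.contoso.example", "www.contoso.example")}

def normalize(name):
    """Lower-case, drop a trailing dot and :port; '-' or empty means absent."""
    name = (name or "").strip().lower()
    if name in ("", "-"):
        return None
    if not name.startswith("["):          # leave bracketed IPv6 literals alone
        name = name.split(":", 1)[0]
    return name.rstrip(".")

def parse_line(line):
    """Split the key=value fields of one log line into a dict."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def classify(rec, known_pairs=KNOWN_PAIRS):
    sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
    if sni is None or host is None:
        return "incomplete"               # no SNI or no Host: cannot compare
    if sni == host or (sni, host) in known_pairs:
        return "match"
    return "mismatch"

def find_mismatches(log_text):
    """Count (src, sni, host) triples whose SNI and Host header disagree."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == "mismatch":
            hits[(rec.get("src"), normalize(rec["sni"]), normalize(rec["host"]))] += 1
    return hits

if __name__ == "__main__":
    for (src, sni, host), n in find_mismatches(SAMPLE_LOG).most_common():
        print(f"{n}x src={src} sni={sni} host={host}")
```

Requests with no SNI are reported as incomplete, not as mismatches, so they can be reviewed separately.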
To learn more please visit the documentation page.
Azure Front Door and CDN documentation
Introduction to Azure Front Door
Load balance your web service traffic with Front Door
Load balance HTTP(S) traffic in Azure
Azure’s Web Application Firewall (WAF), running either on Azure Front Door or on Azure’s Application Gateway, now supports additional features that help you improve your security posture and make it easier to manage logging across resources.
To continue with more Azure Web Application Firewall (WAF) goodness, the Azure Application Gateway running the Bot Protection rule set and Core Rule Set (CRS) 3.2 or higher now supports setting actions on a rule-by-rule basis.
This gives you greater flexibility when deciding how the WAF handles a request that matches a rule’s conditions. The following per rule actions are supported:
For more information regarding “per rule actions”, please visit the regional WAF documentation.
In November 2022 (yes, we missed that one last month…), the product group announced the general availability of the Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) running on Azure Front Door.
DRS 2.1 rules offer better protection than earlier versions of the DRS. The rule set includes additional rules developed by the Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding. DRS 2.1 includes 17 rule groups, as shown in the table below. Each group contains multiple rules, and you can customize behavior for individual rules, rule groups, or the entire rule set.
Rule group | Description
| General group
| Lock-down methods (PUT, PATCH)
| Protect against protocol and encoding issues
| Protect against header injection, request smuggling, and response splitting
| Protect against file and path attacks
| Protect against remote file inclusion (RFI) attacks
| Protect against remote code execution attacks
| Protect against PHP-injection attacks
| Protect against Node JS attacks
| Protect against cross-site scripting attacks
| Protect against SQL-injection attacks
| Protect against session-fixation attacks
| Protect against JAVA attacks
| Protect against Web shell attacks
| Protect against AppSec attacks
| Protect against SQLI attacks
| Protect against CVE attacks
For more information on what's included in this release, please see Tuning Web Application Firewall (WAF) for Azure Front Door and managed rules documentation.
Introduction to Azure Web Application Firewall
Protect endpoints using Web Application Firewall
Using Microsoft Sentinel with Azure WAF
How to use the new SQLi and XSS detection queries
Application Gateway’s limits documentation
OK, this is not technically a new feature or service, but it’s cool that you can now start building with free services: over 55 always-free services with an Azure free account and Pay-as-you-go.
Therefore, if you are using an Azure free account or a Pay-as-you-go account, 55+ services are free… Always. (I mean, as long as you have the account.)
See the list of free services here: Free Services | Microsoft Azure.
See you next month!
Cheers
Pierre