Wired for Hybrid - What's New in Azure Networking - January 2024 edition

Hello Folks,

 

Azure Networking is the foundation of your infrastructure in Azure. Each month we bring you an update on What’s new in Azure Networking.

 

In this blog post, we’ll cover what's new with Azure Networking in January 2024.  In this blog post, we will cover the following announcements and how they can help you.

 

• Standard and High-Performance VPN Gateway SKUs will be retired
• Migration of Azure Virtual Network injected Azure Data Explorer cluster to Private Endpoints
• Security Update for Azure Front Door and Application Gateway WAF
• Prohibiting Domain Fronting with Azure Front Door and Azure CDN Standard from Microsoft
• Simplified management of Listeners TLS certificates
• Public preview: Private subnet

 

Enjoy!

 

Standard and High-Performance VPN Gateway SKUs will be retired

On 30 September 2025, Basic SKU public IP addresses will be retired in Azure. You can continue to use your existing Basic SKU public IP addresses until then, however, you will no longer be able to create new ones after 31 March 2025.

Standard SKU public IP addresses offer significant improvements, including:

 

• Access to a variety of other Azure products, including Standard Load Balancer, Azure Firewall, and NAT Gateway.
• Security by default—closed to inbound flows unless allowed by a network security group.
• Zone-redundant and zonal front ends for inbound and outbound traffic.

If you have any Basic SKU public IP addresses deployed in Azure Cloud Services (extended support), those deployments will not be affected by this retirement, and you do not need to take any action for them.  Because of the retirement of Basic IP, which Standard and High-Performance SKUs only accept, we will retire these SKUs on 30 September 2025. Starting 1 December 2023, you will no longer be able to create a new gateway with these SKUs.

 

Recommended action: Post December 2024, you will be able to upgrade your Standard/High-Performance gateway SKU to one of the other VPN Gateway SKUs available.

 

If you do not upgrade your gateway by August 2025, your gateway will be automatically upgraded to VPNGw1AZ (Standard) or VPNGw2AZ (High-Performance) after 30 September 2025. 

 

Migration of Azure Virtual Network injected Azure Data Explorer cluster to Private Endpoints

An Azure Virtual Network injected Azure Data Explorer cluster is a cluster that is deployed into a subnet in your Virtual Network (VNet). This enables you to access the cluster privately from your Azure virtual network or on-premises, access resources such as Event Hubs and Azure Storage inside your virtual network and restrict inbound and outbound traffic.

 

Private Endpoint is a network interface that connects your ADX cluster to a private IP address within your VNet. Private endpoints enable you to connect to your ADX cluster using a private IP address within your VNet, without the need for public IP addresses.

 

Microsoft Azure has released a preview feature that allows users to migrate their VNet injected ADX cluster to Private Endpoints with minimal downtime and disruption. This migration is recommended as VNet injection has some limitations and drawbacks, such as increased complexity, reduced scalability, and dependency on public IP addresses.

 

The migration process is simple and can be done using the Azure portal, the ARM template, or any code which uses the ADX SDK 1. For more information on the migration process, prerequisites, and steps to follow, please refer to the detailed documentation article.

 

Resources:

• Azure Data Explorer documentation
• Migrate a Virtual Network injected cluster to private endpoints (Preview)
• Microsoft Azure Data Fundamentals: Explore relational data in Azure
• Data analysis in Azure Data Explorer with Kusto Query Language
• Create dashboards in Azure Data Explorer

Security Update for Azure Front Door and Application Gateway WAF

Front Door and Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits.

Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rule sets are managed by Azure, the rules are updated as needed to protect against new attack signatures.

 

Default rule set also includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.

Customers also have the option of using rules that are defined based on the OWASP (Open Worldwide Application Security Project (OWASP) core rule sets 3.2, 3.1, 3.0, or 2.2.9.

 

At the end of December, we updated our Default Rule Set (DRS) and OWASP has updated the Core Rule Set (CRS) to address the security vulnerability CVE-2023-50164.  (An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution)

Prohibiting Domain Fronting with Azure Front Door and Azure CDN Standard from Microsoft

Domain fronting is a network technique that enables an attacker to conceal the actual destination of a request by sending traffic to a different domain in HTTP host header than the one used in the TLS/SSL handshake.

 

Azure Front Door and Azure CDN Standard from Microsoft (classic) protects against domain fronting occurring on domains hosted across different Azure subscriptions. The Server Name Indication (SNI) in TLS/SSL handshake and HTTP host header, whether they are the same or different, must be configured under the same Azure subscription.

 

Starting from January 22, 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The enforcement of blocking changes may require up to two weeks to propagate on the global PoPs (point of presences) starting from January 22, 2024.

 

To help identify if an Azure Front Door or Azure CDN from Microsoft (classic) resources display domain fronting behavior, two new log fields will be available on December 25, 2023.

 

Resources:

• Prohibiting Domain Fronting with Azure Front Door and Azure CDN
• Azure Networking Blog - Microsoft Community Hub.

Simplified management of Listeners TLS certificates

If you use Application Gateway, you know that terminating TLS (HTTP traffic) can be done on the Gateway to take the burden off the backend resources. Given you many have a large number of backend resources with difference hostnames (FQDNs), this can be challenging to manage. Traditionally, this could only be done with Azure PowerShell or Azure CLI.

 

Now you can manage all your TLS certificates for APP Gateway through the Azure portal:

 

Key Features include:

• Quick listing
• Certificate information
• Bulk Operations

Resources:

• Simplified management of Listeners TLS certificates

Public preview: Private subnet

Now customers will be able to create custom private subnets in Azure for their resources.

 

Currently, when virtual machines are created in a virtual network without any explicit outbound connectivity, they are assigned a default outbound public IP address.  These implicit IPs are subject to change, not associated with a subscription, difficult to troubleshoot, and do not follow Azure's model of "secure by default" which ensures customers have strong security without additional steps needed.  (The depreciation for this type of implicit connectivity was recently announced and is scheduled for September 2025.)

 

The private subnet feature will let you prevent this insecure implicit connectivity for any newly created subnets by setting the "default outbound access" parameter to false.  You can then pick your preferred method for explicit outbound connectivity to the internet.

 

How to implement and turn off default outbound?

 

• Utilize Private Subnet parameter
• Add the Private subnet feature at creation
• Add an explicit outbound connectivity method
• NAT Gateway
• Standard LB
• Standar Public IP
• Use Flexible orchestration mode for Virtual Machine Scale sets

 

Resources:

• Default outbound access in Azure
• How can I transition to an explicit method of public connectivity (and disable default outbound acce...

 

That’s it for this month.   Happy 2024!  (it's January...  I can still say that.  Right?!?)

 

Cheers

 

Pierre