Azure Networking is the foundation of your infrastructure in Azure. Each month we bring you an update on What's new in Azure Networking.
In this blog post, we'll cover what's new with Azure Networking in September 2023. In this blog post, we will cover the following announcements and how they can help you.
- Gateway Load Balancer IPv6 Support
- Sensitive Data Protection for Application Gateway Web Application Firewall
- Domain fronting update on Azure Front Door and Azure CDN
- New Monitoring and Logging Updates in Azure Firewall
The Azure Gateway Load Balancer now supports IPv6 traffic, enabling you to distribute IPv6 traffic through Gateway Load Balancer before it reaches your dual-stack applications. Gateway Load Balancer allows you to easily deploy, scale, and manage Network Virtual Appliances (NVAs).
You can insert appliances transparently for different kinds of scenarios such as:
- Advanced packet analytics
- Intrusion detection and prevention systems
- Traffic mirroring
- DDoS protection
- Custom appliances
With this support, you can now add IPv6 frontend IP addresses and backend pools to Gateway Load Balancer. This allows you to inspect, protect, or mirror both IPv4 and IPv6 traffic flows using third-party or custom network virtual appliances (NVAs).
Both internet inbound and outbound IPv6 traffic flows can now be routed through Gateway Load Balancer.
Normally, when a WAF rule is triggered, the WAF logs the details of the request in clear text. If the portion of the request triggering the WAF rule contains sensitive data (such as customer passwords or IP addresses), that sensitive data is viewable by anyone with access to the WAF logs.
To protect customer data, you can set up Log Scrubbing rules targeting this sensitive data for protection.
The Web Application Firewall's (WAF's) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive data. Once identified, the tool scrubs that information from your logs and replaces it with *******.
Sensitive data protection using log scrubbing supports the creation of rules using the following variables:
- Request Header Names
- Request Cookie Names
- Request Arg Names
- Request Post Arg Names
- Request JSON Arg Names
- Request IP Address
Domain fronting update on Azure Front Door and Azure CDN
As part of Microsoft's commitment to secure our approach to domain fronting within Azure, Azure Front Door (including classic) and Azure CDN Standard from Microsoft (classic) have blocked domain fronting for newly created resources since November 2022.
Domain fronting is a technique that allows an attacker to hide the true destination of a malicious request by using a different domain name in the TLS handshake and the HTTP host header. Once domain fronting gets blocked, Azure Front Door and Azure CDN Standard from Microsoft (classic) resources block any HTTP/HTTPS requests that exhibit this behavior.
Based on customer feedback and security considerations, Azure Front Door and Azure CDN Standard have revised the domain fronting blocking restrictions.
- Starting from September 25, 2023:
- We have updated the domain fronting blocking restrictions based on feedback from customers. Instead of blocking a request when the SNI and host headers don't match, we allow the mismatch as long as the two domains are added to the same subscription. You can use multiple domains for your applications without affecting the functionality, which Azure Front Door enables.
- Starting from November 8, 2023:
- We'll enforce domain fronting blocking on all existing domains.
New Monitoring and Logging Updates in Azure Firewall
New logging format that provides a more detailed view of firewall events. Azure Firewall's structured logs provide a more detailed view of firewall events. They include information such as source and destination IP addresses, protocols, port numbers, and action taken by the firewall. They also include more metadata, such as the time of the event and the name of the Azure Firewall instance.
Currently, the following diagnostic log categories are available for Azure Firewall:
- Application rule log
- Network rule log
- DNS proxy log
With structured logs, you're able to choose to use Resource Specific Tables instead of the existing AzureDiagnostics table. In case both sets of logs are required, at least two diagnostic settings need to be created per firewall.
Structured Logs are easier to work with data in log queries and help discover schemas; they improve performance and reduce latency and they allow ability to grant Azure RBAC rights on specific tables.
Latency Probe metric is designed to measure the overall latency of Azure Firewall and provide insight into the health of the service.
That's it fop this month.