Azure Front Door SSL offload Isolated?

Jayson Truong 21 Reputation points
2020-11-05T03:09:25.733+00:00

When using Azure Front Door SSL offload, it should take the SSL encryption / decryption load off my backend pool servers.

Since the traffic going from Azure Front Door to my backend pool servers will be using HTTP which is NOT encrypted, is there a chance that somebody observe or snoop the traffic?

I am asking this in the context of PCI compliance.

Thanks in advance.

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
582 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. MichaelSchroeder 26 Reputation points
    2021-06-29T19:04:52.773+00:00

    Wow, you asked such a straight-forward question. Too bad nobody gave a straight-forward answer. Hopefully you figured this out already, but I'm adding an answer for anybody who comes behind.

    You are correct that if you use SSL offloading, traffic between Front Door and the back-end site will not be encrypted. You are also correct to suspect this is not PCI compliant. IF a bad actor manages to get into the "public side" Azure backbone, they will have direct access to information being transmitted. This backbone, while secure, is public by definition -- thus can not be "secure enough" for unencrypted PCI protected data. Further, Microsoft employees with sufficient admin privilege will be able to access the information. Not saying they would (and I'm sure they wouldn't), but a zero trust model dictates we consider them a threat. You have no audit trail available if a Microsoft employee does access the information even for legitimate purposes, such as back-end network troubleshooting. Again, a potential problem for PCI compliance.

    Based on my understanding of PCI, if you use the SSL offload feature of Front Door, your site will not be PCI compliant.

    From a security perspective, putting aside the compliance question, sensitive information should be encrypted end-to-end.

    2 people found this answer helpful.
    0 comments
  2. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2020-11-05T17:09:20.013+00:00

    @Jayson Truong Thanks for raising this good question. Our security fundamentals doc covers a lot of this query, please refer to the below mentioned articles:
    Double encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data. : https://learn.microsoft.com/en-us/azure/security/fundamentals/double-encryption
    The Azure network architecture provides connectivity from the Internet to the Azure datacenters. Any workload deployed (IaaS, PaaS, and SaaS) on Azure is leveraging the Azure datacenter network. : https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure-network

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments
  3. Jayson Truong 21 Reputation points
    2020-11-06T10:43:35.267+00:00

    Thank you for including the two articles.

    Just so I am clear, the end user (website visitor in my case), uses HTTPS (SSL) which is terminated at Azure Front Door. Azure Front Door figures out where to route the traffic and re-encrypts it at infrastructure layer and de-decrypts it when it hits my virtual machine. If I terminate the HTTPS (SSL) at my virtual machine, it would be double encrypted. Since I want to use Azure Front Door SSL-Offloading take the load off my virtual machine, my virtual machine will be communicating with Azure Front Door backend over HTTP (unencrypted), the data is still protected by the infrastructure layer encryption until it gets to my virtual machine.

    Does that sound right to you?

    The question is, is the infrastructure layer encryption strong enough to meet PCI compliance requirements?

    Thanks in advance.

  4. Tahir Kiani 1 Reputation point Microsoft Employee
    2021-02-15T18:40:45.787+00:00

    As you know that when you do the SSL Offloading on any device; in this case it is AFD (Azure Front Door), then traffic is no more under the protection of SSL and is more like plain-text. To move the traffic from AFD to backend pool which in this case is AppGateway (when you have SSL-Offloading configured in AFD), then it means you are moving traffic un-protected. Microsoft protects this traffic as well, please see this link - https://learn.microsoft.com/en-us/azure/security/fundamentals/double-encryption#data-in-transit . For your extra layer of security, you should integrate AFD with Application Gateway with end-to-end SSL encryption.

    NOTE - Azure Front Door is a globally distributed multi-tenant service. So, the infrastructure for Front Door is shared across all its customers. For more details, see this link https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq.

    INFO - For data in-transit b/w cloud services and you or whenever Azure Customer traffic moves between datacenters, the packets are encrypted and decrypted on the devices before being sent, preventing physical “man-in-the-middle” or snooping/wiretapping attacks. Because this technology is integrated on the network hardware itself, it provides line rate encryption on the network hardware with no measurable link latency increase. For more information about it, please visit this link https://learn.microsoft.com/en-us/azure/security/fundamentals/double-encryption#data-in-transit

    If you have a security sensitive environment, then you should do all the required security check to fulfill security industry compliance before implementing your deployment into production.

    0 comments