How to limit Azure Front Door Cipher Suites Manually?

Question

Hi,

Right now there is a preview feature for Min TLS Cipher Suite on app Services and I know that we have a premium feature for End-to-end TLS with Azure Front Door.

We are using Azure Front Door for our Static Website and we have the Premium tier selected.

There is an issue with one of our Pen Tests which we need to limit the Front Door Cipher suites even more.

When we set the TLS to 1.2 we still have the Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 in the list which based on our PenTest Results, they should be removed since they considered medium Security level.

Is there any possibility for a feature to have same functionality of Min TLS on AppServices in Azure Front Door?

Any API Calls or Cli configuration would also be fine for us, as far as the possiblity to select the minimum Cipher Suites manually for Azure Front Door.

Or is there any CDN possiblity in Azure which we can use to give us the flexibility to select the Cipher suites?

Best,

Aidin Azimi

AppsFactory GmbH

Answer 1

@Aidin Azimi , @James Tewes Admin

Thank you for reaching out and apologies for the delay here.

Currently disabling specific ciphers is not supported for Azure Front Door. The team is actively working on this feature, and it will be rolled out soon. The current target is to release this as preview feature by 4th quarter 2023. I will update this thread if there is any change in the timeline.

Hope this helps! Please let me know if you have any additional questions.

Thank you!

---

​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Any update on this feature? 2023 has now past and we are in the same position of having pen tests flag weak ciphers which we must remediate. Thanks.

Answer 3

Hello Aidin Azimi,

Currently, Azure Front Door does not provide a built-in feature to manually limit the cipher suites. However, you can achieve this by using Azure Application Gateway in combination with Azure Front Door.

Here's an approach you can follow:

Set up Azure Application Gateway: Deploy an Azure Application Gateway in front of your Azure Front Door. Azure Application Gateway provides more granular control over the cipher suites and TLS settings.

Configure Cipher Suites on Azure Application Gateway: Configure the cipher suites on the Azure Application Gateway to include only the desired ones, excluding TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. You can use the PowerShell or Azure CLI to configure the Application Gateway with the desired cipher suites.

Route Traffic to Azure Front Door: Configure the Azure Application Gateway to route the traffic to your Azure Front Door backend. This way, all incoming requests will pass through the Application Gateway before reaching Azure Front Door.

By using this setup, you can have more control over the cipher suites and TLS settings by configuring them on the Azure Application Gateway. This gives you the flexibility to limit the cipher suites based on your specific security requirements.

Alternatively, if you are looking for CDN options in Azure, you can consider using Azure CDN. Azure CDN also provides features like TLS termination and allows you to configure the supported cipher suites. You can configure Azure CDN to front your static website and apply the desired cipher suite settings.

Please note that both Azure Application Gateway and Azure CDN have their own pricing and considerations. Evaluate and choose the option that best fits your requirements and budget.

I hope this information helps you in achieving your desired cipher suite configuration for Azure Front Door. If you have any further questions, feel free to ask!

Answer 4

• It is the end of March 2024, and the solution for TLS Ciphers has NOT been seen. Makes me wonder if we need to look to move away from Front Door.