question

0 Votes
JaysonTruong-2030 asked awrowse commented

Azure Front Door SSL offload Isolated?

When using Azure Front Door SSL offload, it should take the SSL encryption / decryption load off my backend pool servers.

Since the traffic going from Azure Front Door to my backend pool servers will be using HTTP, which is NOT encrypted, is there a chance that somebody could observe or snoop on the traffic?

I am asking this in the context of PCI compliance.

Thanks in advance.

azure-front-door

0 Votes
SumanthMarigowda-MSFT answered SumanthMarigowda-MSFT edited

@JaysonTruong-2030 Thanks for raising this good question. Our security fundamentals docs cover a lot of this query; please refer to the articles mentioned below:
Double encryption is where two or more independent layers of encryption are enabled to protect against compromises of any one layer of encryption. Using two layers of encryption mitigates threats that come with encrypting data: https://docs.microsoft.com/en-us/azure/security/fundamentals/double-encryption
The Azure network architecture provides connectivity from the Internet to the Azure datacenters. Any workload deployed (IaaS, PaaS, and SaaS) on Azure is leveraging the Azure datacenter network: https://docs.microsoft.com/en-us/azure/security/fundamentals/infrastructure-network

Kindly let us know if the above helps or you need further assistance on this issue.


Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

0 Votes
JaysonTruong-2030 answered TahirKiani-1378 commented

Thank you for including the two articles.

Just so I am clear, the end user (website visitor in my case) uses HTTPS (SSL), which is terminated at Azure Front Door. Azure Front Door figures out where to route the traffic, re-encrypts it at the infrastructure layer, and decrypts it when it hits my virtual machine. If I terminate the HTTPS (SSL) at my virtual machine, it would be double encrypted. Since I want to use Azure Front Door SSL offloading to take the load off my virtual machine, my virtual machine will be communicating with the Azure Front Door backend over HTTP (unencrypted), but the data is still protected by the infrastructure layer encryption until it gets to my virtual machine.

Does that sound right to you?

The question is, is the infrastructure layer encryption strong enough to meet PCI compliance requirements?

Thanks in advance.


You should check with your security compliance team and provide them the details about our infrastructure security so that they can do their check to make sure that their compliance requirements are fulfilled.

0 Votes

0 Votes
TahirKiani-1378 answered TahirKiani-1378 edited

As you know, when you do SSL offloading on any device, in this case AFD (Azure Front Door), the traffic is no longer under the protection of SSL and is more like plain text. Moving the traffic from AFD to the backend pool, which in this case is AppGateway (when you have SSL offloading configured in AFD), then means you are moving traffic unprotected. Microsoft protects this traffic as well; please see this link - https://docs.microsoft.com/en-us/azure/security/fundamentals/double-encryption#data-in-transit . For your extra layer of security, you should integrate AFD with Application Gateway with end-to-end SSL encryption.


NOTE - Azure Front Door is a globally distributed multi-tenant service. So, the infrastructure for Front Door is shared across all its customers. For more details, see this link https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq.


INFO - For data in transit between cloud services and you, or whenever Azure customer traffic moves between datacenters, the packets are encrypted and decrypted on the devices before being sent, preventing physical "man-in-the-middle" or snooping/wiretapping attacks. Because this technology is integrated on the network hardware itself, it provides line-rate encryption on the network hardware with no measurable link latency increase. For more information about it, please visit this link https://docs.microsoft.com/en-us/azure/security/fundamentals/double-encryption#data-in-transit


If you have a security-sensitive environment, then you should do all the required security checks to fulfill security industry compliance before implementing your deployment into production.

1 Vote
MichaelSchroeder answered awrowse commented

Wow, you asked such a straight-forward question. Too bad nobody gave a straight-forward answer. Hopefully you figured this out already, but I'm adding an answer for anybody who comes behind.

You are correct that if you use SSL offloading, traffic between Front Door and the back-end site will not be encrypted. You are also correct to suspect this is not PCI compliant. IF a bad actor manages to get into the "public side" Azure backbone, they will have direct access to information being transmitted. This backbone, while secure, is public by definition, and thus cannot be "secure enough" for unencrypted PCI-protected data. Further, Microsoft employees with sufficient admin privilege will be able to access the information. Not saying they would (and I'm sure they wouldn't), but a zero trust model dictates we consider them a threat. You have no audit trail available if a Microsoft employee does access the information, even for legitimate purposes such as back-end network troubleshooting. Again, a potential problem for PCI compliance.

Based on my understanding of PCI, if you use the SSL offload feature of Front Door, your site will not be PCI compliant.

From a security perspective, putting aside the compliance question, sensitive information should be encrypted end-to-end.
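The two answers above (TahirKiani-1378's recommendation of end-to-end SSL between AFD and Application Gateway, and MichaelSchroeder's point that offloaded traffic is plain text on the Front Door-to-backend leg) both come down to one configurable setting: the forwarding protocol on each routing rule. The following audit script is an added example, not code from this thread or from Microsoft; it assumes the JSON shape of a Front Door (classic) `Microsoft.Network/frontDoors` resource as exported from the portal or ARM (`properties.routingRules[].properties.routeConfiguration.forwardingProtocol` with values `HttpOnly`, `HttpsOnly` or `MatchRequest`, and `acceptedProtocols` listing `Http`/`Https`), and the sample document embedded in it is constructed for the demo. It flags every rule that would send traffic to the backend unencrypted, which is the check a compliance reviewer would want before signing off an SSL-offload design.

```python
"""Audit an exported Azure Front Door (classic) resource for routing rules that
forward traffic to the backend over plain HTTP.

Added example, not code from the Q&A thread or from Microsoft. The document
shape (routingRules / routeConfiguration / forwardingProtocol) is assumed from
the Microsoft.Network/frontDoors ARM resource; the sample below is constructed.
"""
import json

FORWARDING_TYPE = "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration"
REDIRECT_TYPE = "#Microsoft.Azure.FrontDoor.Models.FrontdoorRedirectConfiguration"

# Constructed sample: one SSL-offload rule, one "match the client" rule that still
# accepts HTTP, one end-to-end TLS rule, and one redirect rule (never forwards).
SAMPLE_FRONTDOOR = json.dumps({
    "name": "example-frontdoor",            # placeholder resource name
    "properties": {
        "routingRules": [
            {"name": "offload-rule", "properties": {
                "acceptedProtocols": ["Https"],
                "routeConfiguration": {"@odata.type": FORWARDING_TYPE,
                                       "forwardingProtocol": "HttpOnly"}}},
            {"name": "match-rule", "properties": {
                "acceptedProtocols": ["Http", "Https"],
                "routeConfiguration": {"@odata.type": FORWARDING_TYPE,
                                       "forwardingProtocol": "MatchRequest"}}},
            {"name": "e2e-rule", "properties": {
                "acceptedProtocols": ["Https"],
                "routeConfiguration": {"@odata.type": FORWARDING_TYPE,
                                       "forwardingProtocol": "HttpsOnly"}}},
            {"name": "redirect-rule", "properties": {
                "acceptedProtocols": ["Http"],
                "routeConfiguration": {"@odata.type": REDIRECT_TYPE,
                                       "redirectProtocol": "HttpsOnly"}}},
        ]
    },
})


def audit_routing_rules(frontdoor_json: str) -> list[dict]:
    """Return one finding per routing rule whose backend leg can be plain HTTP.

    severity "high":   forwardingProtocol is HttpOnly (always cleartext to backend)
    severity "medium": MatchRequest while the rule also accepts HTTP from clients,
                       so an HTTP client request is forwarded as HTTP as well.
    Rules that forward HttpsOnly, or MatchRequest with Https-only listeners,
    and redirect rules (which never reach a backend) produce no finding.
    """
    doc = json.loads(frontdoor_json)
    findings = []
    for rule in doc.get("properties", {}).get("routingRules", []):
        props = rule.get("properties", {})
        route = props.get("routeConfiguration", {})
        if route.get("@odata.type") != FORWARDING_TYPE:
            continue  # redirect configuration: nothing is forwarded to a backend
        protocol = route.get("forwardingProtocol", "MatchRequest")
        accepted = set(props.get("acceptedProtocols", ["Http", "Https"]))
        if protocol == "HttpOnly":
            findings.append({"rule": rule["name"], "severity": "high",
                             "reason": "forwards to backend over HTTP (SSL offload)"})
        elif protocol == "MatchRequest" and "Http" in accepted:
            findings.append({"rule": rule["name"], "severity": "medium",
                             "reason": "HTTP client requests are forwarded as HTTP"})
    return findings


def is_end_to_end_tls(frontdoor_json: str) -> bool:
    """True only when no routing rule can carry traffic to a backend unencrypted."""
    return not audit_routing_rules(frontdoor_json)


if __name__ == "__main__":
    for f in audit_routing_rules(SAMPLE_FRONTDOOR):
        print(f"[{f['severity']}] {f['rule']}: {f['reason']}")
    print("end-to-end TLS:", is_end_to_end_tls(SAMPLE_FRONTDOOR))
```

Run it against a real export with `audit_routing_rules(open("frontdoor.json").read())`. The `MatchRequest` case is the one that is easy to overlook: it only gives end-to-end TLS when the rule's listeners are HTTPS-only, so the audit treats the combination of `MatchRequest` and an `Http` listener as a finding rather than trusting the protocol name alone.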
