Merge pull request #296398 from halkazwini/afd-cipher

Custom TLS policy - cipher suites

Author: v-dirichards

articles/frontdoor/TOC.yml

@@ -193,6 +193,12 @@
     href: front-door-ddos.md
   - name: End-to-end TLS encryption
     href: end-to-end-tls.md
+  - name: TLS policy
+    items:
+    - name: Overview
+      href: standard-premium/tls-policy.md
+    - name: Configure TLS policy
+      href: standard-premium/tls-policy-configure.md
   - name: Set up managed identity
     href: managed-identity.md
   - name: Sensitive data protection

articles/frontdoor/media/tls-policy-configure/tls-policy-customize.png

@@ -0,0 +1,65 @@
+---
+title: Configure Azure Front Door TLS policy (preview)
+description: Learn how you can configure TLS policy to meet security requirements for your Front Door custom domains.
+author: halkazwini
+ms.author: halkazwini
+ms.service: azure-frontdoor
+ms.topic: how-to
+ms.date: 03/26/2025
+---
+
+# Configure TLS policy on a Front Door custom domain (preview)
+
+> [!IMPORTANT]
+> TLS policy is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+Azure Front Door Standard and Premium offer two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy per your own needs. If you use Azure Front Door (classic) and Microsoft CDN (classic), you'll continue to use the minimum TLS 1.2 version.
+
+- Azure Front Door offers several predefined TLS policies. You can configure your AFD with any of these policies to get the appropriate level of security. These predefined policies are configured keeping in mind the best practices and recommendations from the Microsoft Security team. We recommend that you use the newest TLS policies to ensure the best TLS security.
+
+- If a TLS policy needs to be configured for your own business and security requirements, you can use a Custom TLS policy. With a custom TLS policy, you have complete control over the minimum TLS protocol version to support, and the supported cipher suites.
+
+In this article, you learn how to configure TLS policy on a Front Door custom domain.
+
+## Prerequisites
+
+- A Front Door. For more information, see [Quickstart: Create a Front Door using the Azure portal](/azure/frontdoor/quickstart-create-front-door).
+
+- A custom domain. If you don't have a custom domain, you must first purchase one with a domain provider. For more information, see [Buy a custom domain name](/azure/app-service/manage-custom-dns-buy-domain).
+
+- If you're using Azure to host your [DNS domains](/azure/dns/dns-overview), you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](/azure/dns/dns-delegate-domain-azure-dns). Otherwise, if you're using a domain provider to handle your DNS domain, see [Create a CNAME DNS record](/azure/frontdoor/front-door-custom-domain).
+
+## Configure TLS policy
+
+1. Go to your Azure Front Door profile that you want to configure the TLS policy for.
+
+1. Under **Settings**, select **Domains** . Then select **+** **Add** to add a new domain.
+
+1. On the **Add a domain** page, follow the instructions in [Configure a custom domain on Azure Front Door](/azure/frontdoor/standard-premium/how-to-add-custom-domain) and [Configure HTTPS on an Azure Front Door custom domain](/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain) to configure the domain.
+
+1. For **TLS policy**, select the predefined policy from the dropdown list or **Custom** to customize the cipher suites per your needs.
+
+    :::image type="content" source="../media/tls-policy-configure/tls-policy.png" alt-text="Screenshot that shows the TLS policy option in Add a domain page." lightbox="../media/tls-policy-configure/tls-policy.png":::
+
+    You can view the supported cipher suites by selecting **View policy details**.
+
+    :::image type="content" source="../media/tls-policy-configure/tls-policy-details.png" alt-text="Screenshot that shows the TLS policy details." lightbox="../media/tls-policy-configure/tls-policy-details.png":::
+
+    When you select **Custom**, you can choose the Minimum TLS version and the corresponding cipher suites by selecting **Select cipher suites**.
+
+    :::image type="content" source="../media/tls-policy-configure/tls-policy-customize.png" alt-text="Screenshot that shows how to customize your TLS policy." lightbox="../media/tls-policy-configure/tls-policy-customize.png":::
+
+    > [!NOTE]
+    > You can reuse the custom TLS policy setting from other domains in the portal by selecting the domain in **Reuse setting from other domain**. 
+
+1. Select **Add** to add the domain.
+
+## Verify TLS policy configurations
+
+View the supported cipher suite of your domain via [www.ssllabs.com/ssltest](https://www.ssllabs.com/ssltest/) or use the sslscan tool.
+
+## Related content
+
+- [Azure Front Door TLS Policy (preview)](tls-policy.md)
+- [Add a custom domain on Azure Front Door](how-to-add-custom-domain.md)
+- [Configure HTTPS for your custom domain on Azure Front Door](how-to-configure-https-custom-domain.md)

articles/frontdoor/media/tls-policy-configure/tls-policy-details.png

@@ -0,0 +1,82 @@
+---
+title: Azure Front Door TLS policy (preview)
+description: Learn how custom TLS policies help you meet security requirements for your Azure Front Door custom domains.
+author: halkazwini
+ms.author: halkazwini
+ms.service: azure-frontdoor
+ms.topic: concept-article
+ms.date: 03/26/2025
+---
+
+# Azure Front Door TLS policy (preview)
+
+> [!IMPORTANT]
+> TLS policy is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+Azure Front Door supports [end-to-end TLS encryption](../end-to-end-tls.md). When you add a custom domain to Azure Front Door, HTTPS is required, and you need to define a TLS policy which includes control of the TLS protocol version and the cipher suites during a TLS handshake. 
+
+Azure Front Door supports two versions of the TLS protocol: TLS versions 1.2 and 1.3. Currently, Azure Front Door doesn't support client/mutual authentication (mTLS).
+
+> [!NOTE]
+> As of March 1, 2025, TLS 1.0 and 1.1 are disallowed on Azure Front Door. If you didn't disable TLS 1.0 and 1.1 on legacy settings before this date, they'll still work temporarily but will be disabled in April 2025.
+
+Azure Front Door Standard and Premium offer two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy per your own needs. If you use Azure Front Door (classic) and Microsoft CDN (classic), you'll continue to use the minimum TLS 1.2 version.
+
+- Azure Front Door offers several predefined TLS policies. You can configure your AFD with any of these policies to get the appropriate level of security. These predefined policies are configured keeping in mind the best practices and recommendations from the Microsoft Security team. We recommend that you use the newest TLS policies to ensure the best TLS security.
+- If a TLS policy needs to be configured for your own business and security requirements, you can use a Custom TLS policy. With a custom TLS policy, you have complete control over the minimum TLS protocol version to support, and the supported cipher suites.
+
+For a minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2. The client must support at least one of the supported ciphers to establish an HTTPS connection with Azure Front Door. Azure Front Door chooses a cipher in the listed order from the client-supported ciphers.
+
+When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.2, and TLS 1.3. 
+
+> [!NOTE]
+> Clients with TLS 1.3 enabled are required to support one of the Microsoft SDL compliant EC Curves, including Secp384r1, Secp256r1, and Secp521, in order to successfully make requests with Azure Front Door using TLS 1.3. It's recommended that clients use one of these curves as their preferred curve during requests to avoid increased TLS handshake latency, which may result from multiple round trips to negotiate the supported EC curve.
+
+## Predefined TLS policy
+
+Azure Front Door offers several predefined TLS policies. You can configure your AFD with any of these policies to get the appropriate level of security. The policy names are annotated by the minimum TLS versions and the year in which they were configured (TLSv1.2_2023>). Each policy offers different TLS protocol versions and/or cipher suites. These predefined policies are configured keeping in mind the best practices and recommendations from the Microsoft Security team. We recommend that you use the newest TLS policies to ensure the best TLS security.
+
+The following table shows the list of cipher suites and minimum protocol version support for each predefined policy. The ordering of the cipher suites determines the priority order during TLS negotiation.
+
+By default, TLSv1.2_2023 will be selected. TLSv1.2_2022 maps to the minimum TLS 1.2 version in previous design. Some might see a read-only TLSv1.0/1.1_2019 which maps to the minimum TLS 1.0/1.1 version in previous design, because they don't specifically switch to minimum TLS 1.2 version. The TLSv1.0/1.1_2019 policy for such will be removed and disabled in April 2025.
+
+| **OpenSSL** | **Cipher** **Suite** | **TLSv1.2_2023** | **TLSv1.2_2022** |
+|---|---|---|---|
+| **Minimum Protocol version** | | **1.2** | **1.2** |
+| **Supported Protocols** | | **1.3/1.2** | **1.3./1.2** |
+| **TLS_AES_256_GCM_SHA384** | TLS_AES_256_GCM_SHA384 | Yes | Yes |
+| **TLS_AES_128_GCM_SHA256** | TLS_AES_128_GCM_SHA256 | Yes | Yes |
+| **ECDHE-RSA-AES256-GCM-SHA384** | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Yes | Yes |
+| **ECDHE-RSA-AES128-GCM-SHA256** | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Yes | Yes | 
+| **DHE-RSA-AES256-GCM-SHA384** | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | | Yes | 
+| **DHE-RSA-AES128-GCM-SHA256** | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | | Yes | 
+| **ECDHE-RSA-AES256-SHA384** | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | Yes | 
+| **ECDHE-RSA-AES128-SHA256** | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | Yes | 
+
+## Custom TLS policy
+
+If a TLS policy needs to be configured for your requirements, you can use a Custom TLS policy. With a custom TLS policy, you have complete control over the minimum TLS protocol version to support, and the supported cipher suites and their priority order. 
+
+> [!NOTE]
+> TLS 1.3 is always enabled no matter what minimum version is enabled.
+
+### Cipher suites
+
+Azure Front Door supports the following cipher suites from which you can choose your custom policy. The ordering of the cipher suites determines the priority order during TLS negotiation.
+
+- TLS_AES_256_GCM_SHA384 (TLS 1.3 only)
+- TLS_AES_128_GCM_SHA256 (TLS 1.3 only)
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+
+> [!NOTE]
+> For Windows 10 and later versions, we recommend enabling one or both of the ECDHE_GCM cipher suites for better security. Windows 8.1, 8, and 7 aren't compatible with these ECDHE_GCM cipher suites. The ECDHE_CBC and DHE cipher suites have been provided for compatibility with those operating systems.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Configure TLS policy on Front Door](tls-policy-configure.md)