Merge pull request #273588 from halkazwini/fd-data

AFD sensitive data protection

Author: v-dirichards

articles/frontdoor/TOC.yml

@@ -154,6 +154,8 @@
           href: front-door-url-rewrite.md?pivots=front-door-standard-premium
         - name: URL redirect
           href: front-door-url-redirect.md?pivots=front-door-standard-premium
+      - name: Sensitive data protection
+        href: standard-premium/sensitive-data-protection.md
       - name: Understand billing
         href: billing.md
       - name: Price comparison between tiers
@@ -290,6 +292,8 @@
             href: standard-premium/how-to-cache-purge-powershell.md
           - name: Azure CLI
             href: standard-premium/how-to-cache-purge-cli.md
+        - name: Protect sensitive data
+          href: standard-premium/how-to-protect-sensitive-data.md
         - name: Compression
           href: standard-premium/how-to-compression.md
         - name: Blue/Green deployment with Front Door

articles/frontdoor/media/how-to-protect-sensitive-data/log-scrubbing-disabled.png

@@ -0,0 +1,48 @@
+---
+title: Protect sensitive data in Azure Front Door logs
+description: Learn how to protect sensitive data in Azure Front Door logs by using the log scrubbing tool.
+author: halkazwini
+ms.author: halkazwini
+ms.service: frontdoor
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 04/30/2024
+
+#CustomerIntent: As an Azure administrator, I want to use the log scrubbing tool so that I can protect sensitive data in Azure Front Door logs.
+---
+
+# Protect sensitive data in Azure Front Door logs
+
+In this article, you learn how to use the log scrubbing tool to protect sensitive data in Azure Front Door logs. For more information about sensitive data protection in Azure Front Door, see [Azure Front Door sensitive data protection](sensitive-data-protection.md).
+
+## Prerequisites
+
+Before you can use the log scrubbing tool, you must have an Azure Front Door Standard or Premium tier profile. For more information, see [Create an Azure Front Door profile](../create-front-door-portal.md).
+
+## Enable log scrubbing to protect sensitive data
+
+
+1. Go to the Azure Front Door Standard or Premium profile.
+
+1. Under **Settings**, select **Configuration**. 
+
+1. Under **Scrub sensitive data from access logs**, select **Manage log scrubbing**. 
+
+   :::image type="content" source="../media/how-to-protect-sensitive-data/log-scrubbing-disabled.png" alt-text="Screenshot that shows log scrubbing is disabled.":::
+
+1. In **Manage log scrubbing**, select **Enable access log scrubbing** to enable scrubbing. 
+
+1. Select the log fields that you want to scrub, then select **Save**.
+
+   :::image type="content" source="../media/how-to-protect-sensitive-data/manage-log-scrubbing.png" alt-text="Screenshot that shows log scrubbing fields.":::
+
+1. In the **Configuration** page, you can now see that log scrubbing became **Enabled**.
+
+   :::image type="content" source="../media/how-to-protect-sensitive-data/log-scrubbing-enabled.png" alt-text="Screenshot that shows log scrubbing is enabled.":::
+
+To verify your sensitive data protection rules, open the Azure Front Door log and search for `****` in place of the sensitive fields.
+
+## Related content
+
+- [Learn about Azure Front Door sensitive data protection](../create-front-door-portal.md).
+- [Learn how to create an Azure Front Door profile](sensitive-data-protection.md).
+- [Learn how to migrate Azure Front Door (classic) to Standard/Premium tier](../migrate-tier.md).

articles/frontdoor/media/how-to-protect-sensitive-data/log-scrubbing-enabled.png

@@ -0,0 +1,39 @@
+---
+title: Azure Front Door sensitive data protection
+description: Learn about sensitive data protection for logs in Azure Front Door.
+author: halkazwini
+ms.author: halkazwini
+ms.service: frontdoor
+ms.topic: concept-article #Required; leave this attribute/value as-is.
+ms.date: 04/30/2024
+
+#CustomerIntent: As an Azure administrator, I want to learn about Azure Front Door scrubbing tool so that I can use it to protect sensitive data in Azure Front Door. logs.
+---
+
+# Azure Front Door sensitive data protection
+
+The Azure Front Door log scrubbing tool helps you remove sensitive data (for example, personal identifiable information) from your Azure Front Door logs. It works by enabling log scrubbing at Azure Front Door Standard or Premium profile level and selecting the log fields to be scrubbed. Once enabled, the tool scrubs that information from your logs generated under this profile and replaces it with `****`. 
+
+Log scrubbing is only supported on Azure Front Door Standard and Premium. If you're using Azure Front Door classic, migrate to Azure Front Door standard or premium to use log scrubbing. For more information, see [About Azure Front Door (classic) to Standard/Premium tier migration](..\tier-migration.md).
+
+## Default log behavior
+
+When Azure Front Door serves a request, Azure Front Door logs the details of the request in clear text. Sensitive data might be included in the request URI (such as passwords), and client IP and socket IP are logged. This data is viewable by anyone with access to the Azure Front Door access logs. To protect customer data, you can set up log scrubbing rules targeting this sensitive data for protection.
+
+## Scrubbing fields
+
+The following fields can be scrubbed from the logs:
+
+| Information | Description | Samples after enablement |
+| --- | --- | --- |
+| Request URI | RequestUri, OriginUrl | `****` |
+| Request IP address | ClientIp, SocketIp | `****` |
+| Query string | Querystring in RequestUri and OriginUrl  | `https://contoso.com/bar/temp.txt?20240423&q=****&foo=****` |
+
+> [!NOTE]
+> When you enable log scrubbing feature, Microsoft still retains IP addresses in its internal logs to support critical security features.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Protect sensitive data in Azure Front Door logs](how-to-protect-sensitive-data.md)