|
| 1 | +--- |
| 2 | +title: 'End-to-end TLS with Azure Front Door' |
| 3 | +description: Learn about end-to-end TLS encryption when using Azure Front Door. |
| 4 | +services: frontdoor |
| 5 | +author: duongau |
| 6 | +ms.service: frontdoor |
| 7 | +ms.topic: article |
| 8 | +ms.workload: infrastructure-services |
| 9 | +ms.date: 11/02/2021 |
| 10 | +ms.author: duau |
| 11 | +--- |
| 12 | + |
| 13 | +# End-to-end TLS with Azure Front Door |
| 14 | + |
| 15 | +Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the web browser remain private and encrypted. |
| 16 | + |
| 17 | +To meet your security or compliance requirements, Azure Front Door (AFD) supports end-to-end TLS encryption. Front Door TLS/SSL offload terminates the TLS connection, decrypts the traffic at the Azure Front Door, and re-encrypts the traffic before forwarding it to the backend. Since connections to the backend happen over the public IP. It's highly recommended you configure HTTPS as the forwarding protocol on your Azure Front Door to enforce end-to-end TLS encryption from the client to the backend. |
| 18 | + |
| 19 | +## End-to-end TLS encryption |
| 20 | + |
| 21 | +End-to-end TLS allows you to secure sensitive data while in transit to the backend while benefiting from Azure Front Door features like global load balancing and caching. Some of the features also include URL-based routing, TCP split, caching on edge location closest to the clients, and customizing HTTP requests at the edge. |
| 22 | + |
| 23 | +Azure Front Door offloads the TLS sessions at the edge and decrypts client requests. It then applies the configured routing rules to route the requests to the appropriate backend in the backend pool. Azure Front Door then starts a new TLS connection to the backend and re-encrypts all data using the backend’s certificate before transmitting the request to the backend. Any response from the backend is encrypted through the same process back to the end user. You can configure your Azure Front Door to use HTTPS as the forwarding protocol to enable end-to-end TLS. |
| 24 | + |
| 25 | +## Supported TLS versions |
| 26 | + |
| 27 | +Azure Front Door supports three versions of the TLS protocol: TLS versions 1.0, 1.1, and 1.2. All Azure Front Door profiles created after September 2019 use TLS 1.2 as the default minimum, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. |
| 28 | + |
| 29 | +Although Azure Front Door supports TLS 1.2, which introduced client/mutual authentication in RFC 5246, currently, Azure Front Door doesn't support client/mutual authentication. |
| 30 | + |
| 31 | +You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or the [Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). Currently, you can choose between 1.0 and 1.2. As such, specifying TLS 1.2 as the minimum version controls the minimum acceptable TLS version Azure Front Door will accept from a client. When Azure Front Door initiates TLS traffic to the backend, it will attempt to negotiate the best TLS version that the backend can reliably and consistently accept. |
| 32 | + |
| 33 | +## Supported certificates |
| 34 | + |
| 35 | +When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed Certificate Authority (CA) that is part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If you use a non-allowed CA, your request will be rejected. |
| 36 | + |
| 37 | +Certificates from internal CAs or self-signed certificates aren't allowed. |
| 38 | + |
| 39 | +## Online Certificate Status Protocol (OCSP) stapling |
| 40 | + |
| 41 | +OSCP stapling is supported by default in Azure Front Door and no configuration is required. |
| 42 | + |
| 43 | +## Backend TLS connection (Azure Front Door to backend) |
| 44 | + |
| 45 | +For HTTPS connections, Azure Front Door expects that your backend presents a certificate from a valid Certificate Authority (CA) with subject name(s) matching the backend *hostname*. As an example, if your backend hostname is set to `myapp-centralus.contosonews.net` and the certificate that your backend presents during the TLS handshake doesn't have `myapp-centralus.contosonews.net` or `*.contosonews.net` in the subject name, then Azure Front Door will refuse the connection and as a result an error. |
| 46 | + |
| 47 | +> [!NOTE] |
| 48 | +> The certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If a certificate without complete chain is presented, the requests which involve that certificate are not guaranteed to work as expected. |
| 49 | +
|
| 50 | +From a security standpoint, Microsoft doesn't recommend disabling certificate subject name check. In certain use cases such as for testing, for example, your origin must use a self-signed certificate. As a work-around to resolve failing HTTPS connection, can you disable certificate subject name check for your Azure Front Door. The option to disable is present under the Azure Front Door settings in the Azure portal and on the BackendPoolsSettings in the Azure Front Door API. |
| 51 | + |
| 52 | +To enable the HTTPS protocol for secure delivery of contents on an Azure Front Door custom domain, you can choose to use a certificate that is managed by Azure Front Door or use your own certificate. |
| 53 | + |
| 54 | +* Azure Front Door managed certificate provides a standard TLS/SSL certificate via DigiCert and is stored in Azure Front Door's Key Vault. |
| 55 | + |
| 56 | +* If you choose to use your own certificate, you can onboard a certificate from a supported CA that can be a standard TLS, extended validation certificate, or even a wildcard certificate. |
| 57 | + |
| 58 | +* Self-signed certificates aren't supported. Learn [how to enable HTTPS for a custom domain](front-door-custom-domain-https.md). |
| 59 | + |
| 60 | +For Azure Front Door managed certificates, the certificates are managed and autorotate within 90 days of expiry time by Azure Front Door. If you're using an Azure Front Door managed certificate and see that the certificate expiry date is less than 60 days away, file a support ticket. |
| 61 | + |
| 62 | +For your own custom TLS/SSL certificate: |
| 63 | + |
| 64 | +1. You set the secret version to 'Latest' for the certificate to be automatically rotated to the latest version when a newer version of the certificate is available in your key vault. For custom certificates, the certificate gets autorotated within 1-2 days with a newer version of certificate, no matter what the certificate expired time is. |
| 65 | + |
| 66 | +1. If a specific version is selected, autorotation isn’t supported. You've will have to reselect the new version manually to rotate certificate. It takes up to 24 hours for the new version of the certificate/secret to be deployed. |
| 67 | + |
| 68 | + You'll need to ensure that the service principal for Front Door has access to the key vault. Refer to how to grant access to your key vault. The updated certificate rollout operation by Azure Front Door won't cause any production down time provided the subject name or subject alternate name (SAN) for the certificate didn't changed. |
| 69 | + |
| 70 | +## Supported cipher suites |
| 71 | + |
| 72 | +### For TLS1.2 the following cipher suites are supported: |
| 73 | + |
| 74 | +* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| 75 | +* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| 76 | +* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| 77 | +* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| 78 | + |
| 79 | +> [!NOTE] |
| 80 | +> For Windows 10 and later versions, we recommend enabling one or both of the ECDHE cipher suites for better security. Windows 8.1, 8, and 7 aren't compatible with these ECDHE cipher suites. The DHE cipher suites have been provided for compatibility with those operating systems. |
| 81 | +
|
| 82 | +### Using custom domains with TLS1.0/1.1 enabled the following cipher suites are supported: |
| 83 | + |
| 84 | +* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| 85 | +* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| 86 | +* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| 87 | +* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| 88 | +* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| 89 | +* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| 90 | +* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| 91 | +* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| 92 | +* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 93 | +* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| 94 | +* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 95 | +* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 96 | +* TLS_RSA_WITH_AES_256_GCM_SHA384 |
| 97 | +* TLS_RSA_WITH_AES_128_GCM_SHA256 |
| 98 | +* TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 99 | +* TLS_RSA_WITH_AES_128_CBC_SHA256 |
| 100 | +* TLS_RSA_WITH_AES_256_CBC_SHA |
| 101 | +* TLS_RSA_WITH_AES_128_CBC_SHA |
| 102 | +* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| 103 | +* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| 104 | + |
| 105 | +## Next steps |
| 106 | + |
| 107 | +* [Configure a custom domain](front-door-custom-domain.md) for Azure Front Door. |
| 108 | +* [Enable HTTPS for a custom domain](front-door-custom-domain-https.md). |
0 commit comments