Microsoft has announced an urgent update to the distribution of .NET installers and archives, citing the impending shutdown of its CDN provider, Edgio, due to bankruptcy. The shift involves transitioning key .NET delivery domains, potentially impacting developers, CI/CD pipelines and production environments relying on specific URLs. Microsoft advises users to check for dependencies on old domains to avoid downtime or, more critically, supply chain vulnerabilities.
Edgio, which managed several Microsoft-hosted domains ending in azureedge.net, is ceasing operations. The affected domains include:
- dotnetcli.azureedge.net
- dotnetbuilds.azureedge.net
These domains have been used to distribute official, and CI .NET builds. The move to new CDNs, builds.dotnet.microsoft.com and ci.dot.net, ensures continued access to .NET resources while improving security, reliability, and performance. However, organizations relying on the old domains must update their configurations to avoid disruptions or potential security risks.
Supply chain risk and impact
The migration raises a significant cybersecurity concern. If the soon-to-be-retired azureedge.net domains are hijacked after deprecation, malicious actors could exploit them for supply chain attacks. Such attacks could distribute tampered .NET installers, compromising CI pipelines or production systems. Microsoft's assurance that “no other party will ever have access to use these domains” mitigates some concerns, but developers must act swiftly to update URLs and scripts.
The changes primarily affect organizations and developers, who depend on the retiring domains. Specific scenarios include:
- Enterprises with custom installation scripts or Dockerfiles referencing azureedge.net.
- Teams using GitHub Actions, Azure DevOps, or Azure DevOps Server for automated .NET builds.
- Environments with strict firewall rules may require adjustments to allow traffic to the new CDNs.
Microsoft notes that most users leveraging official GitHub and Azure DevOps tasks should experience minimal disruption as updates are rolled out. However, those using custom workflows or legacy environments need to manually verify their configurations.
To ensure uninterrupted access to .NET builds and safeguard against potential security issues, Microsoft recommends the following actions:
Audit dependencies:
- Search codebases, scripts, and configurations for references to azureedge.net and dotnetcli.blob.core.windows.net.
- Update URLs to the new domains: dotnetcli.azureedge.net → builds.dotnet.microsoft.com and dotnetcli.blob.core.windows.net → builds.dotnet.microsoft.com
Update installation scripts:
- Replace locally cached or outdated .NET installation scripts with the latest versions from the official repository.
Upgrade CI/CD tools:
- Ensure GitHub Actions (actions/setup-dotnet) and Azure DevOps tasks are updated to versions supporting the new domains. Updates for Azure DevOps Server are expected in early 2025.
Check firewall rules:
- Adjust firewall settings to permit access to builds.dotnet.microsoft.com and ci.dot.net.
Microsoft's reliance on third-party CDNs like Edgio reflects the scale and performance demands of global software distribution. By leveraging specialized providers, Microsoft ensures faster downloads, reduced latency, and a distributed infrastructure resilient to regional outages. However, the unexpected collapse of Edgio underscores the risks of such dependencies, especially for critical software ecosystems like .NET.
AT&T and Verizon Declare Networks Secure After Salt Typhoon Attacks
Leave a Reply