Description
What's changing:
We are updating the .NET download infrastructure to align with Microsoft's security best practices by removing anonymous public access to the dotnetcli storage account.
Background:
The dotnetcli storage account and its dotnet container serve as the origin for the official .NET CDN (builds.dotnet.microsoft.com). Before the .NET CDN was made available, .NET releases could be downloaded by directly accessing the storage account, for example:
https://dotnetcli.blob.core.windows.net/dotnet/Sdk/10.0.102/dotnet-sdk-10.0.102-win-x64.exe
This anonymous public access pattern is no longer aligned with Microsoft's secure access initiatives and will be discontinued.
Action required:
- If you're using builds.dotnet.microsoft.com: No action needed. This change will be transparent to you.
- If you're accessing dotnetcli.blob.core.windows.net directly: Update your configuration to use builds.dotnet.microsoft.com.
Unsupported configurations:
Accessing .NET downloads by bypassing the official CDN endpoint — for example, through hosts file overrides, custom DNS resolution, or direct IP access — is not supported and is outside the scope of any Microsoft support commitment. These methods may stop working without notice as infrastructure changes are made. Please use builds.dotnet.microsoft.com for all .NET download scenarios.
Timeline:
- Now: We recommend updating any configurations that directly access dotnetcli.blob.core.windows.net to use builds.dotnet.microsoft.com instead.
- Target date: July 2026: We plan to remove anonymous public access to the dotnetcli storage account. The exact timing will depend on migration signals to ensure we minimize disruption to users still accessing the storage account directly.
We will monitor usage patterns and provide updates as we approach the transition date. Our goal is to ensure a smooth migration for all users before enforcing this security change.
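One way to find the configurations that "Action required" and the timeline ask you to update is to scan a source tree for the retired host. This is an added example, not code from the announcement or the .NET team; the function names are hypothetical, the sample files are constructed, and it assumes the path after the host is unchanged on the CDN.

```python
import re
import tempfile
from pathlib import Path

OLD_HOST = "dotnetcli.blob.core.windows.net"   # storage origin named in the announcement
NEW_HOST = "builds.dotnet.microsoft.com"       # official CDN named in the announcement
# Match the old host case-insensitively, with an optional scheme, so that
# plain "http://" references are upgraded to HTTPS in the same pass.
PATTERN = re.compile(r"(?:https?://)?" + re.escape(OLD_HOST), re.IGNORECASE)


def rewrite(text):
    """Return text with every old-host reference pointed at the CDN.
    Assumption: the path after the host is the same on the CDN."""
    def repl(m):
        return ("https://" if "://" in m.group(0) else "") + NEW_HOST
    return PATTERN.sub(repl, text)


def audit(root):
    """Return a list of (path, line_number, line, suggested_line) findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            lines = path.read_text(encoding="utf-8").splitlines()
        except (UnicodeDecodeError, OSError):
            continue  # skip binaries and unreadable files
        for n, line in enumerate(lines, 1):
            if PATTERN.search(line):
                findings.append((str(path), n, line.strip(), rewrite(line).strip()))
    return findings


def demo():
    """Run the audit over constructed sample files (not from any real repo)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Dockerfile").write_text(
            "RUN curl -fsSLO https://dotnetcli.blob.core.windows.net/dotnet/Sdk/"
            "10.0.102/dotnet-sdk-10.0.102-win-x64.exe\n")
        Path(d, "ci.yml").write_text(
            "feed: http://DotNetCli.blob.core.windows.net/dotnet\n"
            "ok: https://builds.dotnet.microsoft.com/dotnet\n")
        return [(Path(p).name, n, new) for p, n, _, new in audit(d)]


if __name__ == "__main__":
    for name, n, new in demo():
        print(f"{name}:{n}: {new}")
```

Point `audit()` at a checkout containing CI definitions, Dockerfiles and install scripts; it only reports suggestions and leaves the files unchanged.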
Related announcements:
This change is part of our ongoing effort to secure .NET infrastructure. For related work, see: