
To configure certificate settings for the backend pool of Azure Application Gateway, you'll need to upload a trusted root certificate to the gateway. This certificate is used to establish trust with your backend servers.
You can upload a root certificate to Azure Application Gateway using the Azure portal or PowerShell. The certificate must be in PEM format and not password-protected.
For the certificate to be trusted, it must be uploaded to the gateway before creating the backend pool. This ensures that the gateway can establish a secure connection with the backend servers.
Azure Application Gateway supports both self-signed and trusted certificates for backend communication. However, self-signed certificates are only trusted if uploaded to the gateway as a trusted root certificate.
Create and Configure Application Gateway
To create an application gateway with end-to-end TLS encryption, you'll need to enable TLS termination while creating a new application gateway. This action enables TLS encryption for communication between the client and application gateway.
Enable TLS termination by selecting HTTPS as the protocol in the listener settings. A pane for Certificate will appear, where you can upload the PFX certificate you intend to use for TLS termination.
To configure an existing application gateway with end-to-end TLS encryption, you must first enable TLS termination in the listener. This action enables TLS encryption for communication between the client and the application gateway.
To enable TLS termination in an existing application gateway, follow these steps:
- Select All resources, and then select your application gateway.
- Select Listeners from the left-side menu.
- Select either Basic or Multi-site listener depending on your requirements.
- Under Protocol, select HTTPS. A pane for Certificate appears.
- Upload the PFX certificate you intend to use for TLS termination between the client and the application gateway.
- Add other required settings for the Listener, depending on your requirements.
- Select OK to save.
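The same procedure driven from Azure PowerShell (Az.Network) instead of the portal, as an added example that is not code from the original article or from Microsoft's documentation. The resource group, gateway and listener names, the PFX path and the frontend port name are assumptions; the cmdlets and the predefined TLS policy name are real Az.Network identifiers.

```powershell
# Added example: enable TLS termination on an existing listener with Az.Network.
# Names and paths below are assumptions for illustration.
$rgName  = 'rg-appgw-demo'                          # assumed resource group
$gwName  = 'myAppGateway'                           # assumed gateway name
$pfxPath = 'C:\certs\www-example-com.pfx'           # assumed path to the PFX
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName

# Upload the PFX as an SSL certificate object on the gateway.
$certName = 'frontend-tls-cert'
$gw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name $certName `
        -CertificateFile $pfxPath -Password $pfxPass
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name $certName

# Make sure a 443 frontend port exists; create it only if it is missing.
$port443 = $gw.FrontendPorts | Where-Object Port -eq 443
if (-not $port443) {
    $gw = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port_443' -Port 443
    $port443 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port_443'
}

# Switch the existing basic listener to HTTPS, keeping its frontend IP configuration.
$listener   = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'appGatewayHttpListener'  # assumed name
$frontendIp = $gw.FrontendIPConfigurations | Where-Object Id -eq $listener.FrontendIpConfiguration.Id
$gw = Set-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name $listener.Name `
        -Protocol Https -FrontendIPConfiguration $frontendIp `
        -FrontendPort $port443 -SslCertificate $sslCert

# Recommended alongside termination: a predefined policy that refuses TLS 1.0/1.1 on the frontend.
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Predefined -PolicyName 'AppGwSslPolicy20220101'

# Commit the whole configuration in one operation, then confirm what the gateway exposes.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw
$gw.HttpListeners | Select-Object Name, Protocol,
    @{ n = 'Certificate'; e = { $_.SslCertificate.Id -split '/' | Select-Object -Last 1 } }
```

Every `Add-`/`Set-` cmdlet only edits the in-memory gateway object; nothing changes on the gateway until `Set-AzApplicationGateway` runs, so a failed step leaves the live configuration untouched. The password is read as a SecureString so it never lands in shell history or a script file.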
Once TLS termination is enabled, you'll need to add the certificates for your backend servers to the Safe Recipients list in the HTTP settings. This configuration enables TLS encryption for communication between the application gateway and the backend servers.
The backend certificates are added in the HTTP settings; the listener only needs TLS termination enabled. You can therefore reuse an existing HTTPS listener or create a new one, and if you create one, apply the steps in the procedure above for enabling TLS termination in an existing application gateway.
TLS Termination and End-to-End Encryption
To enable end-to-end TLS encryption, you must first enable TLS termination in the listener, which enables TLS encryption for communication between the client and the application gateway. This can be done while creating a new application gateway or in an existing one.
You can either use an existing listener that meets the conditions or create a new one. If you choose the latter option, you'll need to upload a PFX certificate for TLS termination between the client and the application gateway. Note that for testing purposes, you can use a self-signed certificate, but this is not advised for production workloads.
Certificates and Authentication
To enable end-to-end TLS encryption, you'll need to configure certificates and authentication for your Azure Application Gateway backend settings. This involves uploading the authentication/root certificates or trusted root certificates of your backend servers.
You can add these certificates by selecting the HTTP settings from the left-side menu, and then selecting the backend HTTP setting. For example, the default HTTP setting, appGatewayBackendHttpSettings, was automatically created when you created the application gateway.
The protocol should be set to HTTPS, and a pane for Backend authentication certificates or Trusted root certificates will appear. You can create a new certificate by selecting Create new, entering a suitable name, and uploading the certificate file in .cer format.
The type of certificate to upload depends on the type of application gateway you're using. For Standard and WAF (v1) application gateways, you should upload the public key of your backend server certificate. For Standard_v2 and WAF_v2 application gateways, you should upload the root certificate of the backend server certificate.
If the backend certificate is issued by a well-known certificate authority (CA), you can select the Use Well Known CA Certificate check box, and then you don't have to upload a certificate.
Here's a summary of the steps to upload certificates:
- Select the backend HTTP setting.
- Set the protocol to HTTPS.
- Select Create new to create a new certificate.
- Enter a suitable name for the certificate.
- Upload the certificate file in .cer format.
- Make sure the certificate type matches your SKU: the backend server's public certificate for Standard and WAF (v1), the root certificate of the backend chain for Standard_v2 and WAF_v2.
- Select the Use Well Known CA Certificate check box if applicable.
Remember to save the HTTP setting after uploading the certificate; until you do, the backend settings are not applied to the gateway.
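The trusted root upload described at the start of the article and the backend HTTP settings steps just listed, done together from Azure PowerShell (Az.Network) for a v2 gateway, as an added example that is not code from the original article or from Microsoft's documentation. The resource group, gateway, certificate path, certificate name and backend host name are assumptions; the cmdlets and the default setting name `appGatewayBackendHttpSettings` are real. The block goes slightly beyond the text by checking, before upload, that the file really is a root certificate, since that is the most common cause of an "invalid certificate" backend health status.

```powershell
# Added example: upload a trusted root certificate and bind it to an HTTPS
# backend setting on a Standard_v2 / WAF_v2 gateway. Names are assumptions.
$rgName  = 'rg-appgw-demo'                   # assumed resource group
$gwName  = 'myAppGateway'                    # assumed gateway name
$rootCer = 'C:\certs\backend-root.cer'       # assumed path; Base64 X.509, not password-protected

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName

# v1 SKUs take the backend leaf public certificate as an "authentication certificate";
# v2 SKUs take the issuing root as a "trusted root certificate". Refuse the wrong SKU early.
if ($gw.Sku.Tier -notin @('Standard_v2', 'WAF_v2')) {
    throw "SKU $($gw.Sku.Tier) is v1: use Add-AzApplicationGatewayAuthenticationCertificate with the backend leaf certificate instead."
}

# Sanity checks before upload: a root certificate is self-issued (Subject = Issuer) and not expired.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rootCer)
if ($x509.Subject -ne $x509.Issuer) {
    throw "$rootCer is not a root certificate (subject '$($x509.Subject)' differs from issuer '$($x509.Issuer)'); upload the root of the backend chain, not the leaf."
}
if ($x509.NotAfter -lt (Get-Date)) { throw "$rootCer expired on $($x509.NotAfter)." }

# Upload the root certificate; reuse it if one with this name already exists.
$rootName = 'backend-root-ca'                # assumed certificate name
$root = $gw.TrustedRootCertificates | Where-Object Name -eq $rootName
if (-not $root) {
    $gw   = Add-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name $rootName -CertificateFile $rootCer
    $root = Get-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name $rootName
}

# Switch the default backend setting to HTTPS and pin it to the uploaded root.
# HostName must match a name in the backend leaf certificate, or the health probe
# reports a certificate error even though the chain is trusted.
$gw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw `
        -Name 'appGatewayBackendHttpSettings' -Port 443 -Protocol Https `
        -CookieBasedAffinity Disabled -TrustedRootCertificate $root `
        -HostName 'app.internal.example.com'  # assumed backend host name

# Commit the configuration in one operation.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# Verify backend health as the gateway sees it; a chain or hostname problem shows up here.
Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rgName |
    Select-Object -ExpandProperty BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection.Servers } |
    Select-Object Address, Health, HealthProbeLog
```

The subject/issuer check is local and cheap, and it catches the mistake the article warns about for v2 gateways: uploading the server's own certificate where the root is expected. After the commit, a `Healthy` status in the backend health output confirms that the gateway validated the backend certificate chain against the uploaded root; anything else, together with `HealthProbeLog`, points at the chain or the host name.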