
Azure Application Gateway supports TLS 1.2 and TLS 1.3, but not TLS 1.0 or TLS 1.1.
To configure TLS 1.2 or 1.3 on Azure Application Gateway, create a new SSL policy or update an existing one.
You can choose between TLS 1.2 and TLS 1.3 in the SSL policy settings, but keep in mind that TLS 1.3 is only supported on Azure Application Gateway v2.
Azure Application Gateway also supports mutual TLS (mTLS) for mutual authentication, which requires both the client and the server to authenticate each other with certificates.
SSL/TLS Offloading
SSL/TLS offloading improves the performance of your web servers. By moving the encryption and decryption work to a dedicated component, such as Azure Application Gateway, you can significantly reduce the CPU load on your backend servers.
In this process, the Application Gateway terminates the SSL/TLS connection from the client, decrypts the data, and forwards the unencrypted traffic to the backend servers, which can then focus solely on processing application requests. Note that with offloading alone the hop from the gateway to the backend is plaintext; if that hop must also be protected, use end-to-end TLS as described below.
Here are the benefits of SSL/TLS offloading:
- Improved Performance: By offloading or terminating SSL/TLS encryption at the Application Gateway, backend servers can allocate more resources to processing application requests, leading to better performance and reduced latency.
- Simplified Server Management: Backend servers can focus on application logic without the added complexity of handling SSL/TLS encryption and decryption.
- Scalability: Offloading or terminating SSL/TLS allows for better resource allocation, enabling easier horizontal scaling of your application infrastructure.
- Centralized Security: SSL/TLS certificates can be managed centrally at the Application Gateway, simplifying certificate renewal and ensuring consistent encryption settings.
- Enhanced Security: SSL/TLS offloading or termination can be combined with Web Application Firewall (WAF) features provided by Azure Application Gateway to protect against web vulnerabilities and attacks.
To implement SSL/TLS offloading with Azure Application Gateway, you'll need to create an Application Gateway instance, configure an SSL/TLS certificate, define HTTPS listeners, and ensure your backend pool consists of your application servers.
Certificates and Encryption
Azure Application Gateway supports various types of certificates for TLS termination, including CA, EV, Wildcard, and Self-Signed certificates. These certificates are used to establish a secure connection between the client and the Application Gateway.
A CA certificate is issued by a trusted Certificate Authority, while an EV certificate undergoes stricter validation and turns the browser's address bar green. Wildcard certificates cover multiple subdomains, but not the root domain. Self-Signed certificates are not trusted by client browsers and should only be used for testing or in environments where administrators can bypass the security alerts.
Here are the supported certificate types:
- CA (Certificate Authority) certificate
- EV (Extended Validation) certificate
- Wildcard Certificate
- Self-Signed certificates
For end-to-end TLS encryption, Application Gateway terminates TLS sessions at the gateway, decrypts user traffic, and then applies configured rules to select an appropriate backend pool instance. This process involves re-encrypting data using the backend server's public key certificate before transmitting the request to the backend.
Certificates Supported
Application gateways support a variety of certificates for TLS termination.
A CA (Certificate Authority) certificate is a digital certificate issued by a certificate authority, which is a trusted entity that verifies the identity of a website.
EV (Extended Validation) certificates are industry-standard certificates that turn the browser address bar green and display the company name.
Wildcard certificates support any number of subdomains based on *.site.com, but not the main domain site.com.
Self-Signed certificates are useful for testing or environments where administrators control the clients, but should never be used in production workloads due to browser security alerts.
End-to-End Encryption
End-to-end encryption is required for secure communication in many environments, and Azure Application Gateway provides end-to-end TLS encryption to support security and compliance requirements.
Application Gateway terminates TLS sessions at the gateway, decrypts user traffic, and then applies configured rules to select an appropriate backend pool instance. It initiates a new TLS connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting the request.
To enable end-to-end TLS, you need to set the protocol setting in Backend HTTP Setting to HTTPS. This is then applied to a backend pool. In Application Gateway v1 SKU gateways, TLS policy applies the TLS version only to frontend traffic and the defined ciphers to both frontend and backend targets.
In Application Gateway v2 SKU gateways, the TLS policy only applies to frontend traffic; backend TLS connections are always negotiated with TLS 1.0 to TLS 1.2. This is a key difference between the two SKUs, so understand its implications for your specific use case.
If the certificates of the members in the backend pool aren't signed by well-known CA authorities, each instance in the backend pool with end-to-end TLS enabled must be configured with a certificate. This ensures secure communication between the application gateway and the backend servers.
The certificate added to Backend HTTP Setting to authenticate the backend servers can be the same as the certificate added to the listener for TLS termination at application gateway or different for enhanced security. This provides flexibility in configuring your certificates for secure communication.
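The TLS policy rules at the top of the page, the offloading setup (HTTPS listener plus an HTTP backend setting), and the end-to-end TLS settings described in this section all live in the same Application Gateway resource, so they can be audited together. The following script is an added example written for this page; it is not Microsoft's code or any tool from the sources. It reads an ARM-style Microsoft.Network/applicationGateways resource and reports settings that contradict the points above: a frontend minimum TLS version below 1.2, TLS 1.3 on a v1 SKU, listeners without TLS, backend settings that are plaintext, and HTTPS backend settings with no trusted root or authentication certificate (which is only correct when the backend certificates chain to a well-known CA). The property names (`sslPolicy`, `minProtocolVersion`, `httpListeners`, `backendHttpSettingsCollection`, `trustedRootCertificates`, `authenticationCertificates`) and the minimum versions of the predefined policy names are taken from the ARM schema and Azure documentation as the author understands them, so treat them as assumptions to verify against current documentation; the gateway resource embedded below is constructed for illustration.

```python
"""Audit an Azure Application Gateway ARM resource for the TLS settings
discussed on this page. Added example; not Microsoft's code."""
import json

# Minimum frontend TLS version enforced by each predefined policy, as the
# author understands Azure documentation (assumption; verify before relying on it).
PREDEFINED_MIN_VERSION = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}
TLS_RANK = {"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}

# Constructed sample: a v2 gateway that contains one weak setting of each kind.
SAMPLE_GATEWAY = json.loads(r'''
{
  "name": "appgw-example",
  "sku": {"name": "Standard_v2", "tier": "Standard_v2"},
  "properties": {
    "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_1",
                  "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
    "sslCertificates": [{"name": "frontend-cert"}],
    "trustedRootCertificates": [{"name": "backend-root"}],
    "httpListeners": [
      {"name": "https-listener", "properties": {"protocol": "Https",
         "sslCertificate": {"id": "<resource-id>/sslCertificates/frontend-cert"}}},
      {"name": "http-listener", "properties": {"protocol": "Http"}}
    ],
    "backendHttpSettingsCollection": [
      {"name": "e2e-https", "properties": {"protocol": "Https", "port": 443,
         "trustedRootCertificates": [{"id": "<resource-id>/trustedRootCertificates/backend-root"}]}},
      {"name": "offload-http", "properties": {"protocol": "Http", "port": 80}},
      {"name": "https-no-root", "properties": {"protocol": "Https", "port": 443}}
    ]
  }
}
''')


def effective_min_version(ssl_policy):
    """Resolve the minimum frontend TLS version an sslPolicy block enforces.
    Returns None when the block is missing or uses a policy we do not know."""
    ptype = ssl_policy.get("policyType")
    if ptype == "Predefined":
        return PREDEFINED_MIN_VERSION.get(ssl_policy.get("policyName"))
    if ptype in ("Custom", "CustomV2"):
        return ssl_policy.get("minProtocolVersion")
    return None


def audit_gateway(gw):
    """Return a list of (severity, component, message) findings."""
    findings = []
    props = gw["properties"]
    is_v2 = gw.get("sku", {}).get("tier", "").endswith("_v2")

    # 1. Frontend TLS policy: TLS 1.2 minimum, and TLS 1.3 only on v2.
    min_ver = effective_min_version(props.get("sslPolicy", {}))
    if min_ver is None:
        findings.append(("WARN", "sslPolicy",
                         "no recognised SSL policy; the default predefined policy applies, verify its minimum version"))
    else:
        if TLS_RANK[min_ver] < TLS_RANK["TLSv1_2"]:
            findings.append(("HIGH", "sslPolicy",
                             f"minimum frontend TLS version is {min_ver}; set TLS 1.2 or higher"))
        if TLS_RANK[min_ver] >= TLS_RANK["TLSv1_3"] and not is_v2:
            findings.append(("HIGH", "sslPolicy",
                             "TLS 1.3 policy on a v1 SKU; TLS 1.3 is only supported on v2"))

    # 2. Listeners: anything that is not HTTPS is an entry point with no TLS termination.
    for listener in props.get("httpListeners", []):
        if listener["properties"].get("protocol") != "Https":
            findings.append(("HIGH", listener["name"],
                             "listener is plain HTTP; no TLS termination on this entry point"))

    # 3. Backend settings: HTTP means offload only (plaintext hop); HTTPS without a
    #    trusted root (v2) or authentication certificate (v1) relies on well-known CAs.
    for setting in props.get("backendHttpSettingsCollection", []):
        sp, name = setting["properties"], setting["name"]
        if sp.get("protocol") != "Https":
            findings.append(("INFO", name, "offload only: gateway-to-backend traffic is plaintext"))
            continue
        if not (sp.get("trustedRootCertificates") or sp.get("authenticationCertificates")):
            findings.append(("WARN", name,
                             "end-to-end TLS without a trusted root/authentication certificate; "
                             "backend certificates must chain to a well-known CA"))
    return findings


if __name__ == "__main__":
    for severity, component, message in audit_gateway(SAMPLE_GATEWAY):
        print(f"[{severity}] {component}: {message}")
```

Run it against a gateway exported with `az network application-gateway show` (or the resource section of an ARM template) by loading that JSON instead of `SAMPLE_GATEWAY`. The severities are the author's choices: a plaintext backend hop is reported as informational because offloading is a legitimate design, while a listener without TLS and a sub-1.2 policy are reported as high because they contradict the settings this page recommends.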
Frontend Certificate
When choosing a frontend certificate for your Application Gateway, you have several options to consider.
A CA (Certificate Authority) certificate is a good choice, as it's a digital certificate issued by a trusted authority.
An EV (Extended Validation) certificate is another option, which turns the browser address bar green and displays the company name.
Wildcard certificates support any number of subdomains based on *.site.com, but not site.com.
Self-Signed certificates should be avoided in production workloads, as client browsers don't trust them and will warn the user.
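The wildcard rule stated here and in the Certificates Supported section (a `*.site.com` certificate covers subdomains but not `site.com` itself) is worth checking before you bind a certificate to a listener, because a browser that applies the rule strictly will reject a hostname the certificate does not cover. The function below is an added example written for this page, not code from the sources or from Azure; it implements the hostname matching rules as the author understands them from RFC 6125 (wildcard only as the entire leftmost label, matching exactly one label, never the registered domain itself), and `uncovered_hostnames` applies them to a list of listener hostnames. The certificate names and hostnames in the sample are constructed.

```python
"""Check which listener hostnames a certificate's names actually cover.
Added example; not Azure's or any source's code."""


def hostname_matches(cert_name, hostname):
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    Rules (author's reading of RFC 6125, labelled as an assumption):
      - comparison is case-insensitive and a trailing dot is ignored;
      - a wildcard is honoured only as the entire leftmost label ("*.site.com");
      - the wildcard matches exactly one label, so "*.site.com" covers
        "www.site.com" but neither "site.com" nor "a.b.site.com".
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in cert:
        return cert == host
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # The wildcard must be the whole leftmost label, nothing else may contain
    # one, and at least two labels must follow it (refuse "*" and "*.com").
    if (cert_labels[0] != "*"
            or any("*" in label for label in cert_labels[1:])
            or len(cert_labels) < 3):
        return False
    # Exactly one label is substituted for the wildcard, and it must be non-empty.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def uncovered_hostnames(cert_names, listener_hostnames):
    """Listener hostnames that no name on the certificate covers."""
    return [h for h in listener_hostnames
            if not any(hostname_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed sample: a wildcard-only certificate bound to listeners that
    # include the root domain and a two-level subdomain.
    cert_names = ["*.site.com"]
    listeners = ["www.site.com", "site.com", "api.internal.site.com", "WWW.SITE.COM."]
    for host in uncovered_hostnames(cert_names, listeners):
        print(f"not covered by {cert_names}: {host}")
```

If the root domain must be served from the same listener, add it to the certificate as its own Subject Alternative Name alongside the wildcard; `uncovered_hostnames(["*.site.com", "site.com"], ...)` then reports only the multi-level subdomain.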
If you're planning to use the same certificate for the frontend and backend, be aware that there are important considerations to keep in mind.