
I'm trying to set up an end-to-end SSL connection using Application Gateway to communicate to an AppService instance. The AppService instance has a custom domain with SSL.

Now I would like to secure the connection from the client to the Application Gateway. When adding an HTTPS listener for the gateway, I'm asked to upload a .pfx certificate. I have managed to set up the entire process with a self-signed certificate, as described in this guide and here, however I couldn't find any information on how to generate a .pfx certificate to assign to the listener in production.

My questions are the following:

  • The gateway can't be assigned a domain, and all I have is the public IP. How should this certificate be obtained in a production environment for it to work on that IP address?
  • Can I obtain it on Azure, or using a third-party service (if yes, any suggestion)?
  • Did you find the solution?
    – kudlatiger
    Oct 5, 2020 at 13:10
  • @kudlatiger I ended up moving to Front Door since the main reason for doing this was the WAF, so it ended up being cheaper and it worked out-of-the-box. Check out the answers below too
    – Luca Mozzo
    Oct 6, 2020 at 14:43

2 Answers


The gateway can't be assigned a domain, and all I have is the public IP. How should this certificate be obtained in a production environment for it to work on that IP address?

SSL certificates are not IP specific. In your case, for end-to-end SSL, you need to:

  1. Create a DNS record in your custom domain that points to the WAF IP
  2. Get a certificate for it from a commercial CA
  3. Create a "multi-site" HTTPS listener on the WAF using the cert and the FQDN (the host name created in step 1)
  4. Add the existing app service as a backend pool
  5. Add HTTP Settings with:
    • backend protocol HTTPS
    • override hostname - Yes
    • Pick host name from backend target
  6. Create a request routing rule to link the listener with the pool using the HTTP Settings

Alternatively, you can update the existing DNS record for the app service to point to the WAF IP and use the existing cert to set up the listener.

Can I obtain it on Azure, or using a third-party service (if yes, any suggestion)?

You can use Azure Key Vault to obtain certificates from DigiCert or GlobalSign.

  • Why use a "multi-site" HTTPS listener, and not a basic one? For a single AppService instance the basic one should be enough.
    Feb 4, 2021 at 16:20
  • @MikaelChudinov A multi-site listener will help avoid reconfiguration when a second, third, etc. app needs to be published using the same WAF.
    Feb 5, 2021 at 18:36
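The six steps in the answer above, written out as Azure CLI calls. This is an added example, not the answer author's code. The resource group, gateway, public IP, DNS zone, host name and App Service names are placeholders, and the `az network application-gateway` subcommands and flags are assumed to be the ones current `az` releases accept (compare with `az network application-gateway --help` if yours differ):

```shell
#!/usr/bin/env bash
# Added example (not the answer author's code): the configuration steps above
# as Azure CLI calls. Resource names, the DNS zone, the host name and the
# App Service FQDN are assumed placeholders; replace them with your own.
set -eu

RG="${RG:-rg-example}"                          # assumed resource group
GW="${GW:-appgw-example}"                       # assumed Application Gateway (WAF SKU)
GW_PIP="${GW_PIP:-pip-appgw-example}"           # assumed public IP resource of the gateway
ZONE="${ZONE:-example.com}"                     # assumed Azure DNS zone you control
HOST="${HOST:-app}"                             # record name; listener host becomes app.example.com
FQDN="$HOST.$ZONE"
BACKEND="${BACKEND:-myapp.azurewebsites.net}"   # assumed existing App Service default host name
PFX="${PFX:-./$FQDN.pfx}"                       # CA-issued certificate packaged as PFX (step 2)
PFX_PASSWORD="${PFX_PASSWORD:-}"                # export password of that PFX

# Step 1: A record for the listener host name, pointing at the gateway's public IP.
dns_record() {
  gw_ip=$(az network public-ip show --resource-group "$RG" --name "$GW_PIP" \
            --query ipAddress -o tsv)
  az network dns record-set a add-record --resource-group "$RG" --zone-name "$ZONE" \
    --record-set-name "$HOST" --ipv4-address "$gw_ip"
}

# Step 3: upload the PFX and bind it to a multi-site listener on port 443.
# --host-name is what makes the listener multi-site: requests are matched on
# the Host header, so further apps can be added later without touching this one.
https_listener() {
  az network application-gateway ssl-cert create --resource-group "$RG" --gateway-name "$GW" \
    --name "cert-$HOST" --cert-file "$PFX" --cert-password "$PFX_PASSWORD"
  az network application-gateway frontend-port create --resource-group "$RG" --gateway-name "$GW" \
    --name port443 --port 443
  az network application-gateway http-listener create --resource-group "$RG" --gateway-name "$GW" \
    --name "listener-$HOST" --frontend-port port443 --ssl-cert "cert-$HOST" --host-name "$FQDN"
}

# Step 4: the App Service is addressed by its FQDN, not by an IP.
backend_pool() {
  az network application-gateway address-pool create --resource-group "$RG" --gateway-name "$GW" \
    --name "pool-$HOST" --servers "$BACKEND"
}

# Step 5: HTTPS to the backend, with the Host header taken from the backend
# target so the App Service's own certificate and host routing still match.
http_settings() {
  az network application-gateway http-settings create --resource-group "$RG" --gateway-name "$GW" \
    --name "https-$HOST" --port 443 --protocol Https --host-name-from-backend-pool true
}

# Step 6: tie listener, pool and settings together.
routing_rule() {
  az network application-gateway rule create --resource-group "$RG" --gateway-name "$GW" \
    --name "rule-$HOST" --rule-type Basic --priority 100 \
    --http-listener "listener-$HOST" --address-pool "pool-$HOST" --http-settings "https-$HOST"
}

# Run with APPLY=1 after `az login`; without it the functions are only defined.
if [ "${APPLY:-0}" = 1 ]; then
  dns_record
  https_listener
  backend_pool
  http_settings
  routing_rule
fi
```

Step 2 (obtaining the certificate from a CA) has no CLI equivalent here; the script expects the issued certificate to already be packaged as `$PFX`. The `--host-name` on the listener and `--host-name-from-backend-pool true` on the HTTP settings are the two flags that correspond to the "multi-site" and "pick host name from backend target" choices in the answer.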

For your scenario, since you do not have a custom domain and are relying on the default DNS name of the app gateway's public IP address, you won't be able to configure SSL/TLS for your listener, since you do not own the cloudapp.net domain and hence won't have a .pfx for it. Note that it has to be a certificate signed by a well-known CA, else your client apps would end up getting an error related to certificate trust (unless they have the root CA installed at their end).

For better control over incoming routes, it would be recommended for a production environment to get your own domain and then purchase an SSL certificate for it (wildcard or naked) that would then let you upload a .pfx file to the app gateway listener. In that case you can purchase the certificate from Azure or from any other vendor.
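Both answers come down to the same two requirements: the certificate must be issued for a DNS name you own (not the public IP), and it must chain to a well-known CA or clients will refuse it. The script below, added here and not part of either answer, packages a CA-issued leaf certificate together with its intermediates into the .pfx the listener accepts, and checks both requirements before the upload. File names, the `app.example.com` host name and the `TRUST_ROOT` variable (only for testing against a private root) are assumptions:

```shell
#!/usr/bin/env bash
# Added example (not from either answer): package a CA-issued certificate as
# the .pfx an Application Gateway HTTPS listener expects, and check the two
# things that produce trust errors in practice: an intermediate missing from
# the chain, and a SubjectAltName that does not cover the listener host name.
# All file names are assumed placeholders.
set -eu

FQDN="${FQDN:-app.example.com}"      # listener host name: a DNS name, never the public IP
LEAF="${LEAF:-$FQDN.crt}"            # leaf certificate issued by the CA
KEY="${KEY:-$FQDN.key}"              # private key generated with the CSR
CHAIN="${CHAIN:-chain.crt}"          # intermediate CA certificate(s) supplied by the CA
PFX="${PFX:-$FQDN.pfx}"              # output uploaded to the listener
PFX_PASSWORD="${PFX_PASSWORD:-}"     # export password entered in the portal / CLI
TRUST_ROOT="${TRUST_ROOT:-}"         # leave empty in production: use the system trust store

# Succeeds when the certificate's DNS SANs cover $1 (exact or single-label wildcard).
san_covers() {
  host="$1"; cert="$2"
  for name in $(openssl x509 -in "$cert" -noout -text \
                | grep -A1 'Subject Alternative Name' | tail -n1 \
                | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'); do
    [ "$name" = "$host" ] && return 0
    case "$name" in
      \*.*) [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# The leaf must chain to a trusted root through the supplied intermediates;
# this is the same check a browser or HTTP client performs against the gateway.
verify_chain() {
  if [ -n "$TRUST_ROOT" ]; then
    openssl verify -CAfile "$TRUST_ROOT" -untrusted "$CHAIN" "$LEAF"
  else
    openssl verify -untrusted "$CHAIN" "$LEAF"
  fi
}

# -certfile embeds the intermediates so the gateway serves the full chain.
build_pfx() {
  openssl pkcs12 -export -inkey "$KEY" -in "$LEAF" -certfile "$CHAIN" \
    -name "$FQDN" -passout "pass:$PFX_PASSWORD" -out "$PFX"
}

# Number of certificates inside the PFX; 1 means the intermediates were left out.
pfx_cert_count() {
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASSWORD" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Run with BUILD=1 once the CA has issued $LEAF and $CHAIN.
if [ "${BUILD:-0}" = 1 ]; then
  san_covers "$FQDN" "$LEAF" || { echo "SAN does not cover $FQDN" >&2; exit 1; }
  verify_chain
  build_pfx
  echo "$PFX contains $(pfx_cert_count) certificate(s)"
fi
```

`san_covers` is also the reason the original question has no good answer for a bare IP: a public CA issues the certificate for the names in the CSR, so a listener reached only by IP has nothing for the client to match. If an upload is rejected after exporting with OpenSSL 3.x, re-run the `pkcs12 -export` command with `-legacy` added, which selects the older encoding some importers still expect.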
