Azure managed TLS certificates behind Application Gateway

Mika Pitkänen 20 Reputation points
2024-02-13T13:55:58.7133333+00:00

Case A) - Azure Static Web App

"Free SSL/TLS certificates are automatically created for the auto-generated domain name and any custom domains you may add."

Q: When Static Web App is behind Application Gateway, is it possible to use Azure managed free SSL/TLS certificate when using End-to-end TLS? (App GW -> private endpoint -> Static Web App)

Case B) - Azure App Service

"Create a free App Service managed certificate"

Q: When App Service is behind Application Gateway, is it possible to use App Service's managed TLS certificate when using End-to-end TLS? (App GW -> private endpoint -> App Service)

Case C) - Azure API Management

"You can also enable a free, managed certificate."

Q: When API Management is integrated into virtual network in internal mode and is behind Application Gateway, is it possible to use free managed TLS certificate for custom domain?

Q: Is API Management's free managed TLS certificate still in preview?


Accepted answer
  1. ajkuma 23,181 Reputation points Microsoft Employee
    2024-02-15T04:19:16.36+00:00

    Thanks for posting this question.

    1. If your requirement fits, you could try setting up an Application Gateway in front of the SWA private endpoint and attaching the custom domain to the App Gateway.
    2. Based on my understanding of your case, this may not work. As outlined in this doc section #create-a-free-managed-certificate (the free certificate comes with limitations):
       • Must have an A record pointing to your web app's IP address.
       • Must have CNAME mapped directly to <app-name>.azurewebsites.net or trafficmanager.net. Mapping to an intermediate CNAME value blocks certificate issuance and renewal.
    3. We are checking on this, and will follow up on it.

    I have added additional tags to receive insights from the targeted SMEs/audience.

    1 person found this answer helpful.

1 additional answer

  1. JananiRamesh-MSFT 22,221 Reputation points
    2024-02-15T11:06:15.03+00:00

    @Mika Pitkänen Thanks for reaching out. Please find the details below regarding your APIM question.

    When API Management is integrated into virtual network in internal mode and is behind Application Gateway, is it possible to use free managed TLS certificate for custom domain?

    When APIM is integrated into a virtual network in internal mode and is behind an Application Gateway, it is not possible to use the free managed TLS certificate for custom domains as this requires pointing directly to the APIM CNAME instead of going through app gateway.

    Is API Management's free managed TLS certificate still in preview?

    Yes, I see it's still in preview.

    Please refer to: https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?WT.mc_id=Portal-fx&tabs=managed

    Do let me know in case of further queries; I would be happy to assist you.

    1 person found this answer helpful.
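
Both answers come down to the same DNS condition: the custom hostname must point directly at the service, not at the Application Gateway. The sketch below is an added example, not part of either answer or of any Azure tooling, that applies the two quoted conditions to a record set; every hostname, IP address and record is constructed, and accepting any `*.trafficmanager.net` target is an assumed reading of the quoted rule.

```python
# Constructed DNS data: all names and addresses below are hypothetical.
APP_HOST = "contoso-app.azurewebsites.net"   # app's default hostname
APP_IP = "198.51.100.7"                      # app's inbound IP address
RECORDS = {
    "direct.example.com": [("CNAME", "contoso-app.azurewebsites.net")],
    "apex.example.com": [("A", "198.51.100.7")],
    "gw.example.com": [("A", "203.0.113.10")],          # App Gateway frontend
    "chained.example.com": [("CNAME", "edge.example.com")],
    "edge.example.com": [("CNAME", "contoso-app.azurewebsites.net")],
}
TM_SUFFIX = ".trafficmanager.net"  # assumed reading of "or trafficmanager.net"


def managed_cert_eligible(hostname, records, app_host, app_ip):
    """Apply the quoted A/CNAME conditions to `hostname`.

    Returns (eligible, reason). Only the record published at the custom
    hostname itself is inspected: a CNAME that reaches the app through
    another name is an intermediate CNAME and is rejected. The first
    A or CNAME record found decides the result.
    """
    rrset = records.get(hostname.lower().rstrip("."), [])
    for rtype, value in rrset:
        value = value.lower().rstrip(".")
        if rtype == "CNAME":
            if value == app_host.lower() or value.endswith(TM_SUFFIX):
                return True, f"CNAME maps directly to {value}"
            return False, f"CNAME targets {value}, not the app hostname"
        if rtype == "A":
            if value == app_ip:
                return True, "A record points to the app's IP address"
            return False, f"A record points to {value}, not the app's IP"
    return False, "no A or CNAME record published for this hostname"


if __name__ == "__main__":
    for name in ("direct", "apex", "gw", "chained", "missing"):
        host = f"{name}.example.com"
        ok, why = managed_cert_eligible(host, RECORDS, APP_HOST, APP_IP)
        print(f"{host:22} {'eligible' if ok else 'blocked':9} {why}")
```

Hostnames reported as blocked are the ones fronted by the gateway, where the free managed certificate cannot be issued or renewed under the conditions quoted above.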