Azure Front Door Mutual Auth (mTLS) Support

Question

Azure Front Door Mutual Auth (mTLS) Support

John Wong Yek Hon 140

I understand the as of now the Azure Front Door doesn't support the mTLS yet.

I was informed since 1 year ++ ago, that Azure going to enhance the Front Door to support mTLS. May I know how soon will that be ready? Is this still in progress or been cancelled?

Next question, while the Front Door just doesn't support mTLS yet, can we achieve that by combining the Front Door + Application Gateway? Meanings the Front Door route the requests to App Gateway, and the App Gateway perform mutual auth then?

Please advise.

Deepanshu katara 16,565 Reputation points MVP Moderator

2025-04-10T07:50:06.7033333+00:00

Hello , Welcome to MS Q&A

Currently, Azure Front Door does not support mutual TLS (mTLS) authentication. However, you can achieve mTLS by combining Azure Front Door with Azure Application Gateway. Here's how it can be done:

Azure Front Door: Use Azure Front Door to route incoming requests to your backend services. It acts as a global entry point for your applications.

Azure Application Gateway: Configure the Application Gateway to perform mutual authentication. Application Gateway supports certificate-based mutual authentication, allowing it to authenticate clients sending requests. You can upload trusted client CA certificates to the Application Gateway, which will use these certificates to authenticate clients.

By routing requests from Azure Front Door to an Application Gateway, you can leverage the mTLS capabilities of the Application Gateway to ensure secure client authentication.

For more details on configuring mutual authentication with Application Gateway, you can refer to the Azure documentation on mutual authentication.

Please let me know if any questions

Kindly accept answer

Thanks
Deepanshu
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-11T01:13:36.3466667+00:00

Hi @John Wong Yek Hon

Just checking in to see if above information was helpful. If you have any further queries on this issue, please let us know in the comments below.
John Wong Yek Hon 140 Reputation points

2025-04-11T07:09:36.2933333+00:00

@Sai Prasanna Sinde could you share if Front Door is going to support the mTLS in near future? at the mean time is there any alternative?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-11T08:10:15.95+00:00

Hi @John Wong Yek Hon

We have reached out to the product team for further information regarding your queries and will update you as soon as possible.

Thank you for your patience and understanding.
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-15T05:23:23.2766667+00:00

Hi @John Wong Yek Hon

mTLS for AFD is currently under Private Preview (without an SLA). For more details, please check the private messages we have initiated.
Kishore Srirama 0 Reputation points

2025-06-02T12:30:55.8966667+00:00

Hi @Sai Prasanna Sinde ,

I would like to request once again about your response. Are you confirming the mTLS can be achieved using Azure Front Door + App Gateway or else this option would not be feasible? Can we please see if AFD can prioritize this feature. Let us know if this Idea is captured elsewhere can vote for the same.

Thanks

Kishore
Antony Lehmann 20 Reputation points

2025-06-20T21:00:46.6233333+00:00

Hi @Sai Prasanna Sinde

We are keen to get access to the Private Preview of mTLS for AFD, can you please let me know how we can get early access to this.

Thanks

Antony

1 answer

Your answer

Deepanshu katara 16,565 Reputation points MVP Moderator

2025-04-10T07:50:06.7033333+00:00

Hello , Welcome to MS Q&A

Currently, Azure Front Door does not support mutual TLS (mTLS) authentication. However, you can achieve mTLS by combining Azure Front Door with Azure Application Gateway. Here's how it can be done:

Azure Front Door: Use Azure Front Door to route incoming requests to your backend services. It acts as a global entry point for your applications.

Azure Application Gateway: Configure the Application Gateway to perform mutual authentication. Application Gateway supports certificate-based mutual authentication, allowing it to authenticate clients sending requests. You can upload trusted client CA certificates to the Application Gateway, which will use these certificates to authenticate clients.

By routing requests from Azure Front Door to an Application Gateway, you can leverage the mTLS capabilities of the Application Gateway to ensure secure client authentication.

For more details on configuring mutual authentication with Application Gateway, you can refer to the Azure documentation on mutual authentication.

Please let me know if any questions

Kindly accept answer

Thanks
Deepanshu
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-11T01:13:36.3466667+00:00

Hi @John Wong Yek Hon

Just checking in to see if above information was helpful. If you have any further queries on this issue, please let us know in the comments below.
John Wong Yek Hon 140 Reputation points

2025-04-11T07:09:36.2933333+00:00

@Sai Prasanna Sinde could you share if Front Door is going to support the mTLS in near future? at the mean time is there any alternative?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-11T08:10:15.95+00:00

Hi @John Wong Yek Hon

We have reached out to the product team for further information regarding your queries and will update you as soon as possible.

Thank you for your patience and understanding.
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-15T05:23:23.2766667+00:00

Hi @John Wong Yek Hon

mTLS for AFD is currently under Private Preview (without an SLA). For more details, please check the private messages we have initiated.
Kishore Srirama 0 Reputation points

2025-06-02T12:30:55.8966667+00:00

Hi @Sai Prasanna Sinde ,

I would like to request once again about your response. Are you confirming the mTLS can be achieved using Azure Front Door + App Gateway or else this option would not be feasible? Can we please see if AFD can prioritize this feature. Let us know if this Idea is captured elsewhere can vote for the same.

Thanks

Kishore
Antony Lehmann 20 Reputation points

2025-06-20T21:00:46.6233333+00:00

Hi @Sai Prasanna Sinde

We are keen to get access to the Private Preview of mTLS for AFD, can you please let me know how we can get early access to this.

Thanks

Antony

Answer 1

Hi @John Wong Yek Hon

Can we achieve that by combining the Front Door + Application Gateway? Meanings the Front Door route the requests to App Gateway, and the App Gateway perform mutual auth then?

I am afraid to say that this architecture will not allow the Application Gateway to perform mTLS authentication with the original client.

Because TLS will terminate at AFD EndPoint - and if there is no authentication happening here, it just cannot "pass" traffic to the App gateway.

The client establishes a TLS connection with the Azure Front Door edge location. Front Door terminates this TLS connection, and it initiates a new TLS connection to the backend you've configured (in this case, AGW).

From the Application Gateways perspective, the incoming connection is originating from an Azure Front Door IP address, not the original client's IP address and during the TLS handshake between Front Door and Application Gateway, Front Door does not present the original client's certificate. The Application Gateway, therefore, has no client certificate to validate for mTLS purposes during this handshake.

Currently, mTLS for AFD is under Private Preview (without an SLA). For more details, please check the private messages we have initiated.

If the above helps, please take a moment to click 'Accept answer' so that other community members facing the same issues can easily find the right answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Thank you for helping to improve Microsoft Q&A!

Share via

Azure Front Door Mutual Auth (mTLS) Support

1 answer

Your answer