Which Azure Native Load Balancer today supports passing the original Client Certificate to IIS Deployed backend Web App?

Shetty, Sharath 26 Reputation points
2022-10-20T16:06:09.897+00:00

We have multiple (mostly WCF based and one .Net Core 3.1 based) Web Apps deployed within IIS on Windows 2019 VM and all these have Require SSL enabled at IIS Level. In other words we are using Mutual TLS and all these Web Apps use the Client Certificate for some validation and cannot work without it. Today we use F5 Load Balancer which has the SSL Passthrough feature to pass the original Client Certificate from the caller all the way to our IIS hosted Web Apps.

We are now planning to move all these apps to VMs in Azure and are trying to find any Azure Native Load Balancers (Azure Front Door, Application Gateway etc.) that have a feature similar to the one in F5 to pass the original Client Certificate all the way to our Web App. Our initial research on both Front Door and Application Gateway suggests they don't support passing the original certificate to backend Web Apps.

Can you please advise on what options we have?

Accepted answer
    ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
    2022-10-20T23:20:11.59+00:00

    @Shetty, Sharath ,

    Thank you for reaching out and Welcome to the Microsoft Q&A forum.

    Our initial research on both Front Door and Application Gateway suggests they don't support passing the original certificate to backend Web Apps.

    Your understanding here is correct. It would be helpful if you could create a feedback item regarding this request on the Azure Feedback portal for Application Gateway and upvote this similar request for Azure Front Door.

    Alternatively, Azure Application Gateway supports mTLS, where you can upload trusted client CA certificate(s) to the Application Gateway, and the gateway will use that certificate to authenticate the client sending a request to the gateway. Any information about the client certificate can be passed using these server variables. In your case above, though, you will have to modify the backend code to use this feature.

    Can you please advise on what options we have?

    As mentioned by AndreasBaumgarten above, Azure Load Balancer operates at Layer 4 and supports SSL/TLS pass-through, as it never interacts with Layer 7 traffic.

    Another service I could think of is Azure API management, as it allows you to secure access to the backend service of an API using client certificates. Azure API Management can be deployed inside an Azure virtual network (VNet) to access backend services within the network. You can go through the features list of APIM and see if this service satisfies your requirements.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    1 person found this answer helpful.
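The accepted answer says the backend has to be changed to use the certificate information that Application Gateway passes along rather than the TLS-level client certificate. The following is an added example for the .NET Core 3.1 app mentioned in the question, not code from this thread or from Microsoft: it uses the built-in certificate forwarding middleware (`Microsoft.AspNetCore.Authentication.Certificate`) to rebuild `Connection.ClientCertificate` from a request header, then runs certificate authentication on it. The header name `X-Client-Cert`, the rewrite rule that copies the gateway's `client_certificate` server variable into that header, the gateway subnet and the expected issuer DN are all assumptions; replace them with your own values.

```csharp
// Added example (not from this thread): ASP.NET Core 3.1 Startup that rebuilds the
// caller's certificate from a header populated by an Application Gateway rewrite rule
// and authenticates the request with it.
// Assumptions: header name "X-Client-Cert", a rewrite rule that copies the gateway's
// client_certificate server variable into it, and the placeholder subnet/issuer below.
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Constructed placeholders: the subnet the gateway sends from, and the issuer DN
    // of the client CA that was uploaded to the gateway.
    private static readonly IPNetwork GatewaySubnet = new IPNetwork(IPAddress.Parse("10.0.1.0"), 24);
    private const string ExpectedIssuer = "CN=Example Client CA, O=Example";

    public void ConfigureServices(IServiceCollection services)
    {
        // Turn the forwarded header back into HttpContext.Connection.ClientCertificate.
        services.AddCertificateForwarding(options =>
        {
            options.CertificateHeader = "X-Client-Cert"; // assumed header name
            options.HeaderConverter = HeaderToCertificate;
        });

        services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
            .AddCertificate(options =>
            {
                // The gateway already checked the chain against the uploaded CA; the app
                // re-checks so that a forged header alone is never enough.
                options.AllowedCertificateTypes = CertificateTypes.Chained;
                options.ValidateValidityPeriod = true;
                options.Events = new CertificateAuthenticationEvents
                {
                    OnCertificateValidated = context =>
                    {
                        // Only the gateway may assert a client certificate by header. A network
                        // rule (NSG) restricting the backend to the gateway subnet is the primary
                        // control; this peer-address check is defence in depth.
                        var remote = context.HttpContext.Connection.RemoteIpAddress;
                        if (remote == null || !GatewaySubnet.Contains(remote))
                        {
                            context.Fail("Client certificate header did not come from the gateway");
                            return Task.CompletedTask;
                        }
                        if (context.ClientCertificate.Issuer != ExpectedIssuer)
                        {
                            context.Fail("Unexpected client certificate issuer");
                            return Task.CompletedTask;
                        }
                        context.Success();
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCertificateForwarding(); // must run before UseAuthentication
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/whoami", async ctx =>
            {
                var cert = ctx.Connection.ClientCertificate;
                await ctx.Response.WriteAsync($"Subject: {cert.Subject}; thumbprint: {cert.Thumbprint}");
            }).RequireAuthorization();
        });
    }

    // Header values cannot carry line breaks, so the PEM the gateway emits may arrive
    // URL-encoded or with its armour stripped; accept either form and reject anything else.
    internal static X509Certificate2 HeaderToCertificate(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        var text = Uri.UnescapeDataString(headerValue)
            .Replace("-----BEGIN CERTIFICATE-----", string.Empty)
            .Replace("-----END CERTIFICATE-----", string.Empty);
        var base64 = new string(text.Where(c => !char.IsWhiteSpace(c)).ToArray());
        try
        {
            return new X509Certificate2(Convert.FromBase64String(base64));
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException)
        {
            return null; // malformed header: treated as "no certificate", so auth fails
        }
    }
}
```

The peer-address check matters because, unlike real TLS client authentication, a header can be typed by anyone who can reach the backend directly; the gateway must also be the only path to the VM, and the rewrite rule should always overwrite the header so that a value sent by the original caller never reaches the app. The WCF services in the question would need an equivalent change in their own pipeline, since they cannot rely on `RequireClientCertificate` once TLS terminates at the gateway.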

1 additional answer

    Andreas Baumgarten 104K Reputation points MVP
    2022-10-20T20:19:22.273+00:00

    Hi @Shetty, Sharath ,

    An Azure Load Balancer supports SSL/TLS pass-through:

    Does Azure Load Balancer support TLS/SSL termination?

    No, Azure Load Balancer doesn't currently support termination as it's a pass through network load balancer. Application Gateway could be a potential solution if your application requires termination.
    Source: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-faqs#does-azure-load-balancer-support-tls-ssl-termination-

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    2 people found this answer helpful.