Hello @EnterpriseArchitect,
I understand that you would like to integrate your Application gateway with Key vault for certificate management and would like to know how to implement the same without any downtime.
Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the Application Gateway v2 SKU.
Azure Application Gateway integration with Key Vault supports both Vault access policy and Azure role-based access control permission models.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs
To integrate Key vault with Application Gateway for SSL on an existing HTTPS listener, you can follow the below steps:
- Obtain a user-assigned managed identity for your Application Gateway.
- Define access policies to use the user-assigned managed identity with your Key Vault.
  - If you're using the permission model Vault access policy: Select Access Policies, select + Add Access Policy, select Get for Secret permissions, and choose your user-assigned managed identity for Select principal. Then select Save.
  - If you're using Azure role-based access control, follow the article Assign a managed identity access to a resource and assign the user-assigned managed identity the Key Vault Secrets User role to the Azure Key Vault.
  - Specifying Azure Key Vault certificates that are subject to the role-based access control permission model is not supported via the portal.
- Using PowerShell/CLI:
  - Get the secret ID from Key Vault and specify the secret ID from Key Vault in your Application Gateway.
  - Commit the changes to the Application Gateway.
- Once the commands have been executed, you can navigate to your Application Gateway in the Azure portal.
- In your Application gateway, click the Listeners tab and select your existing listener.
- Under Choose a certificate, select "Create new" and "Choose a certificate from Key Vault".
- And then enter a certificate name, select managed identity and choose the certificate uploaded to your Key Vault.
- Once selected, click Save to apply the referenced Key Vault certificate to the listener.
As soon as you save the Application gateway, the newly referenced certificate from Key vault will be the one that is presented on new client requests, and you can safely remove/delete the traditional certificate from the listener (if you want) or keep it in the configuration to reference it later (whichever step works for you).
Refer to the below docs for detailed tutorials with screenshots:
https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works
https://learn.microsoft.com/en-us/azure/application-gateway/configure-key-vault-portal
NOTE: It is important to consider any impact on your Application Gateway resource when making changes or revoking access to your Key Vault resource. In case your application gateway is unable to access the associated key vault or locate the certificate object in it, it will automatically put that listener in a disabled state.
In case of end-to-end SSL, if you are using a well-known certificate authority for your backend certificate, then you don't have to change the HTTP setting when you upgrade the certificate in the backend. Changes done to the Application Gateway v2 are a lot faster.
So, as long as there are no issues with the configured Key vault and your application gateway is able to access the associated key vault, there should be no downtime in updating the certificate except the time normally required to save Application gateway changes.
When Application Gateway is configured to use Key Vault certificates and you rotate certificates in Key Vault, Application Gateway will automatically pick up the change after 4 hours.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/renew-certificates
NOTE:
- Application Gateway only supports certificates in Personal Information Exchange (PFX) format. You can either import an existing certificate or create a new one in your Key Vault. To avoid any failures, ensure that the certificate's status is set to Enabled in Key Vault. Refer: https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#certificate-settings-in-key-vault
- The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).
- References to Key Vaults in other Azure subscriptions are supported, but must be configured via ARM Template, Azure PowerShell, CLI, Bicep, etc. Cross-subscription key vault configuration is not supported by Application Gateway via Azure Portal today.
To renew certificates uploaded directly to Application gateway listener, you can follow the below:
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
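The PowerShell route described in the answer above (identity, Key Vault permission, secret ID, listener update, commit), as an added example that is not part of the original answer. All resource names are assumptions; the script references the certificate by its versionless secret ID so that a later rotation in Key Vault is picked up by the gateway without another configuration change.

```powershell
# Added example, not from the original answer. All names below are assumptions.
$rg       = "rg-appgw"            # resource group of the gateway
$agwName  = "agw-prod"            # existing Application Gateway v2
$kvName   = "kv-contoso"          # Key Vault holding the PFX certificate
$certName = "contoso-cert"        # certificate object name in Key Vault
$idName   = "id-agw-kv"           # user-assigned managed identity to create
$listener = "listener-https-443"  # existing HTTPS listener to switch over

# 1. Create a user-assigned managed identity and attach it to the gateway.
$location = (Get-AzResourceGroup -Name $rg).Location
$uai   = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idName -Location $location
$appgw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $agwName
$appgw = Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $uai.Id

# 2. Grant the identity read access to secrets. Use ONE of the two models.
#    Vault access policy model: "Get" on secrets is all the gateway needs.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $uai.PrincipalId -PermissionsToSecrets get
#    Azure RBAC model (use instead of the line above if the vault is RBAC-enabled):
# $kv = Get-AzKeyVault -VaultName $kvName
# New-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName "Key Vault Secrets User" -Scope $kv.ResourceId

# 3. Read the certificate and derive its versionless secret ID.
#    A disabled certificate would make the gateway disable the listener, so check first.
$cert = Get-AzKeyVaultCertificate -VaultName $kvName -Name $certName
if (-not $cert.Enabled) { throw "Certificate '$certName' is not Enabled in Key Vault; aborting." }
#    ".../secrets/<name>/<version>" -> ".../secrets/<name>/" (drop the version segment)
$secretId = $cert.SecretId -replace '[^/]+$', ''

# 4. Add the Key Vault reference to the gateway and point the listener at it.
$appgw   = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name "cert-from-kv" -KeyVaultSecretId $secretId
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name "cert-from-kv"
$lst     = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name $listener
$params = @{
    ApplicationGateway        = $appgw
    Name                      = $listener
    Protocol                  = "Https"
    FrontendIPConfigurationId = $lst.FrontendIpConfiguration.Id   # keep the existing frontend
    FrontendPortId            = $lst.FrontendPort.Id              # keep the existing port
    SslCertificateId          = $sslCert.Id                       # swap only the certificate
}
if ($lst.HostName) { $params.HostName = $lst.HostName }            # preserve SNI host name if set
$appgw = Set-AzApplicationGatewayHttpListener @params

# 5. Commit. The new certificate is served on new connections once this returns.
Set-AzApplicationGateway -ApplicationGateway $appgw
```

After the commit, the previous uploaded certificate remains in the gateway's SSL certificate list and can be removed later with Remove-AzApplicationGatewaySslCertificate followed by another Set-AzApplicationGateway.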