SSL on an Application gateway

Mohamed jihad bayali 1,136 Reputation points
2023-08-02T15:29:11.7166667+00:00

Hello,

I'm very interested in working with Application Gateway.
I have 3 web sites that I want to expose behind an Application Gateway.
These 3 web sites are accessible using HTTPS, and I have some questions:

Is there any restriction on the backend pools that we create on an application gateway? I mean, should all the backend pool servers be in the same VNet as the application gateway, or can we have backend pool servers connected to different VNets?

And for the certificates, should I install them on the backend servers, and also on the application gateway, to have a full HTTPS connection?

Thanks


Accepted answer
  1. JimmySalian-2011 42,486 Reputation points
    2023-08-02T15:53:36.56+00:00

    Hi,

    Azure App Gateway can communicate with instances outside of the virtual network that it's in. As a result, the members of the backend pools can be across clusters, across datacenters, or outside Azure, as long as there's IP connectivity, so in this instance just make sure you have connectivity and peering set up if it is a hub-spoke setup.

    It depends on the requirement: if the SSL termination should happen at the App GW, it can be done, and if you require end-to-end SSL encryption for security, you can carry out the SSL tunnel between the GW and the backend servers.

    As per your requirement, you will need to install them on both the frontend and the backend servers for end-to-end encryption.

    Check this - https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. ChaitanyaNaykodi-MSFT 27,471 Reputation points Microsoft Employee Moderator
    2023-08-04T17:32:16.2166667+00:00

    @Mohamed jihad bayali

    Thank you for reaching out.

    Just answering your follow-up question above:

    For the certificate, the same certificate that is installed on the target servers should be installed on the app gateway?

    Yes. Listener TLS/SSL certificates in Application Gateway are used for terminating the client TLS connection at the gateway. This function is analogous to uploading a certificate on a web server to support TLS/HTTPS connections from clients/browsers.

    When configured with end-to-end TLS communication mode, Application Gateway terminates the TLS sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application Gateway then initiates a new TLS connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting the request to the backend.

    These are the requirements to establish end-to-end TLS with Application Gateway v2, as documented here:

    • Certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings don't require any additional step for end-to-end TLS to work.
    • If the backend server certificate is self-signed, or signed by an unknown CA/intermediaries, then to enable end-to-end TLS in Application Gateway v2 a trusted root certificate must be uploaded. Application Gateway will only communicate with backends whose server certificate's root certificate matches one of the list of trusted root certificates in the backend HTTP setting associated with the pool.
    • In addition to the root certificate match, Application Gateway v2 also validates if the Host setting specified in the backend http setting matches that of the common name (CN) presented by the backend server’s TLS/SSL certificate. When trying to establish a TLS connection to the backend, Application Gateway v2 sets the Server Name Indication (SNI) extension to the Host specified in the backend http setting.
    • If pick hostname from backend target is chosen instead of the Host field in the backend http setting, then the SNI header is always set to the backend pool FQDN and the CN on the backend server TLS/SSL certificate must match its FQDN. Backend pool members with IPs aren't supported in this scenario.
    • The root certificate is a base64 encoded root certificate from the backend server certificates.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

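A local pre-flight check for the requirements listed in the answer above, as an added example that is not code from this thread or from Microsoft: it builds a throwaway private CA and a backend certificate with openssl (the names lab-root-ca and app1.internal.example are constructed), then applies the two checks Application Gateway v2 makes on a backend, the chain to the uploaded base64 root and the Host/CN match, so a mismatch shows up before the gateway marks the backend unhealthy.

```shell
#!/bin/sh
# Added example, not code from the thread or the Azure docs: a local pre-flight
# check of the end-to-end TLS requirements listed above, using only openssl.
# Names are constructed: "lab-root-ca" stands in for an internal CA and
# "app1.internal.example" for the Host value in the backend HTTP settings.
set -eu
WORK="$(mktemp -d)"

# Build a throwaway private CA and a backend certificate signed by it in
# directory $1, i.e. the "signed by unknown CA" case that needs a root uploaded.
#   $1 = output directory, $2 = backend host name to put in the CN
make_lab_chain() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-root-ca" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -out "$1/server.pem" 2>/dev/null
  # Root exported as base64 (PEM) text, the form the backend settings take.
  openssl x509 -in "$1/root.pem" -out "$1/root.cer"
}

# Requirement 1: the backend certificate must chain to the uploaded root.
#   $1 = trusted root file, $2 = backend server certificate
root_matches() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Requirement 2: the Host in the backend HTTP settings (also sent as SNI)
# must match the CN/SAN of the backend certificate.
#   $1 = backend server certificate, $2 = Host value
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep "does match" >/dev/null
}

# Both requirements: returns 0 when the gateway would accept this backend.
#   $1 = trusted root file, $2 = backend certificate, $3 = Host value
backend_ok() {
  root_matches "$1" "$2" && host_matches "$2" "$3"
}

# Stand-alone run: two backends, each behind its own private CA.
make_lab_chain "$WORK/a" app1.internal.example
make_lab_chain "$WORK/b" app2.internal.example
backend_ok "$WORK/a/root.cer" "$WORK/a/server.pem" app1.internal.example && echo "app1: accepted"
backend_ok "$WORK/a/root.cer" "$WORK/b/server.pem" app2.internal.example || echo "app2: root mismatch"
backend_ok "$WORK/a/root.cer" "$WORK/a/server.pem" app2.internal.example || echo "app1 as app2: Host mismatch"
```

Against a real backend, replace the generated server.pem with the certificate the server actually presents (for example from `openssl s_client`) and root.cer with the file you intend to upload.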
