Can I use App Service's managed certificates behind an Application Gateway?

Marco 45 Reputation points
2023-09-27T09:33:01.47+00:00

Can I use the App Service's managed certificates if the service is behind an Application Gateway using WAFv2?

Hi everyone,

I have a few App Services behind an Application Gateway (AppGW) using WAFv2.

Correct me if I'm wrong. I know I can enable the managed certificates for my App Services (I see the option there), but I also need to be able to link those same certificates from the AppGW configuration so that the AppGW can accept HTTPS connections.

The question is, can I do that?

On the Azure Portal I don't see any option to refer to those certificates. In the AppGW listener's TLS certificates section I'm given the options to:

  • Upload a certificate
  • Choose a certificate from Key Vault

Can I configure it to use the App Service's managed certificates instead?

Otherwise, can I make the App Service store its managed certificates in a Key Vault and refer to those from the AppGW?

Thank you for your help :)


Accepted answer
  1. GitaraniSharma-MSFT 49,461 Reputation points Microsoft Employee
    2023-09-27T11:34:07.8633333+00:00

    Hello @Marco ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if you can use the App Service's managed certificates and link the same certificates to the Application Gateway configuration so that the Application Gateway can accept HTTPS connections.

    No, it is not possible to link the free App Service managed certificate to your Application Gateway configuration for HTTPS connections, because the free App Service managed certificate is not exportable and Azure fully manages the certificates on your behalf.

    Refer: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex#create-a-free-managed-certificate

    You can see the table below, which lists the options for adding certificates in App Service:

    [Image: table of options for adding certificates in App Service]

    You can create a free App Service managed certificate, if you just need to secure your custom domain in App Service.

    Refer: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex

    Please note that there are two product offerings: App Service Managed Certificates and App Service Certificates.

    • The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service.
    • App Service certificates are purchased from Azure, are issued by GoDaddy, and are maintained in Azure Key Vault.

    Application Gateway offers two models for TLS termination:

    1. Provide TLS/SSL certificates attached to the listener. This model is the traditional way to pass TLS/SSL certificates to Application Gateway for TLS termination.
    2. Provide a reference to an existing Key Vault certificate or secret when you create an HTTPS-enabled listener.

    The first option requires you to export a copy of the certificate. And, like I mentioned above, the free App Service managed certificate is not exportable.

    So, you need an App Service certificate, which is purchased from Azure. This certificate can be exported.

    Refer: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#export-an-app-service-certificate

    The second option requires you to configure your Application Gateway to use Key Vault certificates. To maintain the certificate in Azure Key Vault, you will need to purchase an App Service certificate from Azure.

    Refer: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
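
The two TLS termination models from the answer above, sketched with the Azure CLI as an added example (not part of the original answer). All resource names, the vault URL and the `PFX_PASSWORD` variable are placeholders, and the sketch assumes the gateway's managed identity can already read secrets from the vault. The versionless-ID helper reflects Azure's documented behaviour that a Key Vault reference without a version lets the gateway pick up renewed certificates; it is not something the answer states.

```shell
#!/usr/bin/env bash
# Added example: placeholder names throughout; public-cloud vault URLs only.

# Reduce https://<vault>.vault.azure.net/secrets/<name>[/<version>] to the
# versionless form, so the listener is not pinned to one certificate version.
versionless_secret_id() {
  local id="${1%/}"                       # drop a trailing slash
  case "$id" in
    https://*.vault.azure.net/secrets/*) ;;
    *) echo "not a Key Vault secret ID: $1" >&2; return 1 ;;
  esac
  local path="${id#https://*/secrets/}"   # <name> or <name>/<version>
  echo "${id%%/secrets/*}/secrets/${path%%/*}"
}

# Model 2: the gateway holds only a reference; the key stays in Key Vault.
# Args: resource group, gateway, certificate name, Key Vault secret ID.
attach_keyvault_cert() {
  local sid
  sid="$(versionless_secret_id "$4")" || return 1
  az network application-gateway ssl-cert create \
    --resource-group "$1" --gateway-name "$2" --name "$3" \
    --key-vault-secret-id "$sid"
}

# Model 1: upload an exported PFX. The password is read from PFX_PASSWORD,
# but it still reaches az as an argument, and renewal means a new upload.
# Args: resource group, gateway, certificate name, path to the PFX file.
attach_uploaded_cert() {
  az network application-gateway ssl-cert create \
    --resource-group "$1" --gateway-name "$2" --name "$3" \
    --cert-file "$4" --cert-password "${PFX_PASSWORD:?set PFX_PASSWORD}"
}

# Point an existing HTTPS listener at the certificate object created above.
# Args: resource group, gateway, listener name, certificate name.
bind_listener() {
  az network application-gateway http-listener update \
    --resource-group "$1" --gateway-name "$2" --name "$3" --ssl-cert "$4"
}

# Runs only with --apply, so sourcing or dry-running the file never calls az.
if [ "${1:-}" = "--apply" ]; then
  attach_keyvault_cert rg-example appgw-example kv-cert \
    "https://kv-example.vault.azure.net/secrets/appgw-cert/0123456789abcdef"
  bind_listener rg-example appgw-example https-listener kv-cert
fi
```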
