How to use PFX file in Application Gateway Listener

Lyncheese 105 Reputation points
2023-12-19T07:22:44.53+00:00

I have a Web API project running on Web App Service on Azure.
Usually it has public access, but I have to change it to private access.

The idea is to access the App Service from Application Gateway.
I have seen several tutorials, but none of them include using a .pfx in the configuring listener step.

In summary, the App Gateway will have a public IP accessed by the public.
The App Service has a default domain from Azure with the suffix azurewebsites.net.

My plan is to use TLS end to end.
So the question now is, where to get the .pfx file and how to generate it?
I assumed .pfx is related to a certificate.
The default domain from the backend App Service did not have a downloadable certificate, though.

How do I configure this part?


Accepted answer
  1. ChaitanyaNaykodi-MSFT 27,041 Reputation points Microsoft Employee
    2023-12-20T04:07:30.5133333+00:00

    @Lyncheese

    Thank you for reaching out.

    I understand you have an Azure Web App service with a default domain which you want to add as a backend to the Application Gateway.

    In this case there is no requirement to upload a .pfx certificate file to the Application Gateway listener. As documented here: Certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings don't require any additional step for end-to-end TLS to work. If you're using Azure App Service or other Azure web services as your backend, then these are implicitly trusted as well and no further steps are required for end-to-end TLS.

    As documented here:

    • In the Trusted root certificate setting, you can set it to use a well-known CA trusted root certificate.
    • Under "Host name override", select "Pick host name from backend target". This setting will cause the request towards App Service to use the "azurewebsites.net" host name, as is configured in the Backend Pool.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
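The two portal settings in the accepted answer (well-known CA as trusted root, "pick host name from backend target") can also be applied with the Azure CLI. The script below is an added example and is not part of the original answer or of any Microsoft sample; the resource group, gateway name, and the pool/probe/settings names are assumptions, and it needs a logged-in `az` session unless `DRY_RUN=1` is set, in which case it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Azure CLI equivalent of the
# portal steps for end-to-end TLS to an App Service backend. Resource group,
# gateway name and the pool/probe/settings names are assumptions.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -euo pipefail

run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# configure_e2e_tls <resource-group> <gateway-name> <app-service-fqdn>
configure_e2e_tls() {
  local rg="$1" gw="$2" fqdn="$3"

  # 1. Backend pool points at the App Service default host name (azurewebsites.net).
  run az network application-gateway address-pool create \
    --resource-group "$rg" --gateway-name "$gw" \
    --name appservice-pool --servers "$fqdn"

  # 2. Health probe over HTTPS. The probe takes its Host header from the HTTP
  #    settings, which in turn take it from the backend target, so the probe
  #    reaches the app under the name its certificate was issued for.
  run az network application-gateway probe create \
    --resource-group "$rg" --gateway-name "$gw" \
    --name appservice-probe --protocol Https --path / \
    --host-name-from-http-settings true \
    --interval 30 --timeout 30 --threshold 3

  # 3. Backend HTTP settings: HTTPS on 443, no trusted root certificate
  #    uploaded (the azurewebsites.net certificate chains to a well-known CA),
  #    and "pick host name from backend target" so SNI and the Host header
  #    match the certificate CN. No .pfx is involved on this path.
  run az network application-gateway http-settings create \
    --resource-group "$rg" --gateway-name "$gw" \
    --name appservice-https-settings --port 443 --protocol Https \
    --host-name-from-backend-pool true \
    --probe appservice-probe --timeout 30

  # 4. Verify: backend health should report Healthy once the probe succeeds
  #    over TLS; an Unhealthy/unknown status here usually means a host-name or
  #    certificate mismatch rather than a missing upload.
  run az network application-gateway show-backend-health \
    --resource-group "$rg" --name "$gw"
}
```

Run it as `configure_e2e_tls <rg> <gateway> <app>.azurewebsites.net` after sourcing the file. The listener side still needs a certificate for the gateway's own public host name (that is where a .pfx is uploaded); nothing in the backend settings above requires one.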

