mTLS with Azure Load Balancer not working

Pujari, Vaibhav 20 Reputation points
2023-12-28T07:48:04.7933333+00:00

Hello,

I am unable to work with mTLS when using Azure Load Balancer. Here is my scenario:

I have set up a VMSS with only one VM, which handles mTLS as part of the application code running on the VM. When I try to reach the application (on the VM) directly from a client machine and provide the client certificate and key in the request, I get a response as expected. But when I attach an Azure Load Balancer to the VMSS and then try to reach the application through it from the same client machine with the same certificate and key, I don't get any response (timeout).

If I disable mTLS and only enable TLS in my application code, then I am able to reach through Azure Load Balancer. So the networking should be ok.

It seems like the Azure Load Balancer is unable to forward my requests properly to the backend pool when the client sends a certificate and key along with the request.

Is it a known limitation, or am I doing something wrong?

Thanks

Vaibhav


Accepted answer
    GitaraniSharma-MSFT 48,016 Reputation points Microsoft Employee
    2023-12-29T08:08:40.87+00:00

    Hello @Pujari, Vaibhav,

    I understand that you are unable to work with mTLS (mutual authentication) when using Azure Load Balancer.

    Azure Load Balancer itself doesn't directly support mutual TLS. Azure Load Balancer primarily operates at the transport layer (Layer 4) of the OSI model and is designed to distribute network traffic among multiple servers to ensure high availability and reliability of applications.

    Azure Application Gateway supports certificate-based mutual authentication.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview?tabs=powershell

    However, one thing to note here is that Azure Load Balancer is a pass-through network load balancer. Protocol handshakes always occur directly between the client and the back-end pool instance. Because the load balancer doesn't interact with the TCP payload nor does it provide TLS offload, you can build comprehensive encrypted scenarios.

    So mutual authentication should work between your client and application.

    Refer: https://learn.microsoft.com/en-us/azure/load-balancer/concepts

    The only limitation that I could find is the below:

    HTTPS probes don't support mutual authentication with a client certificate.

    Refer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#limitations

    I requested you to share more details about your setup, and you checked the health probe settings of your load balancer and found that it was using the HTTPS protocol. You changed it to the TCP protocol on port 443, and it works now.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
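To make the root cause in the accepted answer concrete, here is an added, self-contained Go example (not code from the question, the answer, or Azure). It stands up a loopback HTTPS backend that requires a client certificate, the same situation as the application on the VMSS instance, and then runs the two kinds of check a health probe can make against it: a plain TCP connect (what a TCP probe on port 443 does) and a full TLS handshake plus HTTP GET with no client certificate (what an HTTPS probe does, since the probe has no certificate to present). The CA, server and client certificates are generated in-process and are throwaway; the names `demo-ca`, `backend` and `client` are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// identity is a throwaway certificate plus its private key, constructed in-process for the demo.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	der  []byte
}

// newIdentity issues a short-lived P-256 certificate, self-signed when parent is nil.
func newIdentity(name string, isCA bool, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo backend listens on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &identity{cert: cert, key: key, der: der}
}

func (id *identity) tlsCert() *tls.Certificate {
	return &tls.Certificate{Certificate: [][]byte{id.der}, PrivateKey: id.key}
}

// startBackend starts an HTTPS listener on loopback that requires a client certificate issued by ca,
// standing in for the application on the VM. It returns the listen address and a stop function.
func startBackend(ca, srv *identity) (string, func()) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{*srv.tlsCert()},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes it mTLS
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is non-empty here because the handshake required a client certificate.
		fmt.Fprintf(w, "hello %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	go http.Serve(ln, mux)
	return ln.Addr().String(), func() { ln.Close() }
}

// tcpProbe behaves like a Load Balancer TCP health probe: it only checks that the port accepts a
// connection and never starts a TLS handshake, so the mTLS requirement does not affect it.
func tcpProbe(addr string) bool {
	c, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// httpsGet performs a full TLS handshake and HTTP GET. With clientCert == nil it behaves like an
// HTTPS health probe, which has no client certificate to present; with a certificate it is the real
// mTLS client. It returns the HTTP status code, or an error if the exchange was rejected.
func httpsGet(addr string, ca *identity, clientCert *tls.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	cfg := &tls.Config{RootCAs: pool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 3 * time.Second}
	resp, err := client.Get("https://" + addr + "/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

func main() {
	ca := newIdentity("demo-ca", true, nil)
	srv := newIdentity("backend", false, ca)
	cli := newIdentity("client", false, ca)
	addr, stop := startBackend(ca, srv)
	defer stop()
	fmt.Println("TCP probe healthy:", tcpProbe(addr))
	_, err := httpsGet(addr, ca, nil)
	fmt.Println("HTTPS probe (no client cert) error:", err)
	code, err := httpsGet(addr, ca, cli.tlsCert())
	fmt.Println("mTLS client status:", code, "error:", err)
}
```

The TCP probe reports healthy, the certificate-less HTTPS probe is rejected by the backend, and the real client with its certificate gets a 200. Mapped onto the thread: with an HTTPS probe, every instance in the backend pool is marked unhealthy, the load balancer stops forwarding new flows, and the client sees a timeout even though the data path is pass-through and would carry the mTLS handshake end to end; switching the probe to TCP on 443 removes the failing handshake. The caveat is that a TCP probe only proves the port accepts connections, so a backend whose application is wedged behind an open socket still looks healthy; if an application-level check is needed, a common pattern is a separate plain-HTTP health endpoint on another port that the probe can reach without a client certificate.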
