securing the AFD, APIM and Function App

Emmanuel Gaid 41 Reputation points
2024-10-05T07:00:34.56+00:00

Hello,

I am currently exploring the best way to apply certificates to our infrastructure. We are using Azure Front Door, an API Management Service (APIM), and a Function App as the backend for API methods. One of the challenges I’m facing is how to implement a two-layer SSL termination: the first from the open internet to Front Door, and the second from the Front Door endpoint to the backend APIM.

I'm a bit confused about how to set up the DNS and certificates in this scenario.

Current Setup:

  • Example domain: api.contoso.com
  • DNS records:
    • CNAME pointing to the Azure Front Door (AFD) endpoint.
    • TXT record pointing to the Function App.
  • Certificates:
    • AFD custom domain certificate.
    • App Service (Function App) certificate.

Architecture:

Azure Front Door → API Management (with CORS using an exclusive AFD custom domain and AFD endpoint; possibly adding a check-header policy) → Function App (restricted to only accept requests from APIM’s public IP).

Questions:

  1. Do we still need to apply a custom certificate to the Function App, given that it is not accessible from the open internet and only communicates internally with APIM?
  2. Given that APIM and the Function App already have valid Azure-provided HTTPS vanity URLs with certificates, is it worth creating and applying custom certificates for both APIM and the Function App?

Accepted answer
  1. Sam Cogan 10,747 Reputation points MVP
    2024-10-07T10:42:26.0266667+00:00

    In this setup, the only certificate your users will see is the one on Front Door, so there is little benefit to providing custom certificates for APIM and Functions, and you then have the downside of having to renew and manage the certs.

    In your scenario, I would only use a custom certificate for Front Door, and even then, I would recommend using the managed certificate to have MS look after it for you. For APIM and Functions, I would use the built-in cert.

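The accepted answer's certificate choice (a managed certificate on Front Door, built-in certificates on APIM and the Function App) and the question's architecture (Front Door → APIM with a check-header policy → Function App restricted to APIM's public IP) can be expressed in one deployment. The Bicep below is an added example written for this thread; it is not code from the thread, from Microsoft's documentation or from any of the posters. It assumes the Front Door Standard/Premium profile, the APIM instance and the Function App already exist, and all names, the Front Door ID and the APIM public IP are parameters you supply at deploy time.

```bicep
// Added example: the three hops from the question with the certificate
// choice from the accepted answer. Existing resources are referenced by
// name; every value below is a deploy-time parameter, not a real identifier.
param afdProfileName string
param apimName string
param functionAppName string
param customHostName string = 'api.contoso.com'
@description('Front Door ID (GUID) from the profile overview; APIM rejects requests without it')
param frontDoorId string
@description('Public IP of the APIM instance; the only source the Function App accepts')
param apimPublicIp string

resource afdProfile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: afdProfileName
}

// Hop 1: internet -> Front Door. This is the only certificate end users see,
// so it is the only one that needs the custom domain. ManagedCertificate
// means Azure issues and renews it; nothing to rotate by hand.
resource afdCustomDomain 'Microsoft.Cdn/profiles/customDomains@2023-05-01' = {
  parent: afdProfile
  name: replace(customHostName, '.', '-')
  properties: {
    hostName: customHostName
    tlsSettings: {
      certificateType: 'ManagedCertificate'
      minimumTlsVersion: 'TLS12'
    }
  }
}

// Hop 2: Front Door -> APIM over HTTPS against APIM's built-in
// *.azure-api.net certificate. enforceCertificateNameCheck makes Front Door
// verify that the origin certificate matches the host it connects to.
resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: afdProfile
  name: 'apim-origins'
  properties: {
    loadBalancingSettings: {
      sampleSize: 4
      successfulSamplesRequired: 3
    }
    healthProbeSettings: {
      probePath: '/status-0123456789abcdef' // APIM built-in status endpoint
      probeRequestType: 'GET'
      probeProtocol: 'Https'
      probeIntervalInSeconds: 60
    }
  }
}

resource apimOrigin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'apim'
  properties: {
    hostName: '${apimName}.azure-api.net'
    originHostHeader: '${apimName}.azure-api.net'
    httpPort: 80
    httpsPort: 443
    enforceCertificateNameCheck: true
    enabledState: 'Enabled'
  }
}

resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' existing = {
  name: apimName
}

// Global APIM policy: only admit requests that carry this profile's
// Front Door ID. A caller that reaches *.azure-api.net directly does not
// know the ID, so the built-in hostname is not a usable bypass.
// (Multi-line strings are not interpolated in Bicep, hence format().)
resource apimGlobalPolicy 'Microsoft.ApiManagement/service/policies@2023-05-01-preview' = {
  parent: apim
  name: 'policy'
  properties: {
    format: 'xml'
    value: format('''
<policies>
  <inbound>
    <check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="Forbidden" ignore-case="true">
      <value>{0}</value>
    </check-header>
  </inbound>
  <backend><forward-request /></backend>
  <outbound />
  <on-error />
</policies>
''', frontDoorId)
  }
}

resource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: functionAppName
}

// Hop 3: APIM -> Function App over the built-in *.azurewebsites.net
// certificate. Network access is limited to the APIM public IP; the
// explicit Deny rule at the lowest priority closes everything else.
resource functionAppAccess 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: functionApp
  name: 'web'
  properties: {
    minTlsVersion: '1.2'
    ipSecurityRestrictions: [
      { name: 'AllowApim', ipAddress: '${apimPublicIp}/32', action: 'Allow', priority: 100 }
      { name: 'DenyAll', ipAddress: 'Any', action: 'Deny', priority: 2147483647 }
    ]
  }
}
```

The DNS side stays as the question describes it: the CNAME for api.contoso.com points at the Front Door endpoint, and the domain validation TXT record is what lets Front Door issue the managed certificate. Neither APIM nor the Function App needs a custom hostname for this to work, which is exactly why no custom certificate is required on them.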

2 additional answers

Sort by: Most helpful
  1. Pinaki Ghatak 4,610 Reputation points Microsoft Employee
    2024-10-08T19:18:18.7566667+00:00

    Hello @Emmanuel Gaid, in order to implement a two-layer SSL termination, you will need to configure SSL/TLS settings for both Azure Front Door and API Management.

    Regarding your questions:

    1. If the Function App is only accessible internally through APIM, you may not need to apply a custom certificate to the Function App. However, if you want to ensure end-to-end encryption between the client and the Function App, you can still apply a custom certificate to the Function App.
    2. If APIM and the Function App already have valid Azure-provided HTTPS vanity URLs with certificates, you may not need to create and apply custom certificates for both APIM and the Function App. However, if you want to use custom domain names for APIM and the Function App, you will need to create and apply custom certificates for both. In your current setup, you have already applied a custom certificate to Azure Front Door. To apply a custom certificate to API Management, you can follow the steps outlined in the Azure API Management documentation here.
    3. To apply a custom certificate to the Function App, you can follow the steps outlined in the Azure App Service documentation here.

    I hope this helps.


  2. Emmanuel Gaid 41 Reputation points
    2024-10-09T11:54:15.1933333+00:00

    Hey everyone, thanks for all your suggestions! I noticed the same thing, that I could use the certificate provided by Azure Websites. It seems like having a custom domain on the backend isn't a big deal, especially since everything is locked to their respective Azure services.

    Just one last question: is there any chance I'll need to set this up again in the future? Also, what should I consider if I want to add another custom domain and certificate to the backend?
