securing the AFD, APIM and Function App

Question

securing the AFD, APIM and Function App

Emmanuel Gaid 41

Hello,

I am currently exploring the best way to apply certificates to our infrastructure. We are using Azure Front Door, an API Management Service (APIM), and a Function App as the backend for API methods. One of the challenges I’m facing is how to implement a two-layer SSL termination: the first from the open internet to Front Door, and the second from the Front Door endpoint to the backend APIM.

I'm a bit confused about how to set up the DNS and certificates in this scenario.

Current Setup:

Example domain: api.contoso.com
DNS records:
- CNAME pointing to the Azure Front Door (AFD) endpoint.
  - TXT record pointing to the Function App.
Certificates:
- AFD custom domain certificate.
- App Service (Function App) certificate.

Architecture:

Azure Front Door → API Management (with CORS using an exclusive AFD custom domain and AFD endpoint; possibly adding a check-header policy) → Function App (restricted to only accept requests from APIM’s public IP).

Questions:

Do we still need to apply a custom certificate to the Function App, given that it is not accessible from the open internet and only communicates internally with APIM?
Given that APIM and the Function App already have valid Azure-provided HTTPS vanity URLs with certificates, is it worth creating and applying custom certificates for both APIM and the Function App?

Emmanuel Gaid 41 Reputation points

2024-10-09T11:54:15.1933333+00:00

Hey everyone, thanks for all your suggestions! I noticed the same thing, that I could use the certificate provided by Azure Websites. It seems like having a custom domain on the backend isn't a big deal, especially since everything is locked to their respective Azure services.

Just one last question: is there any chance I'll need to set this up again in the future? Also, what should I consider if I want to add another custom domain and certificate to the backend?
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-28T17:14:48.9533333+00:00

Hi @Emmanuel Gaid ,

Yes, you might need to set this up again in the future due to scaling, custom domain changes, or security compliance.

Considerations for Adding a Custom Domain:

DNS Records: Set up new DNS entries pointing to Azure resources.

Certificates: Obtain and install a new SSL certificate for the new domain.

Routing and Policies: Update AFD and APIM configurations to handle the new domain.

Security Practices: Ensure regular renewals and monitoring for the new certificate.

Testing: Test the setup before going live.

This way, you can ensure a smooth integration of new domains and certificates.

I hope that this response will address your query and helped you overcome your challenges.

If you find this answer helpful, please click "Accept Answer" and kindly upvote it.

Thankyou.
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-29T16:48:09.0666667+00:00

Hi @Emmanuel Gaid ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Thankyou.
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-30T15:44:10.53+00:00

Hi @Emmanuel Gaid ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Thankyou.
Emmanuel Gaid 41 Reputation points

2025-01-12T10:14:40.0566667+00:00

Hello, thank you for all the solutions you provided. I decided to use the default Azure website provided certificate for the backend, as this setup is only intended for Azure Front Door access. Azure Front Door will be the component exposed to the open internet. The webapp also has a firewall enabled, so technically, even though the webapp is exposed to the internet, the firewall will handle security effectively.
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2025-01-20T06:08:04.72+00:00

Hi @Emmanuel Gaid ,

Your setup is effective. By using the default Azure website-provided certificate for the backend and exposing Azure Front Door to the open internet, you leverage global load balancing and web application firewall (WAF) capabilities to protect your web application from common threats. Additionally, enabling a firewall on your webapp adds another layer of security by managing and controlling traffic, also regularly reviewing and updating your security configurations, along with enabling additional features like DDoS protection and monitoring tools, will further enhance your security posture.

https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2025-01-21T05:04:52.0266667+00:00

Hi @Emmanuel Gaid ,

I am following up to confirm if the above response was helpful. If it addressed your query, please let us know. Should you have any further questions, feel free to reach out.

Accepted answer

1 additional answer

Your answer

Emmanuel Gaid 41 Reputation points

2024-10-09T11:54:15.1933333+00:00

Hey everyone, thanks for all your suggestions! I noticed the same thing, that I could use the certificate provided by Azure Websites. It seems like having a custom domain on the backend isn't a big deal, especially since everything is locked to their respective Azure services.

Just one last question: is there any chance I'll need to set this up again in the future? Also, what should I consider if I want to add another custom domain and certificate to the backend?
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-28T17:14:48.9533333+00:00

Hi @Emmanuel Gaid ,

Yes, you might need to set this up again in the future due to scaling, custom domain changes, or security compliance.

Considerations for Adding a Custom Domain:

DNS Records: Set up new DNS entries pointing to Azure resources.

Certificates: Obtain and install a new SSL certificate for the new domain.

Routing and Policies: Update AFD and APIM configurations to handle the new domain.

Security Practices: Ensure regular renewals and monitoring for the new certificate.

Testing: Test the setup before going live.

This way, you can ensure a smooth integration of new domains and certificates.

I hope that this response will address your query and helped you overcome your challenges.

If you find this answer helpful, please click "Accept Answer" and kindly upvote it.

Thankyou.
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-29T16:48:09.0666667+00:00

Hi @Emmanuel Gaid ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Thankyou.
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-30T15:44:10.53+00:00

Hi @Emmanuel Gaid ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Thankyou.
Emmanuel Gaid 41 Reputation points

2025-01-12T10:14:40.0566667+00:00

Hello, thank you for all the solutions you provided. I decided to use the default Azure website provided certificate for the backend, as this setup is only intended for Azure Front Door access. Azure Front Door will be the component exposed to the open internet. The webapp also has a firewall enabled, so technically, even though the webapp is exposed to the internet, the firewall will handle security effectively.
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2025-01-20T06:08:04.72+00:00

Hi @Emmanuel Gaid ,

Your setup is effective. By using the default Azure website-provided certificate for the backend and exposing Azure Front Door to the open internet, you leverage global load balancing and web application firewall (WAF) capabilities to protect your web application from common threats. Additionally, enabling a firewall on your webapp adds another layer of security by managing and controlling traffic, also regularly reviewing and updating your security configurations, along with enabling additional features like DDoS protection and monitoring tools, will further enhance your security posture.

https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2025-01-21T05:04:52.0266667+00:00

Hi @Emmanuel Gaid ,

I am following up to confirm if the above response was helpful. If it addressed your query, please let us know. Should you have any further questions, feel free to reach out.

Answer 1

Sam Cogan 10,812 Microsoft Employee Volunteer Moderator

In this setup, the only certificate your users will see is the one on Front Door, so there is little benefit to providing custom certificates for APIM and Functions, and you then have the downside of having to renew and manage the certs.

In your scenario, I would only use a custom certificate for Front Door, and even then, I would recommend using the managed certificate to have MS look after it for you. For APIM and Functions, I would use the built-in cert.

Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator

2024-10-08T15:19:37.4666667+00:00

Hi @Emmanuel Gaid ,

Could you please confirm if the issue has been resolved with the solution mentioned above by @Sam Cogan , or if you need any further assistance?

Feel free to reach out if you need additional help.

Thankyou.

Answer 2

Hello @Emmanuel Gaid In order to implement a two-layer SSL termination, you will need to configure SSL/TLS settings for both Azure Front Door and API Management.

Regarding your questions:

If the Function App is only accessible internally through APIM, you may not need to apply a custom certificate to the Function App. However, if you want to ensure end-to-end encryption between the client and the Function App, you can still apply a custom certificate to the Function App.
If APIM and the Function App already have valid Azure-provided HTTPS vanity URLs with certificates, you may not need to create and apply custom certificates for both APIM and the Function App. However, if you want to use custom domain names for APIM and the Function App, you will need to create and apply custom certificates for both. In your current setup, you have already applied a custom certificate to Azure Front Door. To apply a custom certificate to API Management, you can follow the steps outlined in the Azure API Management documentation here.
To apply a custom certificate to the Function App, you can follow the steps outlined in the Azure App Service documentation here.

I hope this helps.

Share via

securing the AFD, APIM and Function App

1 additional answer

Your answer