0 Votes
EvanJ-1116 asked EvanJ-1116 commented

Azure Application Gateway SSL Limits

Hello,

I am developing a SaaS application and I would like to support custom domains on the said application. For example, the app will live on app.example.com and customers will have their own domains on customerxyz.example.com that route back to app.example.com. I am going to start out the application small with Azure Application Gateway and a couple of App Service instances. I would like to allow customers to have their own custom domain, for example support.customer1.com, which would CNAME to customer1.example.com -> to app.example.com. All of which is fine until SSL comes into play. I understand that Application Gateway can support 100 SSL certs and that limit can be raised, but that does not really solve the problem of renewing certs and such.

I am aware of SNI certificates; my question is, can Application Gateway be used as a reverse proxy to an App Service that can serve the proper cert based on the host name of the incoming call? I understand that nginx could do something like this. Is this plan feasible? The application is still in development and can pivot if I am going down the wrong path.

I also know that Cloudflare has a hosted option for this, which allows the certificates to be deployed out to their CDN. Can Azure Application Gateway perform a similar task where I host the public portion of the certificate in a storage account and have the gateway look for the cert in the CDN with a rule? I understand that CDNs are global and Application Gateway is regional. If Application Gateway is the wrong product to use here I would appreciate any advice on which products to go for, Front Door, etc.

Thanks!


azure-application-gateway

Hello @EvanJ-1116, Thank you for reaching out. Azure Application Gateway v2 SKU integrated with a Key Vault supports the automatic renewal of certificates that are stored in your Key Vault. Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your Key Vault. An example of a secret URI without a version is https://myvault.vault.azure.net/secrets/mysecret/. Please go through this documentation for additional details.

"can application gateway be used as a reverse proxy?"

Can you please elaborate more on this scenario? If this requires you to have end-to-end TLS encryption for your Application Gateway, then it might help if you go through this documentation and the SNI scenarios.


0 Votes
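The versionless secret identifier described in the reply above is the detail that makes rotation work; the following Azure PowerShell script is an added example (not code from the thread or from Microsoft's documentation) showing the full wiring and a check for the pinned-version mistake. Resource names (resource group rg-saas, gateway agw-saas, vault myvault, identity agw-identity, secret mysecret, certificate name customer1-cert) and the 32-hex version in the sample URI are placeholders; the cmdlet names are the Az.Network and Az.KeyVault ones I know of, and Set-AzApplicationGatewayIdentity's parameter shape is assumed.

```powershell
# Added example, not from the original thread: reference a Key Vault certificate
# from an Application Gateway v2 by a versionless secret id so the gateway
# picks up renewals itself. All names below are assumed placeholders.

function Get-VersionlessSecretId {
    param([Parameter(Mandatory)][string]$SecretId)
    # Key Vault secret URIs look like
    #   https://<vault>.vault.azure.net/secrets/<name>/<32-hex-version>
    # A trailing version pins the gateway to that one version and defeats
    # rotation, so strip it and return the trailing-slash form from the docs.
    $trimmed = $SecretId.TrimEnd('/')
    if ($trimmed -match '^(?<base>https://[^/]+/secrets/[^/]+)/[0-9a-fA-F]{32}$') {
        return "$($Matches.base)/"
    }
    if ($trimmed -match '^https://[^/]+/secrets/[^/]+$') {
        return "$trimmed/"
    }
    throw "Not a Key Vault secret identifier: $SecretId"
}

function Test-PinnedSecretId {
    param([Parameter(Mandatory)][string]$SecretId)
    # True when the id still carries an explicit version segment.
    return [bool]($SecretId -match '/[0-9a-fA-F]{32}/?$')
}

$rg     = 'rg-saas'        # assumed
$gwName = 'agw-saas'       # assumed
$vault  = 'myvault'        # assumed

# 1. Give the gateway an identity that may read secrets (not keys or certs)
#    from the vault; least privilege is 'get' on secrets only.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'agw-identity'
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId -PermissionsToSecrets get

$appgw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName
$appgw = Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $identity.Id

# 2. Build the versionless reference. A freshly read secret always carries a
#    version, so normalise it before handing it to the gateway.
$secret   = Get-AzKeyVaultSecret -VaultName $vault -Name 'mysecret'
$secretId = Get-VersionlessSecretId $secret.Id
# e.g. https://myvault.vault.azure.net/secrets/mysecret/

$appgw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
            -Name 'customer1-cert' -KeyVaultSecretId $secretId

# 3. Commit. The per-gateway certificate limit discussed in the thread still
#    applies; Key Vault only removes the renewal chore, not the cap.
$appgw = Set-AzApplicationGateway -ApplicationGateway $appgw

# 4. Check: list every listener certificate and flag any that is pinned to a
#    version, since those will silently stop following renewals.
foreach ($c in $appgw.SslCertificates) {
    if ($c.KeyVaultSecretId) {
        $state = if (Test-PinnedSecretId $c.KeyVaultSecretId) { 'PINNED (will not rotate)' } else { 'versionless' }
        '{0}: {1} [{2}]' -f $c.Name, $c.KeyVaultSecretId, $state
    } else {
        '{0}: uploaded PFX, not Key Vault backed' -f $c.Name
    }
}
```

Get-VersionlessSecretId and Test-PinnedSecretId are pure string helpers and can be run on their own against any secret URI before touching the gateway; the rest of the script needs an authenticated Az session and an existing v2 gateway.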
EvanJ-1116 (replying to ChaitanyaNaykodiMSFT-9638)

Hello @ChaitanyaNaykodiMSFT-9638, My question is about the limits that Application Gateway has on SSL certificates. Let's say I had 3000 customers using a platform with an App Gateway limit of 100 SSL certificates; let's even say they're SAN certificates, which would allow me to have 1000 customer certificates per gateway. This solution would not scale very well if I hit 4 or 5 thousand customers using their own domain.

Does Azure have a better way of terminating a high number of certificates at the edge?

My question about a reverse proxy was: is it possible to reverse proxy into my application, which would know where SSL certificates are stored and could serve them as part of the handshake?

0 Votes

Hello @EvanJ-1116, apologies for the delay here. I have reached out to the team internally regarding this issue and will share an update as soon as I have a response. Thank you!

0 Votes

1 Answer

0 Votes
nicolalacquaniti-1781 answered EvanJ-1116 commented

I got the same issue.
I am migrating a stand-alone multi-server web application of our own to Azure, but our authentication system has historically been mutual authentication, and each of our customers has their own certificate, not owned by us.
We have 1456 users, each with their own dongle certificate.
I set up all the stuff: the application gateway, the backend servers, the DNS and so on.
Now I import the certificates, and boom! the bad news:

Set-AzApplicationGateway : The number of Trusted Client certificates exceeds the maximum allowed value. The number of Trusted Client certificates is 542 and the maximum allowed
is 100.
At C:\certificaticompleti\importecert.ps1:23 char:1
+ Set-AzApplicationGateway -ApplicationGateway $appgw ;
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzApplicationGateway], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.SetAzureApplicationGatewayCommand


Is it possible that the full Azure Application Gateway system is designed for a maximum of 100 users? Who can use it? Nobody with a significant customer base, I think.
I'm sure I'm missing something here: I can't believe I have to spend 3K a month for 100 users!
Can somebody give me a hint on how to have a load balancer in front of a multi-server backend with more than 100 users?
Thank you in advance for your help!


@nicolalacquaniti-1781, yesterday MS announced Yet Another Reverse Proxy (YARP) is now GA. I'm not sure how much dotnet your developers know, but they might want to check it out and put it in front of the app gateway, so it would go: YARP at the edge (HTTPS), which could handle all SSL termination (I am going to try to use Let's Encrypt for certs so I don't have to hound my customers for certs) -> Application Gateway (HTTP) -> VM or whatever (HTTP).


0 Votes