Can the Azure Front Door and App Gateway pass through a client certificate so it can be recognised by APIM?

gaur 211 Reputation points
2022-01-19T17:56:39.52+00:00

Can the Azure Front Door and App Gateway support a client certificate so it can be recognized by APIM? We want to require client certs to select APIs on APIM, but we want to ensure they are not stripped by Front Door or AGW, which both sit in front of APIM.

Can you please let us know the process and if additional settings need to be in place?

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

1 answer

  1. ChaitanyaNaykodi-MSFT 22,776 Reputation points Microsoft Employee
    2022-01-24T08:13:22.717+00:00

    Hello @gaur, thank you for reaching out to us, and apologies for the delayed response here.

    Client certificate passthrough is not supported by Azure Front Door and Application Gateway, as they both need to decrypt the traffic in order to apply the routing rules and rewrite rules set. Although end-to-end TLS is supported by both of them, in that case as well the data is decrypted first and then encrypted again using the certificate uploaded at Azure FD/App Gateway. For more information, please go through the end-to-end TLS documentation for App Gateway and Azure Front Door.

    Azure Application Gateway does have an MTLS feature in preview (currently not recommended for prod scenarios) where you can use server variables to pass information about the client certificate to the backend servers behind the Application Gateway. Since your Application Gateway is integrated with APIM, I am not sure how viable this solution will be in your scenario, as you will need to do some modifications in APIM to recognize the client certificate information. Currently, MTLS is not supported on Azure Front Door. Meanwhile, please feel free to upvote this feature request for SSL passthrough for Azure Front Door.

    Hope this helps. Please let me know if you have any additional questions. Thank you!

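An added example, not part of the answer above and not Microsoft's code: a sketch of how a backend behind a TLS-terminating gateway could validate client-certificate information forwarded in request headers, which is the pattern the answer describes for Application Gateway server variables. The header names, the gateway subnet, the `SUCCESS` status string and the URL-encoded PEM format are assumptions for illustration; the sample certificate bytes are constructed and are not a real certificate.

```python
import base64, hashlib, hmac, ipaddress, re
from urllib.parse import quote, unquote

# Every name and value below is an assumption for illustration, not from the page.
GATEWAY_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # hypothetical gateway subnet
CERT_HEADER = "X-Client-Cert"            # hypothetical header filled by a rewrite rule
VERIFY_HEADER = "X-Client-Cert-Verify"   # hypothetical header with the gateway's verdict

def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM block, as lowercase hex."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def authorize(peer_ip: str, headers: dict, allowed_fingerprints: set) -> tuple:
    """Return (True, fingerprint) or (False, reason) for one forwarded request."""
    # 1. Forwarded headers mean nothing unless the TLS-terminating gateway set them;
    #    a direct caller could send the same header names itself.
    if ipaddress.ip_address(peer_ip) not in GATEWAY_SUBNET:
        return False, "request did not come from the gateway"
    # 2. The TLS handshake ended at the gateway, so only it can vouch for the chain.
    if headers.get(VERIFY_HEADER) != "SUCCESS":
        return False, "gateway did not verify a client certificate"
    # 3. Recompute the fingerprint from the certificate itself.
    try:
        fp = pem_fingerprint(unquote(headers.get(CERT_HEADER, "")))
    except ValueError:
        return False, "malformed certificate header"
    if any(hmac.compare_digest(fp, known) for known in allowed_fingerprints):
        return True, fp
    return False, "certificate not on the allow-list"

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    allowed = {pem_fingerprint(SAMPLE_PEM)}
    forwarded = {CERT_HEADER: quote(SAMPLE_PEM), VERIFY_HEADER: "SUCCESS"}
    print(authorize("10.0.1.7", forwarded, allowed))     # accepted
    print(authorize("203.0.113.9", forwarded, allowed))  # rejected: not the gateway
```

The same checks only hold if the gateway overwrites any client-supplied copy of these headers and the backend is not reachable except through the gateway.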