SSL Certificate with Azure Web App behind Private Endpoint

GarudaLead-8570 41 Reputation points
2022-09-05T00:17:28.537+00:00

I've created an Azure Web App that sits behind an Application as well as a private endpoint. The idea being that to access the app, you must go through the Application Gateway and cannot access it through the webapp.azurewebsites.net url. The tutorial I followed was here: Securing-Azure-Web-Apps-using-Application-Gateways-and-vNets

The diagram of how it all looks is this:

237666-privateendpoint.png

Everything works as expected. The site cannot be accessed through azurewebsites.net and can only be accessed through the public IP of the Application gateway.

The problem is when trying to add an SSL certificate. If I add an SSL certificate to the WebApp I must verify the domain by adding a CNAME record to point to the azurewebsites.net domain with the IP of the WebApp. If I do that it allows public access back to the WebApp through Azurewebsites.net.

How do I add an SSL for my WebApp without losing the security of a private endpoint?

Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
438 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,535 questions
0 comments No comments
{count} votes

Accepted answer
  1. ajkuma 20,861 Reputation points Microsoft Employee
    2022-09-06T19:59:17.257+00:00

    GarudaLead, we noticed that you mentioned, you used the SSL cert associated with the azurewebsites.net domain for this setup. (to benefit the community posted the answer here). Much appreciate the follow-up.

    Additionally,

    • IP-Based SSL isn't supported with Private Endpoints. private-endpoint#limitations.
    • all https://sitename.azurewebsites.net | sites use the same SSL certificate, which is controlled directly by Azure.

    If you have further questions, please let us know.

    --
    To benefit the community find the right answers, please do mark the post which was helpful by clicking on ‘[Accept Answer’][A] & ‘Up-Vote’.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Rafael da Rocha 5,071 Reputation points
    2022-09-05T07:17:30.34+00:00

    After validating domain ownership you should be able to remove the DNS records, or use the web app service networking rules to disable access except via the private endpoint.
    To note: purely from a performance standpoint, TLS termination at the Application Gateway is preferred over end-to-end TLS.
    Here's some documentation about this scenarios: Overview of TLS termination and end to end TLS with Application Gateway

    ----------

    If any reply helped solve your question, please remember to upvote and/or "Accept Answer".
    It helps others facing similar issues find the solution.

    0 comments No comments