Deploy AKS and API Management with mTLS


This article describes a solution idea. Your cloud architect can use this guidance to help visualize the major components for a typical implementation of this architecture. Use this article as a starting point to design a well-architected solution that aligns with your workload's specific requirements.

This solution demonstrates how to integrate Azure Kubernetes Service (AKS) and Azure API Management via mutual TLS (mTLS) in an architecture that provides end-to-end encryption.

Architecture

Diagram that shows an architecture for integrating AKS and API Management via mTLS.


Dataflow

  1. A user makes a request to the application endpoint from the internet.
  2. Azure Application Gateway terminates the HTTPS connection on its listener and presents its server certificate (a PFX previously loaded from Azure Key Vault) to the user.
  3. Application Gateway decrypts the traffic by using the listener certificate's private key (TLS offload), runs web application firewall inspection on the plaintext request, and then opens a new TLS session to the backend so that the traffic is encrypted again on the wire (end-to-end TLS).
  4. Application Gateway applies its routing rules and backend settings for the backend pool and forwards the traffic to the API Management backend pool over HTTPS. The backend setting must trust the certificate that API Management presents: either a certificate from a well-known CA or, for a private CA, the root certificate uploaded to the backend setting.
  5. API Management is deployed in internal virtual network mode (Developer or Premium tier only) and is reachable only on a private IP address. It terminates HTTPS by using the PFX certificate that's configured for its custom domain.
  6. Microsoft Entra ID is the identity provider. API Management enforces authentication through policies: for example, validate-jwt checks the OAuth 2.0 bearer token that Microsoft Entra ID issued, and validate-client-certificate checks a client certificate presented by the caller. To receive and verify client certificates over HTTP/2 in API Management, you need to enable Negotiate client certificate on the Custom domains blade in API Management.
  7. API Management forwards the request over HTTPS to the ingress controller of a private AKS cluster and presents its own client certificate to the ingress (for example, through the authentication-certificate policy). That certificate is the client half of the mTLS exchange between API Management and AKS.
  8. The AKS ingress controller terminates the HTTPS connection with its own server certificate (a PEM certificate and private key) and verifies the client certificate that API Management presents against the CA it trusts. Most enterprise-grade ingress controllers support mTLS. Examples include NGINX and Application Gateway Ingress Controller (AGIC).
  9. The ingress controller loads its TLS material from a Kubernetes Secret of type kubernetes.io/tls (cert.pem and key.pem, stored as tls.crt and tls.key) and decrypts the traffic by using the private key (TLS offload). If the certificate must not be stored in the cluster's own secret store, the Secrets Store CSI driver integration with AKS can mount it from Key Vault instead.
  10. The ingress controller opens a new TLS session to the AKS pods and forwards the request over HTTPS, so traffic is re-encrypted inside the cluster. Depending on your requirements, you can configure the AKS ingress with an HTTPS backend (the ingress terminates and re-encrypts) or with TLS passthrough (the pod terminates the TLS session from API Management directly).
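The following manifests are an added example of steps 7 through 10 on the AKS side, written for the ingress-nginx controller; they are not part of the Microsoft article. They pull the ingress server certificate from Key Vault through the Secrets Store CSI driver, require and verify the client certificate that API Management presents, and re-encrypt to the pod while verifying the pod's certificate. The namespace, secret names, host names, service name, Key Vault name, and identity and tenant IDs are assumptions chosen for the example.

```yaml
# Added example (not from the article): mTLS between API Management and an
# ingress-nginx controller on AKS. Names, hosts and IDs are placeholders.
---
# Step 9: server certificate for the ingress, mounted from Key Vault by the
# Secrets Store CSI driver and synced into a kubernetes.io/tls Secret. The
# sync happens only while a pod (the ingress controller) mounts the volume.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ingress-tls
  namespace: api
spec:
  provider: azure
  secretObjects:
  - secretName: ingress-tls           # referenced by the Ingress below
    type: kubernetes.io/tls
    data:
    - objectName: ingress-cert
      key: tls.key
    - objectName: ingress-cert
      key: tls.crt
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "00000000-0000-0000-0000-000000000000"  # placeholder
    keyvaultName: contoso-kv                                        # placeholder
    tenantId: "00000000-0000-0000-0000-000000000000"               # placeholder
    objects: |
      array:
        - |
          objectName: ingress-cert    # Key Vault certificate; objectType secret
          objectType: secret          # yields the PEM key + cert in one object
---
# Step 8: CA that issued API Management's client certificate. ingress-nginx
# reads it from the ca.crt key. Only this CA's chain is accepted.
apiVersion: v1
kind: Secret
metadata:
  name: apim-client-ca
  namespace: api
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    (placeholder: PEM of the private CA that signed the API Management client cert)
    -----END CERTIFICATE-----
---
# Steps 7, 8 and 10: the Ingress that enforces the client certificate and
# re-encrypts to the pod. The same annotations work for any host/path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api
  namespace: api
  annotations:
    # Require a client certificate and reject the request (HTTP 400) when it is
    # missing or does not chain to the CA in apim-client-ca. "optional" would
    # let unauthenticated callers through, which defeats mTLS here.
    nginx.ingress.kubernetes.io/auth-tls-secret: "api/apim-client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Hand the verified certificate to the pod (ssl-client-cert header) so the
    # workload can make its own authorization decision on the subject.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    # Step 10, HTTPS-backend variant: open a new TLS session to the pod and
    # verify the pod certificate against the cluster-internal CA instead of
    # trusting it blindly. The internal-ca Secret also uses the ca.crt key.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "api/internal-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "orders.api.svc.cluster.local"
    # Passthrough variant instead of the four annotations above:
    #   nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # (requires the controller to run with --enable-ssl-passthrough; the pod
    # then terminates TLS itself and the auth-tls-* annotations no longer apply).
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.internal.contoso.com        # private DNS name API Management calls
    secretName: ingress-tls           # synced by the SecretProviderClass above
  rules:
  - host: api.internal.contoso.com
    http:
      paths:
      - path: /orders
        pathType: Prefix
        backend:
          service:
            name: orders
            port:
              number: 8443
```

On the API Management side, the backend for this API points at https://api.internal.contoso.com (resolved through Azure Private DNS), the client certificate whose issuer is in apim-client-ca is attached to the backend (for example, with the authentication-certificate policy), and the CA that issued the ingress certificate is uploaded to API Management so that it can validate the server certificate on the outbound leg. If the ingress were configured with auth-tls-verify-client set to "optional" or omitted, a caller that reached the ingress without going through API Management would not be challenged for a certificate at all, so verify that the setting is "on" whenever the mTLS requirement is the control you rely on.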

Components

  • Application Gateway. Application Gateway is a web traffic load balancer that you can use to manage traffic to web applications.
  • AKS. AKS provides fully managed Kubernetes clusters for deployment, scaling, and management of containerized applications.
  • Azure Container Registry. Container Registry is a managed, private Docker registry service on Azure. You can use Container Registry to store private Docker images, which are deployed to the cluster.
  • Microsoft Entra ID. When AKS is integrated with Microsoft Entra ID, you can use Microsoft Entra users, groups, or service principals as subjects in Kubernetes RBAC to manage AKS resources.
    • Managed identities. Microsoft Entra managed identities eliminate the need to manage credentials like certificates, secrets, and keys.
  • Azure SQL Database. SQL Database is a fully managed and intelligent relational database service that's built for the cloud. You can use SQL Database to create a high-availability, high-performance data storage layer for your modern cloud applications.
  • Azure Cosmos DB. Azure Cosmos DB is a fully managed NoSQL database service for building and modernizing scalable, high-performance applications.
  • API Management. You can use API Management to publish APIs to your developers, partners, and employees.
  • Azure Private Link. Private Link gives you private access to PaaS services that are hosted on Azure, so traffic to those services stays on the Microsoft backbone network instead of the public internet.
  • Key Vault. Key Vault can provide enhanced security for keys and other secrets.
  • Defender for Cloud. Defender for Cloud is a solution for cloud security posture management and cloud workload protection. It finds weak spots across your cloud configuration, helps strengthen the security of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats.
  • Azure Monitor. You can use Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments. Monitor helps you maximize the performance and availability of your applications and proactively identify problems.
    • Log Analytics. You can use Log Analytics to edit and run log queries with data in Azure Monitor logs.
    • Application Insights. Application Insights is an extension of Azure Monitor. It provides application performance monitoring.
  • Microsoft Sentinel. Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help you analyze large volumes of data.
  • Azure Bastion. Azure Bastion is a fully managed service that provides RDP and SSH access to VMs without any exposure through public IP addresses. You can provision the service directly in your local or peered virtual network to get support for all VMs in that network.
  • Azure Private DNS. You can use Private DNS to manage and resolve domain names in a virtual network without adding a custom DNS solution.

Scenario details

You can use this solution to integrate AKS and API Management via mTLS in an architecture that provides end-to-end encryption.

Potential use cases

  • AKS integration with API Management and Application Gateway, via mTLS.
  • End-to-end mTLS between API Management and AKS.
  • High-security deployments for organizations that need end-to-end TLS. For example, organizations in the financial sector can benefit from this solution.

You can use this approach to manage the following scenarios:

  • Deploy API Management in internal mode and expose APIs by using Application Gateway.
  • Configure mTLS and end-to-end encryption so that every hop carries traffic over HTTPS.
  • Connect to Azure PaaS services over private endpoints rather than public endpoints.
  • Implement Defender for Containers security.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

Other contributors:


Next steps