TLS termination with Azure Key Vault certificates (2023)

Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and TLS/SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the Application Gateway v2 SKU.

Application Gateway offers two models for TLS termination:

  • Provide TLS/SSL certificates attached to the listener. This model is the traditional way of passing TLS/SSL certificates to Application Gateway for TLS termination.
  • Provide a reference to an existing Key Vault certificate or secret when you create an HTTPS-enabled listener.

Application Gateway integration with Key Vault offers many benefits, including:

  • Stronger security, because TLS/SSL certificates aren't directly handled by the application development team. Integration allows a separate security team to:
    • Set up application gateways.
    • Control application gateway lifecycles.
    • Grant permissions to selected application gateways to access certificates that are stored in your key vault.
  • Support for importing existing certificates into your key vault. Or use Key Vault APIs to create and manage new certificates with any of the trusted Key Vault partners.
  • Support for automatic renewal of certificates that are stored in your key vault.

Supported certificates

Currently, Application Gateway supports only software-validated certificates. Hardware security module (HSM)-validated certificates aren't supported.

After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install it locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if one exists. If an updated certificate is found, the TLS/SSL certificate that's currently associated with the HTTPS listener is automatically rotated.


Any change to the application gateway forces a check against Key Vault to see whether new versions of certificates are available. This includes, but isn't limited to, changes to frontend IP configurations, listeners, rules, backend pools, resource tags, and more. If an updated certificate is found, the new certificate is presented immediately.

Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway automatically rotates the certificate whenever a newer version is available in your key vault. An example of a secret URI without a version appears in the PowerShell steps provided in the section below.

The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources such as PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).

References to key vaults in other Azure subscriptions are supported, but must be configured via ARM template, Azure PowerShell, CLI, Bicep, and so on. Cross-subscription key vault configuration isn't supported by Application Gateway via the Azure portal today.
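The following script is an added example, not part of the original article, that audits an existing application gateway's Key Vault references against the recommendation above. It flags references that pin a specific secret version (which silently prevents automatic rotation), confirms the secret still resolves in the vault with the identity of the signed-in caller, and reports whether the latest version is enabled. The gateway, resource group, and vault names are assumptions.

```powershell
# Added example (not from the original article): audit an Application Gateway's
# Key Vault certificate references for rotation problems. Names are assumptions.
$gatewayName   = "myapplicationgateway"
$resourceGroup = "myresourcegroup"

$appgw = Get-AzApplicationGateway -Name $gatewayName -ResourceGroupName $resourceGroup

foreach ($cert in $appgw.SslCertificates) {
    if (-not $cert.KeyVaultSecretId) {
        Write-Output "$($cert.Name): uploaded PFX, not a Key Vault reference (no automatic rotation)"
        continue
    }

    # Secret identifier shape: https://<vault>.vault.azure.net/secrets/<name>[/<version>]
    $uri      = [System.Uri]$cert.KeyVaultSecretId
    $segments = $uri.AbsolutePath.Trim('/') -split '/'
    $vault    = $uri.Host.Split('.')[0]
    $name     = $segments[1]
    $pinned   = ($segments.Count -ge 3) -and ($segments[2] -ne '')

    if ($pinned) {
        Write-Warning "$($cert.Name): reference pins version $($segments[2]); the gateway will never pick up a renewed certificate"
    }

    # Latest version currently in the vault (the caller needs Get on secrets, like the gateway identity)
    $latest = Get-AzKeyVaultSecret -VaultName $vault -Name $name
    if ($null -eq $latest) {
        Write-Warning "$($cert.Name): secret '$name' not found in vault '$vault' (or caller lacks access); a gateway that cannot read it disables the listener"
        continue
    }
    if (-not $latest.Enabled) {
        Write-Warning "$($cert.Name): latest version of '$name' is disabled in Key Vault; the gateway cannot use it"
    }

    Write-Output ("{0}: vault={1} secret={2} pinnedVersion={3} latestVersion={4} expires={5}" -f
        $cert.Name, $vault, $name, $pinned, $latest.Version, $latest.Expires)
}
```

Run it with an Az PowerShell session signed in to the gateway's subscription; a warning about a pinned version means the reference should be rebuilt without the version segment, exactly as the PowerShell steps later in this article do.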


Certificate settings in Key Vault

For TLS termination, Application Gateway supports only certificates in Personal Information Exchange (PFX) format. You can either import an existing certificate or create a new one in your key vault. To avoid failures, make sure that the certificate's status is set to Enabled in Key Vault.

How integration works

Application Gateway integration with Key Vault is a three-step configuration process:

[Figure: the three-step Key Vault integration process]

Note

Azure Application Gateway integration with Key Vault supports both the Vault access policy and the Azure role-based access control permission models.

Obtain a user-assigned managed identity

Application Gateway uses a managed identity to retrieve certificates from Key Vault on your behalf.

You can either create a new user-assigned managed identity or reuse an existing one with the integration. To create a new user-assigned managed identity, see Create a user-assigned managed identity using the Azure portal.

Delegate the user-assigned managed identity to Key Vault

Define access policies to use the user-assigned managed identity with your key vault:

  1. In the Azure portal, go to Key Vault.

  2. Select the key vault that contains your certificate.

  3. If you're using the Vault access policy permission model: select Access policies, select + Add Access Policy, select Get for Secret permissions, and choose your user-assigned managed identity for Select principal. Then select Save.

    If you're using Azure role-based access control, follow the article Assign a managed identity access to a resource and assign the user-assigned managed identity the Key Vault Secrets User role on the Azure key vault.

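The same two steps (obtain the identity, then delegate it) scripted with Az PowerShell, as an added example that is not part of the original article. It reads the vault's permission model and applies only the matching grant: the built-in Key Vault Secrets User role scoped to that single vault under Azure RBAC, or a Get-only secret permission under the access policy model, so the gateway's identity gets nothing beyond the secret read it needs. Resource names and the region are assumptions.

```powershell
# Added example (not from the original article): grant a user-assigned managed identity
# read access to a key vault's secrets under whichever permission model the vault uses.
# Resource names and region are assumptions.
$resourceGroup = "myresourcegroup"
$location      = "eastus"
$identityName  = "myManagedIdentity"
$vaultName     = "mykeyvault"

# 1. Obtain the user-assigned managed identity, creating it if it doesn't exist yet
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName -ErrorAction SilentlyContinue
if (-not $identity) {
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName -Location $location
}

$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup

# 2. Delegate the identity to the key vault
if ($vault.EnableRbacAuthorization) {
    # Azure RBAC model: Key Vault Secrets User is the least-privilege built-in role for
    # reading secret values; scope it to this vault only, not the resource group
    New-AzRoleAssignment -ObjectId $identity.PrincipalId `
        -RoleDefinitionName "Key Vault Secrets User" `
        -Scope $vault.ResourceId
} else {
    # Vault access policy model: Get on secrets only; no key or certificate permissions
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
        -ObjectId $identity.PrincipalId `
        -PermissionsToSecrets get
}

# Show what was granted so the result can be reviewed
$identity.PrincipalId
```

Role assignments can take a few minutes to propagate, so a listener created immediately after the RBAC branch may briefly fail to read the secret; the access policy branch takes effect as soon as the cmdlet returns.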

Verify firewall permissions to Key Vault

As of March 15, 2021, Key Vault recognizes Application Gateway as a trusted service, relying on user-assigned managed identities for authentication to Azure Key Vault. By using service endpoints and enabling the trusted services option on the Key Vault firewall, you can build a secure network boundary in Azure. You can deny access to traffic from all networks (including internet traffic) to Key Vault, yet still make Key Vault accessible to an Application Gateway resource in your subscription.

When you're using a restricted key vault, use the following steps to configure Application Gateway to use firewalls and virtual networks:


Steps 1-3 aren't required if your key vault has a private endpoint enabled. The application gateway can access the key vault by using the private IP address.

Note

If you use private endpoints to access Key Vault, you must link the private DNS zone that contains the record for the referenced key vault to the virtual network that contains Application Gateway. Custom DNS servers can still be used on the virtual network instead of the Azure DNS-provided resolvers; however, the private DNS zone must remain linked to the virtual network as well.

  1. In the Azure portal, in your key vault, select Networking.

  2. On the Firewalls and virtual networks tab, select Selected networks.

  3. For Virtual networks, select + Add existing virtual networks, and then add the virtual network and subnet of your Application Gateway instance. During the process, also configure the Microsoft.KeyVault service endpoint by selecting its checkbox.

  4. Select Yes to allow trusted services to bypass the key vault's firewall.

    [Figure: Key Vault networking settings with the selected network and the trusted services bypass enabled]

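Steps 1-4 above as a single Az PowerShell script, added here as an example that is not part of the original article. It enables the Microsoft.KeyVault service endpoint on the gateway subnet while keeping any endpoints already there, admits only that subnet through the vault firewall, sets the default action to Deny, and turns on the trusted services bypass (-Bypass AzureServices, the cmdlet equivalent of the Yes in step 4). Resource names are assumptions.

```powershell
# Added example (not from the original article): lock a key vault's firewall down to the
# application gateway's subnet plus trusted Azure services. Names are assumptions.
$resourceGroup = "myresourcegroup"
$vaultName     = "mykeyvault"
$vnetName      = "myvnet"
$subnetName    = "appgw-subnet"

# 1. Enable the Microsoft.KeyVault service endpoint on the gateway subnet.
#    The subnet object is mutated in place so NSG, route table and delegation settings survive.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
if (-not $subnet.ServiceEndpoints) {
    $subnet.ServiceEndpoints = New-Object 'System.Collections.Generic.List[Microsoft.Azure.Commands.Network.Models.PSServiceEndpoint]'
}
if (-not ($subnet.ServiceEndpoints | Where-Object { $_.Service -eq "Microsoft.KeyVault" })) {
    $endpoint = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSServiceEndpoint
    $endpoint.Service = "Microsoft.KeyVault"
    $subnet.ServiceEndpoints.Add($endpoint)
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
}

# 2. Admit only the gateway subnet through the vault firewall
Add-AzKeyVaultNetworkRule -VaultName $vaultName -VirtualNetworkResourceId $subnet.Id

# 3. Deny all other networks, but let trusted Microsoft services (Application Gateway
#    among them) bypass the firewall
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -DefaultAction Deny -Bypass AzureServices

# 4. Review the resulting rule set: DefaultAction should read Deny and Bypass AzureServices
(Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup).NetworkAcls
```

If the vault is reached over a private endpoint instead, skip steps 1-3 of the script and keep only the Update-AzKeyVaultNetworkRuleSet call, which matches the note earlier in this section.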

Note

If you deploy the Application Gateway instance through an ARM template by using either the Azure CLI or PowerShell, or through an Azure application deployed from the Azure portal, the SSL certificate is stored in the key vault as a Base64-encoded PFX file. You must complete the steps in Use Azure Key Vault to pass a secure parameter value during deployment.

It's particularly important to set enabled (the key vault's template deployment access setting) to true. The certificate might or might not have a password. For a certificate with a password, the following example shows a possible configuration for the sslCertificates entry in properties in the ARM template configuration for Application Gateway.

    "sslCertificates": [
        {
            "name": "appGwSslCertificate",
            "properties": {
                "data": "[parameters('appGatewaySSLCertificateData')]",
                "password": "[parameters('appGatewaySSLCertificatePassword')]"
            }
        }
    ]

The values of appGatewaySSLCertificateData and appGatewaySSLCertificatePassword are looked up from the key vault, as described in Reference secrets with dynamic ID. Follow the references backward from parameters('secretName') to see how the lookup happens. If the certificate is passwordless, omit the password entry.

Configure the application gateway listener

Key Vault permission model: Vault access policy

Go to your application gateway in the Azure portal and select the Listeners tab. Select Add listener (or select an existing listener) and specify HTTPS for the protocol.

Under Choose a certificate, select Create new, and then select Choose a certificate from Key Vault under HTTPS settings.

For Cert name, type a friendly name for the certificate to be referenced in Key Vault. Choose your managed identity, key vault, and certificate.

Once selected, select Add (if creating) or Save (if editing) to apply the referenced Key Vault certificate to the listener.

Key Vault permission model: Azure role-based access control

Application Gateway supports certificates referenced in Key Vault through the role-based access control permission model. The first few steps to reference the key vault must be completed through an ARM template, Bicep, the CLI, or PowerShell.

Note

Specifying Azure Key Vault certificates that are subject to the role-based access control permission model isn't supported through the portal.


In this example, we use PowerShell to reference a new Key Vault secret.

    # Get the Application Gateway we want to modify
    $appgw = Get-AzApplicationGateway -Name myapplicationgateway -ResourceGroupName myresourcegroup
    # Specify the resource ID of the user-assigned managed identity. This can be found under the
    # properties of the managed identity; the subscription GUID below is a placeholder.
    Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myManagedIdentity"
    # Get the secret from Key Vault (vault name is a placeholder)
    $secret = Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "CertificateName"
    # Remove the secret version so that Application Gateway uses the latest version in future syncs
    $secretId = $secret.Id.Replace($secret.Version, "")
    # Specify the versionless secret ID from Key Vault
    Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationGateway $appgw -Name $secret.Name
    # Commit the changes to the Application Gateway
    Set-AzApplicationGateway -ApplicationGateway $appgw

Once the commands have run, you can go to your application gateway in the Azure portal and select the Listeners tab. Click Add listener (or select an existing one) and specify HTTPS as the protocol.

Under Choose a certificate, select the certificate named in the previous steps. Once selected, select Add (if creating) or Save (if editing) to apply the referenced Key Vault certificate to the listener.

Investigate and resolve Key Vault errors

Note

It's important to consider any impact on your Application Gateway resource when you make changes to, or revoke access to, your Key Vault resource. If your application gateway can't access the associated key vault or locate the certificate object in it, it automatically puts that listener in a disabled state.

You can identify this user-driven event by viewing the Resource Health of your application gateway.

Azure Application Gateway doesn't just poll for a renewed certificate version in Key Vault at every four-hour interval. It also logs any error and is integrated with Azure Advisor to surface any misconfiguration together with a recommendation for fixing it.

  1. Sign in to the Azure portal.
  2. Select Advisor.
  3. Select the Operational Excellence category from the left menu.
  4. You'll find a recommendation titled Resolve Azure Key Vault issue for your Application Gateway if your gateway is experiencing this issue.
  5. Select it to view the error details, the associated key vault resource, and the troubleshooting guide for resolving your exact issue.

By identifying this event through Azure Advisor or Resource Health, you can quickly resolve any configuration issues with your key vault. We strongly recommend that you take advantage of Azure Advisor and Resource Health alerts to stay informed when a problem is detected.

For the Advisor alert, use "Resolve Azure Key Vault issue for your Application Gateway" as the recommendation type, as shown below.

[Figure: Advisor alert configuration for the Key Vault recommendation]

You can configure the Resource Health alert as illustrated below.

[Figure: Resource Health alert configuration for the application gateway]

Next steps

Configure TLS termination with Key Vault certificates using Azure PowerShell

Article information

Author: Nicola Considine CPA

Last Updated: 01/05/2023
