- Article
- 8 minutes to read
Azure Key VaultIt is a secret store managed by the platform you can use to protect secrets, keys and certificates TLS/SSL.Azure application gateway admits integration with the server certificates that are attached to https -qualified listeners.for the app gateway sku v2.
The Gateway app offers two models for the end of TLS:
- Provide TLS/SSL certificates attached to the listener.This model is the traditional way of passing TLS/SSL certificates to the TLS termination application gateway.
- Provide a reference to an existing key certificate or secret when creating an activated listener for HTTPS.
The integration of the application gateway with Key Vault offers many benefits, including:
- Stronger security, because TLS/SSL certificates are not directly managed by the application development team.Integration allows separate safety equipment:
- Configure application gates.
- Control of life cycles.
- Concession licenses for selected request gates to access certificates stored in their main safe.
- Support to import existing certificates on your main safe.Or use the Key Vault API to create and manage new certificates with any of the main partner of the safe.
- Support for automatic renewal of certificates stored in your key.
Compatible certificates
Currently, the Gateway app admits only validated software certificates.Validated Hardware Safety Module (HSM) certificates are not compatible.
Once the application gateway is configured to use the main certificates of the safe, their instances recover the certificate of the safe vault and install them locally for the termination of TLS.The instances research the main safe at four intervals to recover a renewed version of the certificate if it exists.If there is an updated certificate, the TLS/SSL certificate currently associated with the HTTPS listener is automatically rotated.
Advice
Any change in the application port of the application will force a check against Key Vault to see if there are new versions of available certificates.This includes, among others, changes in the IP edge, listeners, rules, back -end groups, back -end groups, tags, tags, resource labels and more.If there is an updated certificate, the new certificate will be presented immediately.
The Gateway app uses a secret identifier on the key safe to refer to certificates.For Azure Powershell, Azure Cli or Azure Resource Manager, we strongly recommend that you use a secret identifier that does not specify a version.This way, the link port door to the application will automatically rotate the certificate if there is a latest version available on your key safe.An example of secret Uri without a version ishttps://myvault.vault.azure.net/secrets/mysecret/PowerShell steps provided inSection below.
The Azure portal admits only the main certificates of the safe, not secrets.The application gateway still supports Key Vault's reference secrets, but only through non -portal features such as Powershell, Azure Cl, API and Azure Resource Manager (ARM models (ARM).
References to the main coffers in other Azure signatures are compatible, but should be configured through the arm model, Azure Powershell, CLI, Bicep, etc.The cross -size cross -size safe configuration is not compatible with the application gateway compatibleon the Azure portal today.
Certificate configuration on the key safe
For the end of TLS, the application gateway supports only certified personal information exchange format (PFX).It can import an existing certificate or create a new one on its main safe.To avoid failures, make sure the certificate status is configured toactivatedIn the key safe.
How integration works
The integration of the application port with Key Vault is a three -step configuration process:
To use
Azure application gateway integration with Key Vault admits the policy of accessing Vault and Azure Functions access control permission models.
Obtain an administered identity attributed by the user
The Gateway app uses an identity administered to recover the main safe certificates in its name.
You can create a new identity attributed to the user or reuse an integration existence.To create a new identity assigned to the user assigned by the user, seeCreate an identity attributed to the user using the Azure Portal.
Delegate the identity attributed to the user to the key
Set the access policies to use the identity attributed to the user with their main safe:
In the Azure Portal, go toKey Vault.
Select the key from the key that contains your certificate.
If you are using the permission modelVault access policy: SelectAccess policies, select+ Add Access Policy, selectGetforSecret Permissionsand choose your identity attributed to the user toSelected director.THO SELECTTo save.
If you are usingAzure paper base access controlFollow the articleAssign access to the administered identity to an appealand assign the administered identity attributed by the user theSecret User Key safeAzure Key's role.
(Video) Using Azure Key Vault Certificate, Secrets, and Keys
Check the firewall permissions for the main safe
On March 15, 2021, Key Vault recognizes the application's gateway as a reliable service, taking advantage of user -managed identities for Azure Key Vault authentication.Using final service points and allowing the Key Vault Firewall for reliable services option, you can create a safe network limit on Azure.It can deny access to traffic from all networks (including Internet traffic) to Key Vault, but still make Key Vault accessible to an application gateway feature under its signature.
When using a restricted safe, use the following steps to configure the application gateway to use firewalls and virtual networks:
Advice
Steps 1-3 are not required if your Key Vault has a private final point activated.The application gateway can access the key safe using the private IP address.
To use
If you use private end points to access the Chaves Vault, you should link the Privatelink.VaultCore.azure.net private DNS area, which contains the registration corresponding to the referenced key key to the virtual network contained in the application gate.Personalized DNS servers can continue to be used on the virtual network, instead of the resolutions provided by DNS Azure, however, the private DNS zone should also remain linked to the virtual network.
On the Azure portal, in your safe, selectNetworks.
About itFirewalls and Virtual NetworksGuide, selectSelected networks.
ForVirtual networks, select+ Add existing virtual networksAnd then add the virtual network and the sub -right to your application of the application gate.During the process, also configure the
Microsoft.KeyVaultFinal time service by selecting your check box.SelectSimTo allow reliable services to avoid Key Vault's firewall.
(Video) Azure Key Vault Tutorial : Step-By-Step-Demo | Secret, Key, Certificates
To use
If you implement the application gateway instance through an arm model using Azure Cl or PowerShell, or through an Azure app implemented on the Azure portal, the SSL certificate will be stored in the safe as a 64 encoded PFX file.Debes complete the steps inUse Azure's Key Vault to pass a secure value of the parameters during implementation.
It is particularly important to establishenabledaTRUE.The certificate may or may not have a password.For a password certificate, the following example shows a possible configuration for thesslCertifiedto enterpropertiesFor arm model configuration for the application gateway.
"Sslcertificates": [{"Name": "AppGwslcertificate", "Properties": {"Data": "['AppGatewaysslcertifate')]", "Password": "[Parameters ('app]The values ofAppGatewaysSlCertificatedatayAppGateWaysSlCertificatePasswordThey are sought from the key safe, as described inReference secrets with dynamic identification.The references ofParameters ('secretname')To see how the research happens.If the certificate has no password, omits thepasswordProhibited.
Configure the gateway listener
Model of access to the key permission to the key
Browse to your app's gateway on the Azure portal and select theListenerstab.SELECTAdd listener(or select an existing listener) and specifyHttpsFor the protocol.
LowChoose a certificate, selectCreate a newAnd then selectChoose a key certificate keylowHttps configuration.
To get the certificate name, write a friendly name for the certificate to be referred to in the main safe.Ellija your administered identity, key and certified key.
Once selected, selectTo add(and create) theTo save(If you edit) to apply the key key certificate referenced to the listener.
Access Control Permission Model based on Azure Key's safe function
The application gateway supports certificates referenced in the key vault through the roles -based access control permit model. The first steps to refer to the key vault must be completed through the arm template, biceps, biceps, biceps, biceps, biceps, biceps, biceps , bíceps, bíceps, bíceps, bíceps, bíceps, CLI ou PowerShell.
To use
The specification of Azure Key Vault certificates that are subject to the function -based access control permission model is not compatible with the portal.
In this example, we will use Powershell to refer to a new secret of the safe.
# Obtain the application gateway, we want to modify $ appw = get -Azapplicationgateway -Name myoplicationgateway -Resourcegroupname myResourcegroup# Specify the resource ID to the user -managed identity. xxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXhhtehtepplasalalalotoleulteArTeArTeAfTAURATATAURATEDITERITIONSITIDE."-Name" certateName "$ Secretid = $ Secret. id.replace ($ secret.version, ") # eliminar la versión secreta para que appgw usará la Última versión en futuras singrons singronsenes # Especifique la identificataciAn secreta de la bóveda -key -elaplicationgatewaysSlcertificate -kevaultSoiUl .Nome# Compreenda as alterações no gatewayet Application -AxApplicationGateway -ApplicationGateway $ APPGWOnce the commands are executed, you will be able to browse to your app's gateway on the Azure portal and select the listener's guide.Click Add a listener (or select an existing one) and specify the protocol to HTTPS.
LowChoose a certificateSelect the certificate appointed in the previous steps.Once selected, selectTo add(and create) theTo save(If you edit) to apply the key key certificate referenced to the listener.
Investigate and solve the main errors of the safe
To use
It is important to consider any impact on the gateway feature of its application when making changes or revoking access to its main safe resource.If your application gateway cannot access the associated key safe or locate the certificate object automatically place this listener in a state with disabilities.
You can identify this user -promoted event by seeing the health of your gateway's resources.To know more.
Azure application gateway not only search for the Key Vault certificate version in each four -hour interval.It also records any error and is integrated into the surface Azure Advisor to any erroneous configuration with a recommendation for your solution.
- Make login on your Azure portal
- Selected consultant
- Select the operational excellence category in the left menu.
- You will find a recommendation entitledSolve the problem of Azure's main safe to the gateway of its applicationif your gateway is facing this problem.
- Select to see the error details, the associated key safe feature and theProblem -solving guideTo solve your exact problem.
By identifying this event through Azure Advisor or Resource Health, you can quickly solve any configuration problem with your main safe.Let's strongly recognize that you enjoyAzure Advisor AzureyHealth health healthWarning to stay informed when a problem is detected.
For the consultant's alert, use "Solve the Azure safe problem for your application gateway" in the type of recommendation, as shown below.
You can configure the health alert of the feature as illustrated below.
Next steps
Configure TLS's ending with the main safe certificates using Azure Powershell