SSL pinning with Azure App gateway + APIM - azure

Is there a way of achieving SSL pinning with Azure Application Gateway. I have some APIs deployed on AKS exposed through APIM. The APIM is private and the APIs are publicly exposed through Application Gateway. Is there a way of achieving SSL pinning in my custom android app in this scenario?

Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers.
1.Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and encrypted. Application gateway supports both TLS termination at the gateway as well as end to end TLS encryption.
2.End-to-end TLS allows you to encrypt and securely transmit sensitive data to the backend while you use Application Gateway's Layer-7 load-balancing features. These features include cookie-based session affinity, URL-based routing, support for routing based on sites, the ability to rewrite or inject X-Forwarded-* headers, and so on.
3.When configured with end-to-end TLS communication mode, Application Gateway terminates the TLS sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application Gateway then initiates a new TLS connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting the request to the backend. Any response from the web server goes through the same process back to the end user
Reference:
https://learn.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal

Related

How to add HTTPS/SSL support to a microservice via Azure API management layer without app server having to support SSL?

I have a Azure APIM setup that receives the website request and forwards it to the respective microservice node. The website supports only http requests and now I wish to change this to HTTPS/SSL.
The app server on the microservice node does not support SSL, so I have couple of options:
On microservice node - change to another app server that supports SSL
OR On microservice node - Add a web server (nginx) which does the SSL and forwards the request to the app server (both web server and app server will be on the same node)
OR Configure SSL at the Azure API management layer
I prefer to use option 3 so that the microservice node is responsible only to serve requests and the HTTPS/SSL bit is handled by the Azure API management layer. This documentation seems to suggest how this can be achieved for both SSL termination at the gateway and end to end SSL. However, there are 2 problems:
This article is about application gateway - and I am looking for similar solution with API management (API gateway).
If I wish to use the end to end SSL mode, and not the SSL termination mode (which terminates SSL at gateway), then my app server will need to have SSL feature?
How to add end to end SSL support to a microservice via Azure API management layer without app server having to support SSL?
API Management (APIM) is acting as a reverse proxy - much like nginx in your example. APIM supports SSL by default and can do SSL termination.
APIM will also talk to your backend service without without any issues - all you need to do is select "http" for the backend instead of "https".

Azure Application Gateway Not allowing Client Certificates

I have Azure API Management, configured internally and exposed to the public through Azure application Gateway. My API is secured for client certificates, it working perfectly when I test it internally. When I test it externally, I am getting an invalid certificate error. Does Azure Application Gateway block client certificates? How to allow them?
An answer from Microsoft:
We do have option for mutual authentication on Application Gateway
which can allow the mutual authentication between client and
Application Gateway:
https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview
However this is still in preview version, which is not included in
SLA. As the mutual authentication between AppGW and the APIM we
double confirmed with the backend engineers, unfortunately the answer
is no we do not support such a function.
I suspect this is not yet possible with Application Gateway: https://feedback.azure.com/forums/217313-networking/suggestions/9379902-allow-mutual-ssl-auth-on-application-gateway

Endpoint monitoring of Web App using Azure Traffic Manager

I have a WebApp in Azure, which has incoming certificate enabled in place. Is it possible to check the endpoint of the API hosted in the WebApp through Traffic Manager probe? I cannot find a solution to probe the endpoint from there since it returns 403 "Error 403 - Forbidden: Client Certificate Required."
It's not possible to validate the client certificate via Traffic Manager probe referring to this official document. Traffic Manager supports probing over HTTPS. But please note that Traffic manager cannot provide any certificate validation, including:
Server-side certificates are not validated
SNI server-side certificates are not validated
Client certificates are not supported
For HTTP or HTTPS monitoring protocol, a common practice on the endpoint side is to implement a custom page within your application - for example, /health.aspx. Using this path for monitoring, you can perform application-specific checks, such as checking performance counters or verifying database availability. Based on these custom checks, the page returns an appropriate HTTP status code.
https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring

Application Gateway Configuration - passthrough to server

My application gateway/WAF is setup end to end ssl, does any one know if it can just passthrough requests to like an app server for a desktop client if the Public FQDN is resolving to the app gateway or would i need another device for this?
if this is possible how would i go about doing it with Azure's App GW / WAF?
if not any reccomenations on Virt Applicances.
Application Gateway now supports re-encrypt SSL traffic but passthrough is not supported.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-ssl

Client certificate with Azure Application Gateway

I have two VMs with IIS that host my application with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application - on NetScaler (or some other load balancer) I'd simply put serialized client certificate into HTTP Header (X-Client-Cert).
Can I do something similar with Application Gateway?
At the moment thats not possible, but is in the pipeline of product development of the azure product team.

Resources