Application Gateway Configuration - passthrough to server - azure

My application gateway/WAF is set up with end-to-end SSL. Does anyone know if it can just pass through requests to, for example, an app server for a desktop client if the public FQDN resolves to the app gateway, or would I need another device for this?
If this is possible, how would I go about doing it with Azure's App GW / WAF?
If not, any recommendations on virtual appliances?

Application Gateway now supports re-encrypting SSL traffic, but passthrough is not supported.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-ssl

Related

Expose TLS/SSL server on Azure App Service

I'm trying to deploy a custom server on an App Service on Azure that only accepts requests over HTTPS instead of HTTP.
My idea is to deploy using App Service so that I don't have to deploy any SSL certificate myself.
I found this in the App Service documentation:
App Service terminates TLS/SSL at the front ends. That means that TLS/SSL requests never get to your app. You don't need to, and shouldn't implement any support for TLS/SSL into your app.
The front ends are located inside Azure data centers. If you use TLS/SSL with your app, your traffic across the Internet will always be safely encrypted.
So when I try to access it via HTTPS on port 443, the requests are being sent to port 80 over HTTP. I tried to expose port 443 directly using the WEBSITES_PORT setting, but the result is that, as that port doesn't accept HTTP requests, the App Service does not start and keeps rebooting for some time.
2022-09-14T16:05:22.335Z ERROR - Container xxxx_3_4a82d922 didn't respond to HTTP pings on port: 443, failing site start. See container logs for debugging.
My question is, is there any possibility of resending those HTTPS requests to port 443 as HTTPS in the App Service in any way?
Thanks!
So your App Service essentially runs on a VM in isolated regions of Azure data centers, often referred to as Stamps or Scale Units.
Unless you are on an ASE, your App Services live on these stamps, which are multi-tenant environments sharing a few incoming load balancers, and the latter is where TLS/SSL is terminated and is the entry point for your app. From the load balancer, the traffic is routed to a proxy (for Linux apps) such as Nginx on a VM, over HTTP, and forwarded from there to the port exposed by your App Service app (Docker containers on Linux). The defaults are 80 or 8080, but you could change this using the setting WEBSITES_PORT (note the use case here).
So you wouldn't really need end-to-end TLS given the above architecture. You could turn on the HTTPS Only flag in your App Service -> Configuration -> General settings blade, and this would redirect all HTTP requests at the front end to HTTPS. This still would not result in end-to-end TLS.
TLS is often terminated outside the applications in the infrastructure (API gateways or Traffic Managers, for instance); this is by design and offers many benefits (less overhead, certificate management, etc.).
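The consequence of the architecture described in this answer is that the app only ever sees plain HTTP, so it has to learn from the front end's X-Forwarded-Proto and X-Forwarded-For headers whether the client used TLS and who the client was. The following is an added example (not code from the question, the answer, or Microsoft) of how an app should consume those headers safely: it honours them only when the request actually arrived from the proxy network, redirects anything that was not TLS on the client-facing hop, and marks its cookies Secure even though its own socket is HTTP. The proxy address ranges, host name and sample requests are assumptions constructed for the example; App Service itself only ever delivers traffic from its platform proxy, but the trust check matters as soon as the same app can be reached any other way.

```python
"""Behind a TLS-terminating front end the app only ever sees plain HTTP.

App Service (like Application Gateway and APIM) terminates TLS at its front
ends and forwards HTTP to the app. The app therefore learns whether the
client used HTTPS only from X-Forwarded-Proto, and the real client address
only from X-Forwarded-For. Both are plain headers: honour them only when the
request really came from the front end, or any direct caller can spoof them.
"""
import ipaddress
from urllib.parse import quote

# Assumption for this example: networks the front end / platform proxy uses to
# reach the app. For your own nginx or App GW backend, list its subnet here.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("127.0.0.0/8")]


def from_trusted_proxy(remote_addr: str) -> bool:
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def effective_scheme(environ: dict) -> str:
    """'https' only if a trusted proxy says the client-facing hop was TLS."""
    if from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        # first value is the scheme the outermost proxy saw from the client
        first = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return environ.get("wsgi.url_scheme", "http")


def client_ip(environ: dict) -> str:
    """Use the LAST X-Forwarded-For entry (appended by the trusted proxy);
    earlier entries are whatever the client chose to send."""
    remote = environ.get("REMOTE_ADDR", "")
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if not from_trusted_proxy(remote) or not xff:
        return remote
    last = xff.split(",")[-1].strip()
    # front ends commonly append the client port ("203.0.113.7:51234"); drop it for IPv4
    if last.count(":") == 1:
        last = last.rsplit(":", 1)[0]
    return last


def https_only_response(environ: dict):
    """Return (status, headers) for a site that must only be served over HTTPS.

    Mirrors what the 'HTTPS Only' flag does at the front end, plus the
    hardening the app itself should add once it knows the hop was TLS.
    """
    host = environ.get("HTTP_HOST", "localhost")
    path = environ.get("PATH_INFO", "/")
    qs = environ.get("QUERY_STRING", "")
    if effective_scheme(environ) != "https":
        location = "https://" + host + quote(path) + ("?" + qs if qs else "")
        return "301 Moved Permanently", {"Location": location}
    return "200 OK", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        # cookies must be marked Secure even though the app's own socket is http
        "Set-Cookie": "session=example; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Content-Type": "text/plain",
    }


def sample_environ(remote_addr, proto=None, xff=None, host="app.example.net", path="/api"):
    """Constructed WSGI-style environ for the checks below (not a real request)."""
    env = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": host, "PATH_INFO": path,
           "QUERY_STRING": "", "wsgi.url_scheme": "http"}
    if proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = proto
    if xff is not None:
        env["HTTP_X_FORWARDED_FOR"] = xff
    return env


if __name__ == "__main__":
    print(https_only_response(sample_environ("10.0.5.4", proto="https")))   # served, HSTS set
    print(https_only_response(sample_environ("10.0.5.4", proto="http")))    # redirected
    print(https_only_response(sample_environ("203.0.113.9", proto="https")))  # spoofed header ignored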

SSL pinning with Azure App gateway + APIM

Is there a way of achieving SSL pinning with Azure Application Gateway? I have some APIs deployed on AKS exposed through APIM. The APIM is private and the APIs are publicly exposed through Application Gateway. Is there a way of achieving SSL pinning in my custom Android app in this scenario?
Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers.
1. Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and encrypted. Application Gateway supports both TLS termination at the gateway as well as end-to-end TLS encryption.
2. End-to-end TLS allows you to encrypt and securely transmit sensitive data to the backend while you use Application Gateway's Layer-7 load-balancing features. These features include cookie-based session affinity, URL-based routing, support for routing based on sites, the ability to rewrite or inject X-Forwarded-* headers, and so on.
3. When configured with end-to-end TLS communication mode, Application Gateway terminates the TLS sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application Gateway then initiates a new TLS connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting the request to the backend. Any response from the web server goes through the same process back to the end user.
Reference:
https://learn.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal
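Because the client's TLS session ends at the Application Gateway listener (point 3 above, in both termination and end-to-end mode), the Android app only ever sees the gateway's certificate chain, so that is what it has to pin; the APIM and AKS certificates on the re-encrypted hop are invisible to it. The block below is an added example, not code from the question or answer, showing what a pinning client actually checks: the SHA-256 of the DER SubjectPublicKeyInfo, base64-encoded and prefixed "sha256/" exactly as OkHttp's CertificatePinner expects. Pinning the public key rather than the whole certificate survives certificate renewal as long as the key (or the issuing CA's key, if you pin that instead) is kept. The DER helpers are a deliberately minimal walker, not a full ASN.1 library, and the sample certificate is a constructed, unsigned structure that no TLS stack would accept; it exists only so the extraction and pin computation can run offline.

```python
"""Public-key (SPKI) pinning check, as an Android/OkHttp-style client performs it.

A pin is base64(SHA-256(DER SubjectPublicKeyInfo)). With Application Gateway in
front, the client pins the key in the gateway listener certificate (or its
issuing CA), never the APIM or AKS backend certificate it never observes.
"""
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short and long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, end, whole_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        size = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + size], "big"), 2 + size
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], end, buf[pos:end]


def der_children(content: bytes):
    """Iterate (tag, inner, whole_tlv) over the TLVs inside a constructed type."""
    pos = 0
    while pos < len(content):
        tag, inner, pos, whole = der_read(content, pos)
        yield tag, inner, whole


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_content, _, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _, _ = der_read(cert_content)
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate missing")
    fields = list(der_children(tbs))
    if fields and fields[0][0] == 0xA0:      # EXPLICIT [0] version is optional
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][2]                      # whole TLV, header included


def spki_pin(cert_der: bytes) -> str:
    """'sha256/<base64>' pin of the certificate's public key (OkHttp / HPKP format)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def chain_matches_pins(chain_der: list, pins: set) -> bool:
    """Accept if ANY certificate in the presented chain matches a pin (leaf or CA).
    Always ship at least one backup pin for a key that is not yet deployed."""
    return any(spki_pin(c) in pins for c in chain_der)


# Constructed sample certificate: correct X.509 shape, placeholder key and
# signature bits, empty names. Not signed and not accepted by any TLS stack.
SAMPLE_SPKI = der_tlv(SEQUENCE,
    der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))  # rsaEncryption
    + der_tlv(BIT_STRING, b"\x00" + bytes(range(1, 33))))

SAMPLE_CERT = der_tlv(SEQUENCE,
    der_tlv(SEQUENCE,                                                                   # tbsCertificate
        der_tlv(0xA0, der_tlv(INTEGER, b"\x02"))                                        # version v3
        + der_tlv(INTEGER, b"\x01")                                                     # serialNumber
        + der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))          # sha256WithRSAEncryption
        + der_tlv(SEQUENCE, b"")                                                        # issuer (empty Name)
        + der_tlv(SEQUENCE, der_tlv(UTCTIME, b"240101000000Z") + der_tlv(UTCTIME, b"250101000000Z"))
        + der_tlv(SEQUENCE, b"")                                                        # subject (empty Name)
        + SAMPLE_SPKI)
    + der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))
    + der_tlv(BIT_STRING, b"\x00" + bytes(16)))                                         # placeholder signature

if __name__ == "__main__":
    pin = spki_pin(SAMPLE_CERT)
    print(pin)
    print(chain_matches_pins([SAMPLE_CERT], {pin, "sha256/" + "A" * 43 + "="}))
```

On a real deployment, compute the pin from the gateway listener certificate (for example from the DER exported from the Key Vault or .pfx you uploaded to the listener) and from the key you plan to rotate to, and ship both as pins.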

How to add HTTPS/SSL support to a microservice via Azure API management layer without app server having to support SSL?

I have an Azure APIM setup that receives the website request and forwards it to the respective microservice node. The website supports only HTTP requests, and now I wish to change this to HTTPS/SSL.
The app server on the microservice node does not support SSL, so I have a couple of options:
On the microservice node: change to another app server that supports SSL
OR on the microservice node: add a web server (nginx) which does the SSL and forwards the request to the app server (both web server and app server will be on the same node)
OR configure SSL at the Azure API Management layer
I prefer to use option 3, so that the microservice node is responsible only for serving requests and the HTTPS/SSL bit is handled by the Azure API Management layer. This documentation seems to suggest how this can be achieved for both SSL termination at the gateway and end-to-end SSL. However, there are 2 problems:
This article is about Application Gateway, and I am looking for a similar solution with API Management (API gateway).
If I wish to use the end-to-end SSL mode, and not the SSL termination mode (which terminates SSL at the gateway), then will my app server need to have the SSL feature?
How do I add end-to-end SSL support to a microservice via the Azure API Management layer without the app server having to support SSL?
API Management (APIM) is acting as a reverse proxy, much like nginx in your example. APIM supports SSL by default and can do SSL termination.
APIM will also talk to your backend service without any issues; all you need to do is select "http" for the backend instead of "https".

Azure AKS .NET Core with SignalR SSL Ingress

What's the recommended way to setup SSL/TLS with AKS for a .NET Core website that uses SignalR?
From what I can tell, Azure Front Door doesn't work because it doesn't support WebSockets.
And AKS doesn't have a service like AWS does for doing SSL/TLS.
Do I really have to use an nginx proxy on top to make this work?
Also, it looks like the same problem exists for gRPC in .NET Core and Azure. Basically no way to host gRPC on Azure at all right now.
Suggestions?
Application Gateway provides native support for WebSocket across all gateway sizes. There is no user-configurable setting to selectively enable or disable WebSocket support. See Overview of WebSocket support in Application Gateway.
With the application gateway, you can create listeners on port 80/443 to support WebSocket traffic, and health probes support the HTTP and HTTPS protocols. App GW also supports SSL offload and end-to-end SSL traffic.
There are two options for App GW in conjunction with AKS. One is simply to put the App GW in front of the internal or public load balancers with AKS; see this blog. Another, currently better, one is using the Application Gateway Ingress Controller. This is supported by Application Gateway v2 only.
For more references:
Expose a WebSocket server
How to configure Azure Application Gateway work with AKS via SSL.

Client certificate with Azure Application Gateway

I have two VMs with IIS that host my application, with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application; on NetScaler (or some other load balancer) I'd simply put the serialized client certificate into an HTTP header (X-Client-Cert).
Can I do something similar with Application Gateway?
At the moment that's not possible, but it is in the pipeline of product development of the Azure product team.
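For a load balancer that does forward the client certificate in a header, as the question describes for NetScaler, the backend side has one security rule that the header pattern makes easy to miss: X-Client-Cert is just an HTTP header, so the backend must accept it only from the gateway itself, otherwise anyone who can reach the IIS VMs directly (or through a route that bypasses the gateway) can present any certificate they like. The following is an added example, not code from the question or answer, of that check in a WSGI-style handler: it decodes a PEM certificate that may be URL-encoded (the form nginx's $ssl_client_escaped_cert and similar devices produce), then binds authorization to the certificate's SHA-256 fingerprint. The gateway subnet, header name, allowlist and the sample certificate bytes are assumptions constructed for the example; the sample is a stand-in DER blob, not a real certificate, since only its bytes are fingerprinted here.

```python
"""Consume a client certificate forwarded by a TLS-terminating load balancer.

When the gateway does mutual TLS and passes the client certificate to the
backend in an HTTP header (X-Client-Cert), the backend must (1) accept that
header only from the gateway, since any direct caller could forge it, and
(2) bind authorization to the certificate itself, here via its SHA-256
fingerprint over the DER bytes.
"""
import base64
import hashlib
import ipaddress
from urllib.parse import quote, unquote

# Assumptions for this example: the subnet the gateway's backend traffic comes
# from, and the header name the gateway was configured to insert.
GATEWAY_NETS = [ipaddress.ip_network("10.0.1.0/24")]
CERT_HEADER = "HTTP_X_CLIENT_CERT"          # WSGI name for X-Client-Cert

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def header_to_der(value: str) -> bytes:
    """Decode a header carrying a PEM certificate (optionally URL-encoded)."""
    pem = unquote(value).strip()
    if BEGIN in pem:
        body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    else:
        body = pem                           # some devices send only the base64 body
    # validate=True rejects anything outside the base64 alphabet instead of
    # silently skipping it, so a mangled header fails closed
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def from_gateway(remote_addr: str) -> bool:
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in GATEWAY_NETS)


def authenticate(environ: dict, allowed_fingerprints: set):
    """Return the fingerprint of the authenticated client certificate, or None.

    None means 'treat as anonymous / reject on the protected path'. The header
    is ignored entirely unless the TCP peer is the gateway.
    """
    if not from_gateway(environ.get("REMOTE_ADDR", "")):
        return None
    raw = environ.get(CERT_HEADER)
    if not raw:
        return None
    try:
        der = header_to_der(raw)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    fp = fingerprint(der)
    return fp if fp in allowed_fingerprints else None


# Constructed stand-in for a DER certificate (a 16-byte SEQUENCE); any real
# DER certificate is handled identically, since only its bytes are hashed.
SAMPLE_DER = b"\x30\x10" + bytes(range(16))
SAMPLE_PEM = BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n" + END + "\n"
SAMPLE_HEADER = quote(SAMPLE_PEM, safe="")   # URL-encoded, as the gateway would send it


def sample_environ(remote_addr: str, header_value: str) -> dict:
    """Constructed WSGI-style environ for the checks below (not a real request)."""
    return {"REMOTE_ADDR": remote_addr, "PATH_INFO": "/secure", CERT_HEADER: header_value}


if __name__ == "__main__":
    allowed = {fingerprint(SAMPLE_DER)}
    print(authenticate(sample_environ("10.0.1.5", SAMPLE_HEADER), allowed))      # fingerprint
    print(authenticate(sample_environ("203.0.113.9", SAMPLE_HEADER), allowed))   # None: not from gateway
    print(authenticate(sample_environ("10.0.1.5", SAMPLE_HEADER), set()))        # None: cert not allowed
```

Restricting the backend's network security group (or IIS IP restrictions) to the gateway subnet gives the same guarantee one layer down; doing both means a misconfigured route does not silently turn the header into a bypass.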
