Client certificate with Azure Application Gateway - azure

I have two VMs with IIS that host my application with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application - on NetScaler (or some other load balancer) I'd simply put serialized client certificate into HTTP Header (X-Client-Cert).
Can I do something similar with Application Gateway?

At the moment thats not possible, but is in the pipeline of product development of the azure product team.

Related

How to configure Service Fabric to support only HTTPS connections but not http?

I have Azure service fabric cluster created on local test environment & deployed microservice based web apis, it working well without any issues. But would like to enable HTTPS traffic on cluster level and want to stop HTTP requests
https://mytestsf.westus.cloudapp.azure.com:8800/ => expecting this one to work
http://mytestsf.westus.cloudapp.azure.com:8800/ => expecting this one NOT to work
Is Support only for HTTPS traffic can be done on Azure service fabric level? if yes, how?
P.S: This service fabric cluster not having any external network component like traffic manager or application gateway in front of it as it is local test environment.
Follow the documentation - add an HTTPS endpoint using Kestrel - Azure Service Fabric.

How to add HTTPS/SSL support to a microservice via Azure API management layer without app server having to support SSL?

I have a Azure APIM setup that receives the website request and forwards it to the respective microservice node. The website supports only http requests and now I wish to change this to HTTPS/SSL.
The app server on the microservice node does not support SSL, so I have couple of options:
On microservice node - change to another app server that supports SSL
OR On microservice node - Add a web server (nginx) which does the SSL and forwards the request to the app server (both web server and app server will be on the same node)
OR Configure SSL at the Azure API management layer
I prefer to use option 3 so that the microservice node is responsible only to serve requests and the HTTPS/SSL bit is handled by the Azure API management layer. This documentation seems to suggest how this can be achieved for both SSL termination at the gateway and end to end SSL. However, there are 2 problems:
This article is about application gateway - and I am looking for similar solution with API management (API gateway).
If I wish to use the end to end SSL mode, and not the SSL termination mode (which terminates SSL at gateway), then my app server will need to have SSL feature?
How to add end to end SSL support to a microservice via Azure API management layer without app server having to support SSL?
API Management (APIM) is acting as a reverse proxy - much like nginx in your example. APIM supports SSL by default and can do SSL termination.
APIM will also talk to your backend service without without any issues - all you need to do is select "http" for the backend instead of "https".

Azure - Connecting multiple app service containers with custom domain and ssl

I am getting to the point of my project where I am ready to deploy it online with my custom domain via Azure once I make the upgrade from my Free Subscription.
So a little context, I have 1 web app service and 4 api services and each one is hosted in a separate app service such as:
www.sitename.azurewebsites.net
www.sitename-api1.azurewebsites.net
www.sitename-api2.azurewebsites.net
www.sitename-api3.azurewebsites.net
www.sitename-api4.azurewebsites.net
And the above web app communicates to all 4 api's and some api's may or may not talk to another. (Would have loved an application gateway so hopefully I'll be changing this architecture later down the road).
So as I get ready to associate my domain to the services, the web container seems pretty straight forward to me as it just becomes www.sitename.com, but I am a little confused about the api services. The way I am thinking about this is that each api service will be in it's own subdomain, such as:
www.api1.sitename.net
www.api2.sitename.net
www.api3.sitename.net
www.api4.sitename.net
where I believe I can register my SSL and domain to each app service somehow, but this leaves me with a few questions.
Do I host each api in a subdomain using the same domain as the web
app, or is there a different way preferred like where I host them
all on the same domain with different exposed ports per API and web
listening 80/443, or maybe just use the IP address of the api app
service and allow www.sitename.com as the origin for CORS?
I am assuming that since I am associating my SSL cert to the web
service, I will need to do the following on the api services?
Would it be better (and still affordable) if I just had a VNET
associated to the app services and the domain only registered with
the web app?
Any insight into this would be greatly appreciated on how I can establish communication between my app services with my custom domain and SSL as I am fairly new to this part of the stack, but excited about learning!
As I known, on Azure cloud, there are two services can help to manage your APIs deployed on multiple app service containers: API Management and Application Gateway.
The Premium tier of API Management has the feature for multiple custom domain names, please see the offical document Feature-based comparison of the Azure API Management tiers as the figure below.
You can refer to the quick start tutorial of Create a new Azure API Management service instance and other related documents to kown how to.
"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications." said in the introduce What is Azure Application Gateway?. And as the figure of its architecture below, "With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that's optimized for videos."
I recommended to use Azure Application Gateway which be a good choice to manage multiple app services and expose the unified urls of APIs.

How to create https endpoints for Azure Service Fabric on local machine using HttpSys?

I'm trying to create https endpoints for three apps in a cluster of Service Fabric. Because I have more than one app I use HttpSys. So far I worked only on http but requests from frontend are from a secure transmission(https) so I have to put my backend on https.
I tried to follow this 1 but it doesn't work with WebListener so I move the implementation to HttpSys.
I don't have any errors and my cluster is working well but when I try to access my https endpoint I get nothing.

Service Fabric, which certificate do I use where?

I'm settings up a Service Fabric cluster in Azure and want to run a web API (using .NET Core) over https. I want to use my CA-signed wildcard (*.mydomain.com) certificate to access this API. But I'm a bit confused as to where I use it when I create the cluster, is it the cluster or client certificate? I'm thinking the client certificate, but the documentation states that this is for admin tools (i.e. the Explorer), so I'm unsure on how to proceed.
And yes I've read a ton of posts and resources, but I still find this confusing.
There are three certificate types. Here is a summary overview of them.
The Cluster certificate is used for the Explorer endpoint and is deployed to the primary nodes. So if you add your *.mydomain.com wildcard cert there, and CNAME something (e.g. manage.mydomain.com) to [yourcluster].[region].cloudapp.azure.com, then when you hit your management endpoint that cert will be what will be presented to the web browser.
The Reverse Proxy SSL certificate is deployed to each of the nodes and is used when using the built-in reverse proxy feature of Service Fabric. In this case this is what is being used when you hit https://api.mydomain.com/YourAppName/YourService/Resource (where api.mydomain.com is another CNAME to yourcluster.region.cloudapp.azure.com). This is used as an alternative to running your own reverse proxy or other offloading layer (Application Gateway, IIS, nginx, API Management, etc).
The Client certificates are used in place of Azure Active Directory authentication to the management endpoint. So instead of managing users in AAD (with the _Cluster AAD application and the Admin / Read-Only roles), you manage access by handing out management certificates (Admin or Read-Only) to your trusted users.
You can also have secondaries these certificates to use in certificate rollover situations.
The way we are using it is to have Application gateway configured in front of service fabric cluster, and web certificate is uploaded to Application Gateway (and dns is pointing to application gateway) In that scenario SSL is terminated at application gateway.
Another possibility is to terminate SSL at each node in service fabric cluster, in this scenario you would need to ensure that certificate gets deployed to each of the nodes.
As for cluster vs client certificate dilemma, I am also confused, but I think the answer is neither. Client certificate is not for sure since this certificate is used to identify you as admin when running service fabric admin ps scripts.
I do not think it is cluster certificate either, here is what MS docs say what it is used for:
Cluster and server certificate is required to secure a cluster and prevent unauthorized access to it. It provides cluster security in two ways:
Cluster authentication: Authenticates node-to-node communication for cluster federation. Only nodes that can prove their identity with this certificate can join the cluster.
Server authentication: Authenticates the cluster management endpoints to a management client, so that the management client knows it is talking to the real cluster. This certificate also provides an SSL for the HTTPS management API and for Service Fabric Explorer over HTTPS.
as far as I am reading into it, this certificate is used for internal cluster authentication, and it is also used so your management tools can be asured that they are working with right cluster.

Resources