HTTPS/SSL certificate in Azure VM endpoints - azure

I am new in Windows Azure, previously I have used Amazon Web Services.
In AWS you can set a SSL certificate for a Load Balancer and use it in listeners, so you don't need to worry about that in the web server.
Is it possible to set a SSL certificate for an Azure VM endpoint?

Azure Load Balancer is a layer 4 device, so it can't do SSL termination.
You can use Azure Application Gateway which is a Layer 7 Load Balancer, and it can do SSL termination. see here: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-portal
EDIT: I am trying to understand if you are in "classic" VMs or not. Reading your the comments to your question, you ask if Azure VMs are in "Cloud Services" which implies you are in "classic", but it is unclear if you ask this because you have read the wrong doc, or this is the implementation you have. Anyway is it very recommended you get off "classic" and work with modern VMs. Especially for new deployments.

Loadbalancer comparation
AWS
Application Load Balancer - Layer 7 - HTTP, HTTPS
Network Load Balancer - layer 4 - TCP, UDP, TLS
Classic - Layer 4/7 - HTTP/HTTPS(layer 7), TCP, SSL/TLS(layer 4)
Azure
Load Balancer - Layer 4 - TCP and UDP
Application Gateway - Layer 7 - HTTP, HTTPS(support SSL)

Yes you can
Please check the documentation here:
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/

The Azure terminology is a little different from that of AWS. You can use the Azure Traffic Manager to offload TLS/SSL:
http://www.hanselman.com/blog/CloudPowerHowToScaleAzureWebsitesGloballyWithTrafficManager.aspx
(The Azure Load-Balanced Sets use round-robin DNS balancing, with VMs directly visible, whereas the Traffic Manager hides VMs behind the VIP)

Related

How do I secure traffic between my VM and Application Gateway?

I have a pretty simple setup with an Application Gateway (AG), that sends traffic to a virtual machine running Ubuntu. The AG is loaded with an SSL certificate. The VM is set up to only allow incoming traffic from the AG, but it's an HTTP connection. This works, but I want to secure the traffic between my VM and AG. I can't find any relevant settings or documentation for this however.
How do I encrypt traffic between an Application Gateway and Virtual Machine? I considered a private link to at least force traffic over the Azure network, but private links only support PaaS products, where a VM is IaaS.
I assume your use the private IP of your VM in the backend settings of your Application Gateway. If so, this means that the traffic stays within your VNET and thus on the Microsoft network and also within the same region. You do not not need something like Private Link here.
So the only thing you could potentially do is to SSL-enable the endpoint on the VM and use an encrypted HTTPS connection between AppGW and your VM.
you have to do the same thing as with the api-gateway, load a certificate into de service deployed in the virtual machine and expose the API of this service using SSL protocol so the communication will be encrypted using that certificate.
The way to do it is different depending on which technology you are using to deploy your service. For example, if you are using spring-boot you can see how to do it here
https://www.baeldung.com/spring-boot-https-self-signed-certificate
However, you can use mutual-tls if you want that the only service that could connect to your VM's deployed service is the AG.
https://developers.cloudflare.com/access/service-auth/mtls

Alternative usage of WAF with Load Balancer since WAF doesn't support?

In my application, I needed IPv6 support for WAF. Since IPv6 yet not supported by the WAF can I use a load balancer connected to the WAF as the following diagram (because of IPv6 supports Load Balancer)? Is this a good design?
You can not use the Azure load balancer to connect to an application gateway since Azure load balancer only works with VM, VMS, or availability sets as its backend. Have a look at backend pool endpoints here.
More info: Overview of IPv6 for Azure Load Balancer

How to redirect traffic hosted on an azure endpoint (DNS/static IP) to different external IP address

Question: How do I host an endpoint in azure which allows me to redirect internet traffic at will between azure and aws services?
I am hosting two kubernetes clusters - one in Azure and the other in AWS. I want to be able to:
1. redirect the traffic at will to either aws or azure, whilst retaining the public dns endpoint.
2. fail over manually [and pref automatically too] to the aws cluster. What is the best way to host the endpoint in azure?
Requirements:
The traffic needs to be redirected immediately - no caching issues and stale loads!
Ability to configure failover - i.e. specify that Azure is hot and AWS is the failover service - the traffic should be automatically redirected as soon as Azure goes down.
I have looked at Traffic Manager, Load Balancers and Application Gateway. Not sure which one (if any) of these is best.
traffic manager wont work for you, since its a dns service, so caching will happen (admittedly its the best solution if you set dns cache to 5 seconds or something). application gateway allows you to specify an ip address as an endpoint, load balancers only work when attached to vms inside azure. But application gateways dont allow to failover at will. you would need to block the probe to failover.
Azure Front Door might be the solution for you (like the other answer mentions)
You can have a look into Azure Front Door Service for your usecase.
Look into this https://learn.microsoft.com/en-gb/azure/frontdoor/front-door-overview

Traffic Management Solution for Azure App Services not relying on DNS

At the moment, we are using Azure Traffic Management to provide Load Balancing and High Availability across multiple regions for Azure App Services deployed on App Service Environments. We have reduced the Traffic Manager TTL to 30 secs. However, some of the clients have DNS cache (4 hours TTL) which we cannot control and this impacts the availability of our solution.
What would be a good alternative to provide HA and LB to Azure App Services which does not rely on DNS? We have seen on the documentation that MS suggests third-party solutions, but are there any particular suggestions?
Thanks,
As you point out, Azure Traffic Manager operates in the DNS layer. If you are looking at managing multiple endpoints for high availability and load balancing outside of DNS layer, I would recommend considering Azure Application Gateway (for HTTP workloads) and / or Azure Load Balancer (for any layer 4 (TCP, UDP) load balancing).
You may also find this article on Combining Load Balancers in Azure relevant for your use case

Use of SSL in Azure internal load balancer scenario

We have a internal load balancer deployed in Azure, with 4 VM currently in the same load balancer set. We have a software deployed as IaaS, they essentially running a windows service taking traffic from a pre-configured port (not 443)
I am trying to figure out how this will work, to my understanding, internal load balancer does not offload SSL, so my call will be end to end from client to the VM (could be any of the 4), I can configure the software to listen for a secure socket on same load balancer ports, but how should I configure my client to call 4 servers, which certificate to use in this case?
And, what if we have more VM adding to the picture?
Azure Load Balancer (including the Internal one) operates at the network layer, so it does not do SSL offloading or things like cookie-based affinity. If that's what you need, you may look into something like Azure Application Gateway or third-party layer 7 load balancers (Nginx Plus, Barracuda WAF, etc).
In your case, with the standard ILB, all requests will be routed to one of the 4 VMs, and all of them will need to have the SSL certificate installed (the same one in all VMs). SSL certificates, indeed, are bound to a specific hostname, but not a specific machine: if you need to load balance, you're free to re-use the same certificate (and private key) on every instance, as long as they all respond to the same hostname publicly.
Azure Load balancer does not provide SSL offloading. You could leverage KEMP LoadMaster-for-Azure and configure SSL offloading, by uploading certificate on the loadMaster and allow non ssl or SSL traffic to the 4 internal VMs. You could find the details in the below link
https://kemptechnologies.com/solutions/microsoft-load-balancing/loadmaster-azure/
Regards,
Krishna

Resources