Certificate Management for Azure Application Gateway using Azure Key Vault

Hi all, today we will see how we can use Azure Key Vault for certificate management with Azure Application Gateway.

The traditional way we all configure SSL offload on Application Gateway is to upload a PFX certificate directly to the gateway. This traditional approach becomes difficult when:

  • Certificates are uploaded manually
  • There is no central certificate store
  • Disaster recovery is needed
  • The Application Gateway has to be reconfigured
  • Secrets have to be managed
  • There is no automated management of the Application Gateway

In any of the above scenarios, we end up searching for the certificate and keys, and for how, what and when things were configured. Suppose we have an automated way of configuring our Application Gateway; it would then be much easier if our certificates were kept in one place and simply consumed from there.

Some might store certificates in a VCS repository and keep the secrets in some vaulting solution. But with Azure Key Vault we have one of the best solutions: Application Gateway can read the Key Vault where our certificates and secrets are stored.

Application Gateway v2 SKU supports integration with Key Vault for certificates.

Using Key Vault for the SSL certificate settings of Application Gateway has clear benefits and reduces the risk involved when we fetch and renew certificates and keys.

Microsoft Official Key Vault and Application GW integration documentation

Pre-requisites

  1. Azure Key Vault, with Get secrets permission granted to the managed identity
  2. User-assigned managed identity assigned to the Application Gateway
  3. Azure Application Gateway
  4. PFX from your favorite provider

The code below assigns the Key Vault certificate to the Application Gateway.

# Get the Application Gateway
$appgw = Get-AzApplicationGateway -Name examplegw -ResourceGroupName examplerg

# Assign the user-assigned managed identity the gateway will use to read Key Vault
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/exampleuid"

# Fetch the certificate's secret from the vault
$secret = Get-AzKeyVaultSecret -VaultName "examplevault" -Name "sslexample"

# $secret.Id includes the secret version; the gateway also accepts a version-less ID
$secretId = $secret.Id

# Reference the Key Vault secret ID as the gateway's SSL certificate
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationGateway $appgw -Name $secret.Name

# Commit the changes to the Application Gateway
Set-AzApplicationGateway -ApplicationGateway $appgw

After the above steps, any certificate stored in Key Vault can be consumed in all future configuration of the Application Gateway, for example when configuring a Listener:
  1. Open the Listeners of the Azure Application Gateway.
  2. Enter a Listener name
  3. Select the front-end IP
  4. Port: 443 in the ideal scenario, as this is SSL offloading
  5. Protocol: HTTPS
  6. In the next step, since we are configuring a new listener, select Create new certificate
  7. There are now two options, Upload and Choose from Key Vault; we will use the Key Vault option
  8. Select the managed identity
  9. Select the Key Vault where the certificates are uploaded
  10. Enter the certificate name
  11. Other settings: Multi site, and the error page as required.

Steps 7 to 9 are the ones that change, and this is what gives us stable certificate management in Key Vault.

Note: The managed identity needs to be assigned permissions to get secrets from Key Vault.

As Key Vault is a PaaS solution, the entire management remains with Azure. In case of disaster we only need the template to deploy the Application Gateway; Key Vault will provide all the secrets and certificates. This relieves enterprises from managing certificates at their end. Even where we want certificates from DigiCert or GlobalSign, we can generate the certificate from Key Vault.

We can even trigger emails to support teams and the respective owners when certificates are about to expire.
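As an added example that is not part of the original post, the PowerShell check below audits an existing gateway for the three things this setup depends on: the user-assigned identity, its Get permission on secrets (the Note above), and the expiry of each Key Vault certificate. It assumes the post's placeholder names (examplegw, examplerg), a vault using the access-policy permission model, and the property names returned by the Az.Network and Az.KeyVault cmdlets.

```powershell
# Added example, not from the original post. Audits the Key Vault wiring of an
# Application Gateway: identity present, 'get' on secrets granted, certificate expiry.
# examplegw / examplerg are the post's placeholder names; $WarnDays is an assumed threshold.
param(
    [string]$GatewayName   = 'examplegw',
    [string]$ResourceGroup = 'examplerg',
    [int]$WarnDays         = 30
)
$appgw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Prerequisite 2: the gateway must carry a user-assigned managed identity.
$identityIds = @($appgw.Identity.UserAssignedIdentities.Keys | Where-Object { $_ })
if ($identityIds.Count -eq 0) { throw "Gateway '$GatewayName' has no user-assigned identity." }
$principalId = $appgw.Identity.UserAssignedIdentities[$identityIds[0]].PrincipalId

foreach ($cert in $appgw.SslCertificates) {
    if (-not $cert.KeyVaultSecretId) {
        Write-Warning "'$($cert.Name)' is an uploaded PFX, not a Key Vault reference."
        continue
    }
    # Secret ID format: https://<vault>.vault.azure.net/secrets/<name>[/<version>]
    $uri        = [uri]$cert.KeyVaultSecretId
    $vaultName  = $uri.Host.Split('.')[0]
    $parts      = $uri.AbsolutePath.Trim('/').Split('/')
    $secretName = $parts[1]
    $pinned     = $parts.Count -ge 3    # a version segment pins the gateway to that version

    # Prerequisite 1 (the Note above): the identity needs 'get' on secrets.
    # Only the access-policy model is checked; an RBAC-enabled vault needs a role check instead.
    $vault  = Get-AzKeyVault -VaultName $vaultName
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
    $canGet = [bool]($policy -and ($policy.PermissionsToSecrets -contains 'get'))

    # Expiry, so owners hear about it before the gateway serves an expired certificate.
    $kvCert   = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $secretName -ErrorAction SilentlyContinue
    $daysLeft = if ($kvCert) { [int]($kvCert.Expires - (Get-Date)).TotalDays } else { $null }

    [pscustomobject]@{
        Certificate    = $cert.Name
        Vault          = $vaultName
        IdentityCanGet = $canGet
        VersionPinned  = $pinned
        DaysToExpiry   = $daysLeft
        Action         = if (-not $canGet)               { 'grant get-secret permission' }
                         elseif ($null -eq $daysLeft)     { 'not a Key Vault certificate object' }
                         elseif ($daysLeft -lt $WarnDays) { 'renew in Key Vault' }
                         elseif ($pinned)                 { 'consider a version-less secret ID' }
                         else                             { 'ok' }
    }
}
```

Run it after Connect-AzAccount; the Action column is what a support team would act on before the expiry emails mentioned above ever fire.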

With an integrated CA, we can even renew the certificate in place.

This is how we can use, manage, and simplify certificate management with Key Vault, especially with Azure Application Gateway.

Hope you all like this.

Ponkanagaraj Arumugam

Technical Architect at Tata Consultancy Services - Cloud Technology (Azure, AWS & GCP)

2y

Nice one Nirav!!
