
Overview of TLS with Application Gateway

Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and encrypted.

Application Gateway supports both TLS termination at the gateway and end-to-end TLS encryption.

TLS termination

Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. There are a number of advantages to doing TLS termination at the application gateway:

Improved performance

  • The biggest performance hit when doing TLS decryption is the initial handshake. To improve performance, the server doing the decryption caches TLS session IDs and manages TLS session tickets.
  • If this is done at the application gateway, all requests from the same client can use the cached values.
  • If it’s done on the backend servers, then each time the client’s requests go to a different server the client must reauthenticate. The use of TLS tickets can help mitigate this issue, but they aren't supported by all clients and can be difficult to configure and manage.

Better utilization of the backend servers

  • SSL/TLS processing is very CPU-intensive, and becomes more so as key sizes increase.
  • Removing this work from the backend servers allows them to focus on what they are most efficient at, delivering content.

Intelligent routing

  • By decrypting the traffic, the application gateway has access to the request content, such as headers, URI, and so on, and can use this data to route requests.

Certificate management

  • Certificates only need to be purchased and installed on the application gateway and not all backend servers. This saves both time and money.

To configure TLS termination, a TLS/SSL certificate must be added to the listener. This allows the Application Gateway to decrypt incoming traffic and encrypt response traffic to the client.

The certificate provided to the Application Gateway must be in Personal Information Exchange (PFX) format, which contains both the private and public keys. The supported PFX algorithms are listed under the PFXImportCertStore function.

WARNING

The certificate on the listener requires the entire certificate chain to be uploaded (the root certificate from the CA, the intermediates and the leaf certificate) to establish the chain of trust.

INFO

Application gateway doesn't provide any capability to create a new certificate or send a certificate request to a certification authority.

For the TLS connection to work, you need to ensure that the TLS/SSL certificate meets the following conditions:

  • That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.

  • That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.

Certificates supported for TLS termination

Application gateway supports the following types of certificates:

CA (Certificate Authority) certificate

  • A CA certificate is a digital certificate issued by a certificate authority (CA).

EV (Extended Validation) certificate

  • An EV certificate is a certificate that conforms to industry standard certificate guidelines.
  • This will turn the browser locator bar green and publish the company name as well.

Wildcard Certificate

  • This certificate supports any number of subdomains based on *.site.com, where your subdomain would replace the *.
  • It doesn’t, however, support site.com, so in case the users are accessing your website without typing the leading "www", the wildcard certificate won't cover that.

Self-Signed certificate

  • Client browsers don't trust these certificates and will warn the user that the virtual service’s certificate isn't part of a trust chain.
  • Self-signed certificates are good for testing or environments where administrators control the clients and can safely bypass the browser’s security alerts.
  • Production workloads should never use self-signed certificates.

Size of the certificate

Maximum SSL certificate size

  • V1 SKU - 10 KB
  • V2 SKU - 16 KB
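The listener conditions above (validity window, CN/SAN matching the host header, the wildcard rule for *.site.com) and the per-SKU size limits can be checked before upload. The following Go program is an added example, not code from the Microsoft page or from Application Gateway; it reads a PEM certificate rather than a PFX (Go's standard library has no PKCS#12 parser), assumes the SKU limit applies to the uploaded bytes, and NewSelfSignedPEM exists only to build constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// Maximum listener certificate size per SKU, as stated on the page.
var maxCertBytes = map[string]int{"v1": 10 * 1024, "v2": 16 * 1024}
// CheckListenerCert applies the page's listener conditions to one PEM certificate: the SKU
// size limit, the validity window at time now, and whether host (the client's host header) is covered.
func CheckListenerCert(certPEM []byte, host, sku string, now time.Time) []string {
	var problems []string
	if limit, ok := maxCertBytes[sku]; !ok {
		problems = append(problems, "unknown SKU "+sku)
	} else if len(certPEM) > limit {
		problems = append(problems, fmt.Sprintf("%d bytes exceeds the %s limit of %d", len(certPEM), sku, limit))
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return append(problems, "no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return append(problems, "parse error: "+err.Error())
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, fmt.Sprintf("not valid at %s (valid %s to %s)", now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339)))
	}
	// VerifyHostname applies the wildcard rule: *.contoso.com matches www.contoso.com, not bare contoso.com.
	if err := cert.VerifyHostname(host); err != nil {
		problems = append(problems, "name mismatch: "+err.Error())
	}
	return problems
}
// NewSelfSignedPEM builds a constructed self-signed test certificate (test data only, not for production).
func NewSelfSignedPEM(cn string, dns []string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

An empty result means the certificate passes every check; each string in the result names one failed condition.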

End-to-end TLS encryption

End-to-end TLS allows you to encrypt and securely transmit sensitive data to the backend while you use Application Gateway's Layer-7 load-balancing features. These features include:

  • cookie-based session affinity
  • URL-based routing
  • support for routing based on sites
  • the ability to rewrite or inject X-Forwarded-* headers, and so on.

https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview