Application Gateway and encryption

10 minutes

Encrypting your data while it's in transit is an important step toward securing your
applications. You can purchase certificates from a certificate authority and use them to
encrypt the messages that pass in and out of your servers. This prevents unauthorized
users from intercepting and examining the information in these messages while they're
being transmitted.

In the shipping portal, encryption is important because we're dealing with shipping
customer orders. If someone can access the transmitted data, they can view sensitive
information, such as customer details or financial account data.

To help secure this data, you can use Azure Application Gateway. It encrypts data that's
traversing the network from users to application servers.

Application Gateway and its benefits


Azure Application Gateway is an application delivery controller. It provides features such
as load balancing HTTP traffic, web application firewall, and support for SSL encryption
of your data. Application Gateway supports encrypting traffic between users and an
application gateway, and between application servers and an application gateway.

When you terminate the SSL connection at the application gateway, it offloads the CPU-
intensive SSL termination workload from your servers. Also, you don’t need to install
certificates and configure SSL on your servers.

If you need end-to-end encryption, Application Gateway can decrypt the traffic on the
gateway by using your private key and then re-encrypt again with the public key of the
service running in the backend pool.

Exposing your website or web application through the application gateway also means
that you don't directly connect your servers to the web. You're exposing only port 80 or
port 443 on the application gateway. Your web servers aren't directly accessible from
the internet, reducing the attack surface of your infrastructure.

Application Gateway components

Application Gateway has several components. The main parts for encryption are the
frontend port, the listener, and the backend pool.

The following image shows how incoming traffic from a client to Application Gateway
over SSL is decrypted and then re-encrypted when it's sent to a server in the backend
pool.

Frontend port and listener

Traffic enters the gateway through a frontend port. You can open many ports, and
Application Gateway can receive messages on any of these ports. A listener is the first
thing that your traffic meets when entering the gateway through a port. It's set up to
listen for a specific host name, and a specific port on a specific IP address. The listener
can use an SSL certificate to decrypt the traffic that enters the gateway. The listener then
uses a rule that you define to direct the incoming requests to a backend pool.

Backend pool

The backend pool contains your application servers. These servers might be virtual
machines, a virtual machine scale set, or applications running on Azure App Service.
Incoming requests can be load balanced across the servers in this pool. The backend
pool has an HTTP setting that references a certificate used to authenticate the backend
servers. The gateway re-encrypts the traffic by using this certificate before sending it to
one of your servers in the backend pool.

If you're using Azure App Service to host the backend application, you don't need to
install any certificates in Application Gateway to connect to the backend pool. All
communications are automatically encrypted. Application Gateway trusts the servers
because Azure manages them.

Check your knowledge

1. What are the benefits of using Application Gateway to help protect traffic sent to or
from your applications?

- Application Gateway can implement an SSL connection with clients. There's no need to
encrypt data sent from the gateway to the servers running your application.
- Application Gateway can implement an SSL connection with clients. Application Gateway
can also implement an SSL connection with the servers running your application.
- Application Gateway doesn't require an SSL connection with clients. All encryption is
carried out by the connection with the servers running your application.
- Application Gateway automatically protects the communications between clients and
the servers running your application. You don't need to do any additional configuration.

2. Which of the following can't be placed in the backend pool of an application gateway?

- Azure App Service
- Azure virtual machines
- Azure Cosmos DB
- Azure virtual machine scale sets

Configure backend pools for encryption

10 minutes

The backend pool contains the servers that implement the application. Azure
Application Gateway routes requests to these servers, and can load balance the traffic
across these servers.

In the shipping portal, the application servers in the backend pool must use SSL to
encrypt the data that passes between Application Gateway and the servers in the
backend pool. Application Gateway uses an SSL certificate with a public key to encrypt
the data. The servers use the corresponding private key to decrypt the data as it's
received. In this unit, you'll see how to create the backend pool and install the necessary
certificates in Application Gateway to help protect the messages that are transmitted to
and from the backend pool.

Encryption from Application Gateway to the backend pool

A backend pool can reference individual virtual machines, a virtual machine scale set,
the IP addresses of real computers (either on-premises or running remotely), or services
hosted through Azure App Service. All the servers in the backend pool should be
configured in the same way, including their security settings.

If the traffic directed to the backend pool is protected through SSL, each server in the
backend pool must provide a suitable certificate. For testing purposes, you can create a
self-signed certificate. In a production environment, you should always generate or
purchase a certificate that a certificate authority (CA) can authenticate.

There are currently two versions of Application Gateway: v1 and v2. They have similar
capabilities but have slightly different implementation details. The v2 version provides
additional features and performance improvements.

Certificate configuration in Application Gateway v1

Application Gateway v1 requires that you install the authentication certificate for the
servers in the gateway configuration. This certificate contains the public key that
Application Gateway can use to encrypt messages and authenticate your servers. You
can create this certificate by exporting it from the server. The application server uses the
corresponding private key for decrypting these messages. This private key should be
stored only on your application servers.

You can add an authentication certificate to Application Gateway by using the az
network application-gateway auth-cert create command from the Azure CLI. The
following example illustrates the syntax of this command. The certificate should be in
CER format.

Azure CLI
az network application-gateway auth-cert create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <certificate name> \
--cert-file <path to authentication certificate>

Application Gateway provides other commands that you can use to list and manage
authentication certificates. For example:
- The az network application-gateway auth-cert list command shows the
certificates that have been installed.
- The az network application-gateway auth-cert update command can be
used to change the certificate.
- The az network application-gateway auth-cert delete command removes a
certificate.

Certificate configuration in Application Gateway v2

Application Gateway v2 has slightly different authentication requirements. You provide
the certificate for the certificate authority that has authenticated the SSL certificate for
the servers in the backend pool. You add this certificate as a trusted root certificate to
Application Gateway. Use the az network application-gateway root-cert
create command from the Azure CLI.

Azure CLI
az network application-gateway root-cert create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <certificate name> \
--cert-file <path to trusted CA certificate>

If your servers are using a self-signed certificate, add this certificate as the trusted root
certificate in Application Gateway.

HTTP settings

Application Gateway uses a rule to specify how to direct the messages that it receives on
its incoming port to the servers in the backend pool. If the servers are using SSL, you
must configure the rule to indicate:

- That the servers expect traffic through the HTTPS protocol.
- Which certificate to use to encrypt traffic and authenticate the connection
to a server.

You define this configuration information by using an HTTP setting.

Define an HTTP setting by using the az network application-gateway http-settings
create command in the Azure CLI. The following example shows the syntax for creating
a setting that routes traffic by using the HTTPS protocol to port 443 on the servers in
the backend pool. If you're using Application Gateway v1, the --auth-certs parameter is
the name of the authentication certificate that you added to Application Gateway
previously.

Azure CLI
az network application-gateway http-settings create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <HTTPS settings name> \
--port 443 \
--protocol Https \
--auth-certs <certificate name>

If you're using Application Gateway v2, omit the --auth-certs parameter. Application
Gateway contacts the backend server. It verifies the authenticity of the certificate
presented by the server against the CAs specified by a list of trusted root certificates. If
there's no match, Application Gateway won't connect to the backend server and will fail
with an HTTP 502 (Bad Gateway) error.

Exercise - Configure backend pools for encryption

30 minutes

You want to implement end-to-end encryption for the shipping portal application.
Encrypting all data between users and servers will help ensure that no unauthorized user
can intercept and read the data.

In this unit, you'll set up the web application and the application gateway. Next, you'll
create some self-signed SSL certificates and enable encryption in your backend pool to
help secure the traffic from the application gateway to your servers.

The following image highlights the elements you'll configure in this exercise. You'll be
setting up an application gateway by using Azure Application Gateway v2.

Deploy a virtual machine and an application gateway


1. Open the Azure Cloud Shell in your browser, and log in to the directory with
access to the subscription you want to create resources in.
2. Run the following command in the Cloud Shell to create a variable to store
your resource group name, and a resource group for your resources.
Replace <resource group name> with a name for your resource group,
and <location> with the Azure region you'd like to deploy your resources in.

Azure CLI
export rgName=<resource group name>

az group create --name $rgName --location <location>

3. In Azure Cloud Shell, run the following command to download the source
code for the shipping portal.

Bash
git clone https://github.com/MicrosoftDocs/mslearn-end-to-end-encryption-with-app-gateway shippingportal

4. Move to the shippingportal folder.

Bash
cd shippingportal

5. Run the following setup script to create the virtual machine, certificates, and
application gateway.

Bash
bash setup-infra.sh

Note

This script will take several minutes to finish.

Verify that the web server is configured correctly


1. Run the following command to display the URL of the web server that the
setup script created.

Bash
echo https://"$(az vm show \
--name webservervm1 \
--resource-group $rgName \
--show-details \
--query [publicIps] \
--output tsv)"

2. In your web browser, go to the URL.

You'll likely receive a warning message from your browser, similar to the
example in the following image. This warning occurs because the web
server is configured through a self-signed certificate that can't be
authenticated.

The warning message can vary, depending on your browser. The example
image shows Microsoft Edge. Proceed to the website by selecting Go on to
the webpage or the equivalent. You should see the home page for the
shipping portal. This is a sample app to test that the server is configured
correctly.

Configure the backend pool for encryption

1. Run the following command to get the private IP address of the virtual
machine that's acting as the web server.

Bash
privateip="$(az vm list-ip-addresses \
--resource-group $rgName \
--name webservervm1 \
--query "[0].virtualMachine.network.privateIpAddresses[0]" \
--output tsv)"

2. Set up the backend pool for Application Gateway by using the private IP
address of the virtual machine.

Azure CLI
az network application-gateway address-pool create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name ap-backend \
--servers $privateip

3. Upload the certificate for the VM in the backend pool to Application
Gateway, as a trusted root certificate. This certificate was generated by the
setup script and is stored in the shipping-ssl.crt file.

Azure CLI
az network application-gateway root-cert create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name shipping-root-cert \
--cert-file server-config/shipping-ssl.crt

4. Configure the HTTP settings to use the certificate.

Azure CLI
az network application-gateway http-settings create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-settings \
--port 443 \
--protocol Https \
--host-name $privateip

5. Run the following commands to set the trusted certificate for the backend
pool to the certificate installed on the backend VM.

Azure CLI
export rgID="$(az group show --name $rgName --query id --output tsv)"

az network application-gateway http-settings update \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-settings \
--set trustedRootCertificates='[{"id": "'$rgID'/providers/Microsoft.Network/applicationGateways/gw-shipping/trustedRootCertificates/shipping-root-cert"}]'

You now have a virtual machine running the shipping portal site, and an application
gateway. You've configured SSL encryption between Application Gateway and your
application server.

Configure an Application Gateway listener for encryption

10 minutes

You have configured SSL for the connection between Azure Application Gateway and
the servers in the backend pool. For the shipping portal, you need full end-to-end
encryption. To do this, you'll also need to encrypt the messages that the client sends to
Application Gateway.

Create a frontend port


Application Gateway receives requests through one or more ports. If you're
communicating with the gateway over HTTPS, you should configure an SSL port.
Traditionally, HTTPS uses port 443. Use the az network application-gateway frontend-port
create command to create a new frontend port. The following example shows how
to create a frontend port for port 443:

Azure CLI
az network application-gateway frontend-port create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <port name> \
--port 443


Configure a listener

A listener waits for incoming traffic to the gateway on a specified frontend port. This
traffic is then routed to a server in the backend pool. If the frontend port uses SSL, you
need to indicate the certificate to use for decrypting incoming messages. The certificate
includes the private key.

You can add the certificate by using the az network application-gateway ssl-cert
create command. The certificate file should be in PFX format. Because this file contains
the private key, it will also likely be password protected. You provide the password in
the --cert-password argument, as shown in the following example.

Azure CLI
az network application-gateway ssl-cert create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <ssl certificate name> \
--cert-file <SSL certificate file (PFX)> \
--cert-password <password for certificate file>
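Two of the certificate details in this module are easy to get wrong and only show up at run time: the v2 trusted-root check described under "HTTP settings" (a backend certificate that doesn't chain to an uploaded root ends in an HTTP 502), and the difference between the public-only CER/CRT file you upload as a trusted root and the password-protected PFX, containing the private key, that a listener needs. The script below rehearses both offline. It's an added example written for this page, not part of the module or its setup script; it assumes the openssl command-line tool is installed, and the host 10.0.0.4 (standing in for the value you later pass to http-settings --host-name), the password, the CA names and the file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Microsoft Learn module: it uses the openssl CLI
# (assumed installed) to build a throwaway PKI with the same shape as the
# certificate files the module hands to the Azure CLI:
#   root.cer    public CA certificate            -> `root-cert create` (v2)
#   server.crt  backend certificate signed by it -> what the backend VM presents
#   server.pfx  password-protected key + cert    -> `ssl-cert create` (listener)
# Everything here is constructed: the host 10.0.0.4, the password, the CA names
# and the file names.

set -eu

# Build the demo PKI in DIR for HOST; the PFX is protected with PASSWORD.
make_demo_pki() {
    dir="$1"; host="$2"; password="$3"

    # Minimal req config so the system openssl.cnf is not consulted and the
    # extension set is exactly what is written here.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Two self-signed roots: the one the backend certificate chains to, and an
    # unrelated one standing in for "a CA the gateway was not told to trust".
    for ca in root other-root; do
        openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext \
            -subj "/CN=Demo $ca CA" -newkey rsa:2048 -nodes -days 30 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.cer" 2>/dev/null
    done

    # Backend server certificate. Its SAN has to cover the value later given to
    # `http-settings --host-name`; an IP gets an IP SAN, anything else a DNS SAN.
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "authorityKeyIdentifier=keyid,issuer" \
        "subjectAltName=$san" > "$dir/server.ext"
    openssl req -new -config "$dir/req.cnf" -subj "/CN=$host" \
        -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/root.cer" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # Listener-style bundle: private key, certificate and issuing CA in one
    # password-protected PKCS#12 (.pfx) file.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/root.cer" -passout "pass:$password" -out "$dir/server.pfx"
}

# The trust check Application Gateway v2 performs before forwarding a request:
# does the server certificate chain to one of the trusted root certificates?
# A non-zero exit here is the situation the module describes as an HTTP 502.
backend_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate's subjectAltName list HOST exactly (DNS name or IP)?
cert_covers_host() {
    pattern="$(printf '%s' "$2" | sed 's/\./\\./g')"
    openssl x509 -in "$1" -noout -text \
        | grep -qE "(DNS|IP Address):$pattern(,|[[:space:]]|$)"
}

# PEM private key present? True for a PFX opened with its password, false for
# the public-only .cer you upload as a trusted root.
has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

# Stand-alone run: build the PKI in a scratch directory and report each check.
work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work" 10.0.0.4 somepassword
for check in "backend_trusted $work/root.cer $work/server.crt" \
             "backend_trusted $work/other-root.cer $work/server.crt" \
             "cert_covers_host $work/server.crt 10.0.0.4" \
             "pfx_has_private_key $work/server.pfx somepassword" \
             "has_private_key $work/root.cer"; do
    if $check; then echo "ok:   $check"; else echo "fail: $check"; fi
done
```

The second backend_trusted line is the interesting one: the server certificate is perfectly valid, it just chains to a root the gateway was never given, which is exactly the 502 case. The last line is the other common mistake in reverse: a .cer holds no private key, so it can't serve as a listener certificate, while the PFX can.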

You can then create the listener that receives requests from the frontend port and
decrypts them by using this certificate. Use the az network application-gateway http-listener
create command.

Azure CLI
az network application-gateway http-listener create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <listener name> \
--frontend-port <frontend port name> \
--ssl-cert <ssl certificate name>

Define a rule to send HTTPS requests to the servers


The final step is to create a rule that directs the messages received through the listener
to the servers in the backend pool. The messages received from the frontend port are
decrypted through the SSL certificate specified for the listener. You need to re-encrypt
these messages by using the client-side certificate for the servers in the backend pool.
You define this information in the rule.

The following example shows how to use the az network application-gateway rule
create command to create a rule that connects a listener to a backend pool. The
--http-settings parameter specifies the HTTP settings that reference the client-side
certificate for the servers. You created these settings in the previous unit.

Azure CLI
az network application-gateway rule create \
--resource-group <resource group name> \
--gateway-name <application gateway name> \
--name <rule name> \
--address-pool <backend pool> \
--http-listener <listener name> \
--http-settings <HTTPS settings name> \
--rule-type Basic

You should now have complete end-to-end encryption for messages routed through
Application Gateway. Clients use the SSL certificate for Application Gateway to send
messages. Application Gateway decrypts these messages by using this SSL certificate,
and then re-encrypts the messages by using the certificate for the servers in the
backend pool.

Exercise - Configure an Application Gateway listener for encryption

10 minutes

Now that you've configured the certificates for Azure Application Gateway and the
backend pool, you can create a listener to handle incoming requests. The listener will
wait for messages, decrypt them by using the private key, and then route these
messages to the backend pool.

In this unit, you'll set up the listener with port 443 and with the SSL certificate that you
created in the first exercise. The following image highlights the elements you'll set up in
this exercise.

Configure the listener


1. Run the following command to create a new frontend port (443) for the
gateway.

Azure CLI
az network application-gateway frontend-port create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-port \
--port 443

2. Upload the SSL certificate for Application Gateway. The setup script
generated this certificate in the previous exercise. The certificate is stored in
the appgateway.pfx file in the server-config folder.
The password generated for the .pfx file is somepassword. Don't change it in
the following command.

Azure CLI
az network application-gateway ssl-cert create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name appgateway-cert \
--cert-file server-config/appgateway.pfx \
--cert-password somepassword

3. Run the following command to create a new listener that accepts incoming
traffic on port 443. The listener uses the certificate appgateway-cert to
decrypt messages.

Azure CLI
az network application-gateway http-listener create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-listener \
--frontend-port https-port \
--ssl-cert appgateway-cert

4. Run the following command to create a rule that directs traffic received
through the new listener to the backend pool. This command might take a
minute or two to finish.

Azure CLI
az network application-gateway rule create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-rule \
--address-pool ap-backend \
--http-listener https-listener \
--http-settings https-settings \
--rule-type Basic

Test the application gateway


1. Retrieve the public URL of the application gateway.

Bash
echo https://$(az network public-ip show \
--resource-group $rgName \
--name appgwipaddr \
--query ipAddress \
--output tsv)

2. Go to the URL in a web browser.

As before, your browser might display a warning message that says the SSL
connection is using an unauthenticated certificate. This is because the
certificate is self-signed. You can ignore this warning and continue to the
website.

3. Verify that the home page for the shipping portal appears.

You have now configured the listener to listen on port 443 and decrypt the data that's
ready to be passed to the backend pool. The data is re-encrypted when it's transmitted
from the gateway to a server in the backend pool. With this listener in place, you have
set up end-to-end encryption for the shipping portal.

Summary

2 minutes

You've now used Azure Application Gateway to encrypt and help secure your network
traffic between users and your web application. You enabled SSL encryption between
users and Application Gateway to encrypt traffic over the internet.

You also enabled SSL encryption for traffic between Application Gateway and your web
services. This encryption also lets Application Gateway verify that it's communicating
with legitimate web services.
You can now use the skills you've learned in your own environment to help secure HTTP
traffic.


Clean up

The sandbox automatically cleans up your resources when you're finished with this
module.

When you're working in your own subscription, it's a good idea at the end of a project
to identify whether you still need the resources you created. Resources left running can
cost you money. You can delete resources individually or delete the resource group to
delete the entire set of resources.


Learn more

To learn more about Azure Application Gateway, see the following articles:

- Configure end to end SSL by using Application Gateway with PowerShell
- SSL termination and end to end SSL with Application Gateway
- Application gateway components