Encrypting your data while it's in transit is an important step toward securing your
applications. You obtain a certificate from a certificate authority and use it to establish
TLS (still commonly called SSL) connections to your servers. The certificate proves the
server's identity to clients, and the session keys negotiated during the handshake encrypt
the messages that pass in and out of your servers. This prevents unauthorized users who
intercept the traffic from reading, or silently altering, the information in these
messages while they're being transmitted.
In the shipping portal, encryption is important because we're dealing with shipping
customer orders. If someone can access the transmitted data, they can view sensitive
information, such as customer details or financial account data.
To help secure this data, you can use Azure Application Gateway. It encrypts data that's
traversing the network from users to application servers.
When you terminate the SSL connection at the application gateway, you offload the CPU-
intensive handshake and encryption work from your servers, and you don't need to install
certificates or configure SSL on them. The trade-off is that traffic between the gateway
and the servers then travels as plain HTTP inside your virtual network.
If you need end-to-end encryption, Application Gateway decrypts the traffic by using the
private key of the gateway's certificate and then opens a new TLS connection to the
server in the backend pool, authenticating that server with the certificate it presents
before re-encrypting the traffic for it.
Exposing your website or web application through the application gateway also means
that you don't directly connect your servers to the web. You're exposing only port 80 or
port 443 on the application gateway. Your web servers aren't directly accessible from
the internet, reducing the attack surface of your infrastructure.
Application Gateway components
Application Gateway has several components. The main parts for encryption are the
frontend port, the listener, and the backend pool.
The following image shows how incoming traffic from a client to Application Gateway
over SSL is decrypted and then re-encrypted when it's sent to a server in the backend
pool.
Traffic enters the gateway through a frontend port. You can open many ports, and
Application Gateway can receive messages on any of these ports. A listener is the first
thing that your traffic meets when entering the gateway through a port. It's set up to
listen for a specific host name, and a specific port on a specific IP address. The listener
can use an SSL certificate to decrypt the traffic that enters the gateway. The listener then
uses a rule that you define to direct the incoming requests to a backend pool.
Backend pool
The backend pool contains your application servers. These servers might be virtual
machines, a virtual machine scale set, or applications running on Azure App Service.
Incoming requests can be load balanced across the servers in this pool. The backend
pool has an HTTP setting that references a certificate used to authenticate the backend
servers. The gateway re-encrypts the traffic by using this certificate before sending it to
one of your servers in the backend pool.
If you're using Azure App Service to host the backend application, you don't need to
install any certificates in Application Gateway to connect to the backend pool. App
Service endpoints present certificates issued by public certificate authorities that
Application Gateway already trusts, so the connection is encrypted and the backend is
authenticated without any certificate upload on your side.
The backend pool contains the servers that implement the application. Azure
Application Gateway routes requests to these servers, and can load balance the traffic
across these servers.
In the shipping portal, the application servers in the backend pool must use SSL to
encrypt the data that passes between Application Gateway and the servers in the
backend pool. Each server presents a certificate that carries its public key. Application
Gateway uses that certificate to authenticate the server and to negotiate the session
keys that encrypt the data; the server proves that it holds the corresponding private
key during the handshake, and that private key never leaves the server. In this unit,
you'll see how to create the backend pool and install the necessary certificates in
Application Gateway so that the gateway can verify the servers it sends decrypted traffic
to.
If the traffic directed to the backend pool is protected through SSL, each server in the
backend pool must present a suitable certificate. For testing purposes, you can create a
self-signed certificate. In a production environment, you should always use a certificate
issued by a certificate authority (CA) that Application Gateway trusts, either a public CA
or your own private CA whose root certificate you upload to the gateway.
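As an added example (not the module's own setup script), the following shell function generates a self-signed test certificate for a backend server with openssl and bundles it into a PFX. The output file names, the 90-day lifetime and the san_for helper are this example's choices, and openssl 1.1.1 or later is assumed for -addext. What it adds to the paragraph above is the detail that matters for Application Gateway: the host name the gateway will use to reach the server has to appear in the certificate, as an IP SAN for an address and a DNS SAN for a name, and only the .crt (public) file is ever uploaded to the gateway.

```shell
#!/bin/sh
# Self-signed test certificate for a backend server (added example, not the
# module's setup-infra.sh). Requires openssl 1.1.1+ for -addext.

# Return the subjectAltName entry for the host name Application Gateway will
# use to reach the server. The gateway checks that name against the backend
# certificate, so it must be present and of the right SAN type: "IP:" for an
# address, "DNS:" for a name. (Assumption: IPv6 literals contain a colon.)
san_for() {
  case $1 in
    *:*)        echo "IP:$1" ;;
    *[!0-9.]*)  echo "DNS:$1" ;;
    *)          echo "IP:$1" ;;
  esac
}

# make_self_signed NAME HOST PFX_PASSWORD [OUTDIR]
# Writes NAME.key (private key), NAME.crt (public certificate) and NAME.pfx
# (key + certificate, password-protected). Only NAME.crt is uploaded to the
# gateway as a trusted root; NAME.key and NAME.pfx stay on the TLS endpoint.
make_self_signed() {
  name=$1 host=$2 pfxpass=$3 outdir=${4:-.}
  [ -n "$name" ] && [ -n "$host" ] \
    || { echo "usage: make_self_signed NAME HOST PFX_PASSWORD [OUTDIR]" >&2; return 1; }
  [ -n "$pfxpass" ] \
    || { echo "error: refusing to write an unprotected PFX; give a password" >&2; return 1; }
  # CN and SAN both carry the host name so that either check the gateway
  # applies will match. 90 days is plenty for a test certificate.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 90 -nodes \
    -keyout "$outdir/$name.key" -out "$outdir/$name.crt" \
    -subj "/CN=$host" -addext "subjectAltName=$(san_for "$host")" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$outdir/$name.key" -in "$outdir/$name.crt" \
    -out "$outdir/$name.pfx" -passout "pass:$pfxpass" || return 1
  chmod 600 "$outdir/$name.key" "$outdir/$name.pfx"
}

# Example, using the file name the exercise later expects (the address is a
# placeholder for the VM's private IP):
#   make_self_signed shipping-ssl 10.0.0.4 'choose-a-strong-password' server-config
```

The password guard is deliberate: a PFX without a password is a private key anyone can read off the disk, and a value like the sandbox's somepassword should never survive into a real deployment.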
There are currently two versions of Application Gateway: v1 and v2. They have similar
capabilities but have slightly different implementation details. The v2 version provides
additional features and performance improvements.
Application Gateway v1 requires that you install the authentication certificate for the
servers in the gateway configuration. This certificate contains the server's public key,
and the gateway accepts a backend server only if the certificate the server presents
matches it. Because this is a pin on the exact certificate, you must upload a fresh copy
whenever the server's certificate is renewed. You create the file by exporting the
certificate from the server without its private key, as a Base64-encoded .cer file. The
corresponding private key is what the server uses to complete the TLS handshake, and it
should be stored only on your application servers.

```azurecli
az network application-gateway auth-cert create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <certificate name> \
    --cert-file <path to authentication certificate>
```
Application Gateway provides other commands that you can use to list and manage
authentication certificates. For example:
- The az network application-gateway auth-cert list command shows the certificates that have been installed.
- The az network application-gateway auth-cert update command can be used to change the certificate.
- The az network application-gateway auth-cert delete command removes a certificate.
Application Gateway v2 instead validates the backend server's certificate against a
trusted root certificate. Upload the public certificate of the CA that issued the server
certificates; any server whose chain ends in that root is accepted, so renewing a server
certificate doesn't require a change on the gateway.

```azurecli
az network application-gateway root-cert create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <certificate name> \
    --cert-file <path to trusted CA certificate>
```
If your servers are using a self-signed certificate, add this certificate as the trusted root
certificate in Application Gateway.
HTTP settings
The HTTP settings tell Application Gateway how to connect to the servers in the backend
pool when a rule routes a request to them. If the servers are using SSL, the HTTP settings
must indicate:
- port 443 and the Https protocol;
- the certificate the gateway uses to verify the servers: an authentication certificate on v1 (--auth-certs) or a trusted root certificate on v2 (--root-certs);
- on v2, the host name to send to the server and check against its certificate, either a fixed value (--host-name) or the backend address (--host-name-from-backend-pool).
The following example is for v1:

```azurecli
az network application-gateway http-settings create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <HTTPS settings name> \
    --port 443 \
    --protocol Https \
    --auth-certs <certificate name>
```
You want to implement end-to-end encryption for the shipping portal application.
Encrypting all data between users and servers will help ensure that no unauthorized user
can intercept and read the data.
In this unit, you'll set up the web application and the application gateway. Next, you'll
create some self-signed SSL certificates and enable encryption in your backend pool to
help secure the traffic from the application gateway to your servers.
The following image highlights the elements you'll configure in this exercise. You'll be
setting up an application gateway by using Azure Application Gateway v2.
In Azure Cloud Shell, set a variable for the name of your resource group:

```azurecli
export rgName=<resource group name>
```

3. In Azure Cloud Shell, run the following command to download the source code for the shipping portal.

```bash
git clone https://github.com/MicrosoftDocs/mslearn-end-to-end-encryption-with-app-gateway shippingportal
```

4. Move to the shippingportal folder.

```bash
cd shippingportal
```

5. Run the following setup script to create the virtual machine, certificates, and application gateway.

```bash
bash setup-infra.sh
```
Run the following command to print the URL of the web server's public IP address, and then open that URL in your browser.

```bash
echo https://"$(az vm show \
    --name webservervm1 \
    --resource-group $rgName \
    --show-details \
    --query [publicIps] \
    --output tsv)"
```

You'll likely receive a warning message from your browser, similar to the
example in the following image. The warning occurs because the web server
presents a self-signed certificate that no trusted certificate authority has
signed, so the browser can't verify it.
The warning message can vary, depending on your browser. The example
image shows Microsoft Edge. Proceed to the website by selecting Go on to
the webpage or the equivalent. You should see the home page for the
shipping portal. This is a sample app to test that the server is configured
correctly.
Configure the backend pool for encryption
1. Run the following command to get the private IP address of the virtual machine that's acting as the web server.

```bash
privateip="$(az vm list-ip-addresses \
    --resource-group $rgName \
    --name webservervm1 \
    --query "[0].virtualMachine.network.privateIpAddresses[0]" \
    --output tsv)"
```
2. Set up the backend pool for Application Gateway by using the private IP address of the virtual machine.

```azurecli
az network application-gateway address-pool create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name ap-backend \
    --servers $privateip
```
3. Upload the self-signed certificate that the setup script installed on the web server as a trusted root certificate, so that Application Gateway will accept the certificate the server presents.

```azurecli
az network application-gateway root-cert create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name shipping-root-cert \
    --cert-file server-config/shipping-ssl.crt
```
4. Create the HTTP settings for the backend pool. They use HTTPS on port 443, and set the host name that Application Gateway sends to the server, and checks against the server's certificate, to the VM's private IP address.

```azurecli
az network application-gateway http-settings create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name https-settings \
    --port 443 \
    --protocol Https \
    --host-name $privateip
```
5. Run the following commands to set the trusted certificate for the backend pool to the certificate installed on the backend VM.

```azurecli
export rgID="$(az group show --name $rgName --query id --output tsv)"
```
You now have a virtual machine running the shipping portal site, and an application
gateway. You've configured SSL encryption between Application Gateway and your
application server. Note that the setup script gave the VM a public IP address so that
you could test it directly; in a real deployment you would remove that address, or
restrict it with a network security group, so that the server is reachable only through
the gateway, as described in the first unit.
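The v1 and v2 commands from the first part of this unit and the exercise steps above can be folded into one script. The following is an added example, not the module's own code, that wires the backend side for either gateway version. The command names and flags are real Azure CLI; the resource names follow the exercise (gw-shipping, https-settings, shipping-root-cert), while backend-auth-cert and the check_public_cert guard are this example's own. For v2 it passes the trusted root to http-settings create with --root-certs in one step instead of updating the settings afterwards, and it refuses to upload any file that carries a private key. Setting AZ=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Backend-side TLS configuration for Application Gateway v1 and v2
# (added example, not the module's code). Needs the Azure CLI when run for
# real; AZ=echo prints the commands instead.
AZ=${AZ:-az}

# Only public certificates go to the gateway. Accept a PEM/Base64 .cer and
# reject anything that is not one, or that also carries a private key
# (a combined PEM; a .pfx is binary and has no PEM header, so it fails too).
check_public_cert() {
  f=$1
  [ -r "$f" ] || { echo "error: cannot read $f" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
    || { echo "error: $f is not a PEM certificate; export the public cert as Base64 .cer" >&2; return 1; }
  if grep -q -- 'PRIVATE KEY-----' "$f"; then
    echo "error: $f contains a private key; the key stays on the server" >&2
    return 1
  fi
}

# configure_backend_v1 RG GW SERVER_CERT
# v1 pins the exact server certificate: upload it as an authentication
# certificate and reference it from the HTTPS settings. Repeat this whenever
# the server certificate is renewed.
configure_backend_v1() {
  rg=$1 gw=$2 cert=$3
  check_public_cert "$cert" || return 1
  $AZ network application-gateway auth-cert create \
    --resource-group "$rg" --gateway-name "$gw" \
    --name backend-auth-cert --cert-file "$cert" || return 1
  $AZ network application-gateway http-settings create \
    --resource-group "$rg" --gateway-name "$gw" --name https-settings \
    --port 443 --protocol Https --auth-certs backend-auth-cert
}

# configure_backend_v2 RG GW ROOT_CERT HOST
# v2 trusts an issuer: upload the CA certificate (or, for a test, the
# self-signed server certificate itself) as a trusted root, and set the host
# name the gateway sends and checks against the backend certificate.
configure_backend_v2() {
  rg=$1 gw=$2 root=$3 host=$4
  check_public_cert "$root" || return 1
  [ -n "$host" ] \
    || { echo "error: v2 needs a host name that matches the backend certificate" >&2; return 1; }
  $AZ network application-gateway root-cert create \
    --resource-group "$rg" --gateway-name "$gw" \
    --name shipping-root-cert --cert-file "$root" || return 1
  $AZ network application-gateway http-settings create \
    --resource-group "$rg" --gateway-name "$gw" --name https-settings \
    --port 443 --protocol Https --host-name "$host" \
    --root-certs shipping-root-cert
}

# For the exercise (v2), once the address pool ap-backend exists:
#   configure_backend_v2 "$rgName" gw-shipping server-config/shipping-ssl.crt "$privateip"
```

The guard is cheap and catches the common mistake of uploading the .pfx, or a PEM that still contains the key, to the gateway's trusted-root store; the gateway only needs to verify the server, never to act as it.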
Configure an Application Gateway
listener for encryption
You have configured SSL for the connection between Azure Application Gateway and
the servers in the backend pool. For the shipping portal, you need full end-to-end
encryption. To do this, you'll also need to encrypt the messages that the client sends to
Application Gateway.
Configure a frontend port
Clients connect to the gateway through a frontend port. For HTTPS, create a port that
listens on 443 by using the az network application-gateway frontend-port create command.

```azurecli
az network application-gateway frontend-port create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <port name> \
    --port 443
```
Configure a listener
A listener waits for incoming traffic to the gateway on a specified frontend port. This
traffic is then routed to a server in the backend pool. If the frontend port uses SSL, you
need to indicate the certificate to use for decrypting incoming messages. The certificate
includes the private key.
You can add the certificate by using the az network application-gateway ssl-cert
create command. The certificate file should be in PFX format. Because this file contains
the private key, it should be password protected; you provide the password in the
--cert-password argument, as shown in the following example. Treat the .pfx file itself as
a secret: anyone who obtains it can impersonate your site. On Application Gateway v2 you
can avoid handling the file at all by storing the certificate in Azure Key Vault and
referencing it with --key-vault-secret-id instead of --cert-file.

```azurecli
az network application-gateway ssl-cert create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <ssl certificate name> \
    --cert-file <SSL certificate file (PFX)> \
    --cert-password <password for certificate file>
```
You can then create the listener that receives requests from the frontend port and
decrypts them by using this certificate. Use the az network application-gateway http-
listener create command.
```azurecli
az network application-gateway http-listener create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <listener name> \
    --frontend-port <frontend port name> \
    --ssl-cert <ssl certificate name>
```
The following example shows how to use the az network application-gateway rule
create command to create a rule that connects a listener to a backend pool. The --http-
settings parameter specifies the HTTP settings that reference the certificate used to
verify the backend servers. You created these settings in the previous unit.

```azurecli
az network application-gateway rule create \
    --resource-group <resource group name> \
    --gateway-name <application gateway name> \
    --name <rule name> \
    --address-pool <backend pool> \
    --http-listener <listener name> \
    --http-settings <HTTPS settings name> \
    --rule-type Basic
```
You should now have complete end-to-end encryption for messages routed through
Application Gateway. Clients establish a TLS session with the certificate that the listener
presents, and Application Gateway decrypts their messages by using that certificate's
private key. The gateway then opens a second TLS session to a server in the backend pool,
verifies the certificate the server presents against the one you uploaded, and
re-encrypts the messages for that server.
Now that you've configured the certificates for Azure Application Gateway and the
backend pool, you can create a listener to handle incoming requests. The listener will
wait for messages, decrypt them by using the private key, and then route these
messages to the backend pool.
In this unit, you'll set up the listener with port 443 and with the SSL certificate that you
created in the first exercise. The following image highlights the elements you'll set up in
this exercise.
1. Create a frontend port that accepts HTTPS traffic on port 443.

```azurecli
az network application-gateway frontend-port create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name https-port \
    --port 443
```
2. Upload the SSL certificate for Application Gateway. The setup script generated this certificate in the previous exercise. The certificate is stored in the appgateway.pfx file in the server-config folder.
The password generated for the .pfx file is somepassword. Don't change it in the following command. A fixed, published password like this is acceptable only in a throwaway sandbox: a real .pfx holds the gateway's private key and should be protected with a strong password or, better, kept in Azure Key Vault and referenced from the gateway rather than checked into a repository.

```azurecli
az network application-gateway ssl-cert create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name appgateway-cert \
    --cert-file server-config/appgateway.pfx \
    --cert-password somepassword
```
3. Run the following command to create a new listener that accepts incoming
traffic on port 443. The listener uses the certificate appgateway-cert to
decrypt messages.
```azurecli
az network application-gateway http-listener create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name https-listener \
    --frontend-port https-port \
    --ssl-cert appgateway-cert
```
4. Run the following command to create a rule that directs traffic received
through the new listener to the backend pool. This command might take a
minute or two to finish.
```azurecli
az network application-gateway rule create \
    --resource-group $rgName \
    --gateway-name gw-shipping \
    --name https-rule \
    --address-pool ap-backend \
    --http-listener https-listener \
    --http-settings https-settings \
    --rule-type Basic
```
Run the following command to print the URL of the application gateway's public IP address, and then open that URL in your browser.

```bash
echo https://"$(az network public-ip show \
    --resource-group $rgName \
    --name appgwipaddr \
    --query ipAddress \
    --output tsv)"
```
As before, your browser might display a warning message that says the SSL
connection is using an unauthenticated certificate. This is because the
certificate is self-signed. You can ignore this warning and continue to the
website.
3. Verify that the home page for the shipping portal appears.
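A browser warning tells you little about the second hop. As an added example, not part of the module, the following shell functions use openssl s_client to check each TLS hop against the certificate file that is supposed to anchor it: the gateway's own certificate for the client hop and shipping-ssl.crt for the gateway-to-server hop. It assumes openssl is installed, that the gateway is reachable on the address printed above, and that the backend check is run from a host inside the virtual network, since the VM's private IP isn't routable from the internet. export_public_cert pulls the public half out of appgateway.pfx; parse_verify_code, verdict and the one-line output format are this example's own.

```shell
#!/bin/sh
# Check both TLS hops of the shipping portal with openssl s_client
# (added example, not part of the module). Needs openssl; the backend hop
# is only reachable from inside the virtual network.

# Extract the public certificate from a PFX so s_client can be told to trust
# exactly that certificate. The private key is not written anywhere.
export_public_cert() {
  pfx=$1 pass=$2 out=$3
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$out"
}

# Parse the numeric code from the line
# "    Verify return code: N (text)" that s_client prints.
parse_verify_code() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Parse the subject of the leaf certificate ("subject=CN = ..." line).
parse_subject() {
  printf '%s\n' "$1" | sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Turn the verify code into a verdict. Once a -CAfile is supplied, 0 is the
# only acceptable result; 18 to 21 mean the chain did not end in that file,
# which is the same condition behind the browser warning in the exercise.
verdict() {
  case $1 in
    '')           echo no-handshake ;;
    0)            echo trusted ;;
    18|19|20|21)  echo untrusted-issuer ;;
    *)            echo failed ;;
  esac
}

# check_hop HOST PORT SNI CAFILE
# Connects, prints a one-line summary, and returns 0 only if the presented
# chain verifies against CAFILE.
check_hop() {
  host=$1 port=$2 sni=$3 ca=$4
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$sni" -CAfile "$ca" 2>/dev/null)
  code=$(parse_verify_code "$out")
  printf '%s:%s subject=%s verify=%s %s\n' "$host" "$port" \
    "$(parse_subject "$out")" "${code:-none}" "$(verdict "$code")"
  [ "$code" = 0 ]
}

# Usage for the exercise (gwip and privateip set as in the steps above):
#   export_public_cert server-config/appgateway.pfx somepassword appgateway.crt
#   check_hop "$gwip"      443 "$gwip"      appgateway.crt                # client -> gateway
#   check_hop "$privateip" 443 "$privateip" server-config/shipping-ssl.crt  # gateway -> server, from a jump VM
```

Because each call pins the exact file you uploaded to the gateway, a "trusted" verdict on the backend hop means the server is presenting the certificate that shipping-root-cert anchors, not merely some certificate; "untrusted-issuer" after a certificate renewal is the signal to upload the new root.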
You have now configured the listener to listen on port 443 and decrypt the data that's
ready to be passed to the backend pool. The data is re-encrypted when it's transmitted
from the gateway to a server in the backend pool. With this listener in place, you have
set up end-to-end encryption for the shipping portal.
Summary
You've now used Azure Application Gateway to encrypt and help secure the network
traffic between users and your web application. You enabled SSL encryption between
users and Application Gateway to protect traffic over the internet, and you enabled SSL
encryption for traffic between Application Gateway and your web servers. Because the
gateway verifies the certificate each server presents, it only forwards decrypted traffic to
servers you've chosen to trust.
You can now use the skills you've learned in your own environment to help secure HTTP
traffic.
Clean up
The sandbox automatically cleans up your resources when you're finished with this
module.
When you're working in your own subscription, it's a good idea at the end of a project
to identify whether you still need the resources you created. Resources left running can
cost you money. You can delete resources individually or delete the resource group to
delete the entire set of resources.
Learn more
To learn more about Azure Application Gateway, see the following articles: