Raymond Grumney

Reputation: 41

Azure Application Gateway, how to link to SSL Cert on a different Azure Subscription?

I have an Azure Application Gateway in subscription A and a wildcard ssl cert in a Keyvault in subscription B, both under the same tenant. Is it possible to link this certificate to this application gateway?

Upvotes: 3

Views: 14596

Answers (3)

Paco de la Cruz

Reputation: 2154

We ran into the same issue. As of Nov 2021, based on the documentation, the Key Vault instance must be in the same subscription as Application Gateway.

Azure Application Gateway currently supports only Key Vault accounts in the same subscription as the Application Gateway resource. Choosing a key vault under a different subscription than your Application Gateway will result in a failure.

Upvotes: 3

SimonB

Reputation: 399

Continuing on from @andriy-bilous, creating a Managed Identity for an Azure Application Gateway so you can draw down certificates from your Azure Key Vault is pretty simple.

Create the Managed Identity:

  1. Go to Azure Portal.
  2. Select the search bar at the top, then search for and select "Managed Identities".
  3. Select Create.
  4. Give your new managed identity the relevant Resource Group and Region, and a unique Name.
  5. Now, Review + create, then Create.

Assign the rights to the Managed Identity in your Key Vault:

  1. Go to your Key Vault.
  2. Under Settings, select Access policies.
  3. Select + Add Access Policy.
  4. Under the Secret permissions dropdown, select Get.
  5. Next to Select principal, select None selected.
  6. Search for the Managed Identity you just created, and Select.
  7. Finally, click Add and you're done.

Head on over to your Application Gateway, where there will be a Managed Identity for the Key Vault, and set up your HTTPS certificates.

Also, as you've already got a VNET set up, adding your Key Vault to the VNET via a Private Endpoint is a great idea.

Upvotes: 6

Andriy Bilous

Reputation: 2522

Yes, it is possible.

Application Gateway integration with Key Vault requires a three-step configuration process:

  • Create a user-assigned managed identity
  • Configure your key vault
  • Configure the application gateway


https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works

Upvotes: 2
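A command-line version of the three steps that Andriy Bilous's answer lists and SimonB's answer walks through in the portal, as an added example that is not part of either answer. It uses the Azure CLI; every name, resource group and subscription ID is a constructed placeholder, and the script assumes the vault uses the access-policy permission model, granting only the Secret permission Get as in SimonB's steps. Whether a vault in a different subscription is accepted is the point on which the answers above differ (Paco de la Cruz quotes the documentation saying it is not), so the script keeps the gateway's and the vault's subscriptions as separate variables and can be pointed at either layout.

```shell
#!/usr/bin/env bash
# Added example, not from the answers above: Azure CLI equivalent of the portal steps.
# All names and subscription IDs are constructed placeholders; replace them with your own.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

GW_SUBSCRIPTION="${GW_SUBSCRIPTION:-00000000-0000-0000-0000-00000000000a}"  # subscription A (gateway)
KV_SUBSCRIPTION="${KV_SUBSCRIPTION:-00000000-0000-0000-0000-00000000000b}"  # subscription B (vault)
GW_RG="${GW_RG:-rg-appgw-example}"
GW_NAME="${GW_NAME:-appgw-example}"
LOCATION="${LOCATION:-westeurope}"
IDENTITY_NAME="${IDENTITY_NAME:-id-appgw-keyvault}"
KV_NAME="${KV_NAME:-kv-example-b}"
CERT_NAME="${CERT_NAME:-wildcard-example-com}"   # name of the certificate object in the vault
GW_CERT_NAME="${GW_CERT_NAME:-wildcard-cert}"     # name the gateway gives its ssl-cert resource

run() {
  # Execute the command, or print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

identity_resource_id() {
  # ARM resource ID of the user-assigned identity (needed when attaching it to the gateway)
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' \
    "$GW_SUBSCRIPTION" "$GW_RG" "$IDENTITY_NAME"
}

kv_secret_id() {
  # A certificate stored in Key Vault is also exposed as a secret; the gateway reads it
  # through that secret endpoint. Versionless, so renewed versions can be picked up.
  printf 'https://%s.vault.azure.net/secrets/%s\n' "$KV_NAME" "$CERT_NAME"
}

# Step 1: create the user-assigned managed identity next to the gateway
create_identity() {
  run az identity create --subscription "$GW_SUBSCRIPTION" --resource-group "$GW_RG" \
    --name "$IDENTITY_NAME" --location "$LOCATION" --output none
}

identity_principal_id() {
  # Object (principal) ID of the identity, used for the vault access policy
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "<principalId>"; return; fi
  run az identity show --subscription "$GW_SUBSCRIPTION" --resource-group "$GW_RG" \
    --name "$IDENTITY_NAME" --query principalId --output tsv
}

# Step 2: access policy on the vault with only the Secret permission "Get" (least privilege)
grant_secret_get() {
  principal_id="$1"
  run az keyvault set-policy --subscription "$KV_SUBSCRIPTION" --name "$KV_NAME" \
    --object-id "$principal_id" --secret-permissions get
}

# Step 3: attach the identity to the gateway and register the certificate from the vault
attach_identity_to_gateway() {
  run az network application-gateway identity assign --subscription "$GW_SUBSCRIPTION" \
    --resource-group "$GW_RG" --gateway-name "$GW_NAME" --identity "$(identity_resource_id)"
}

add_gateway_cert() {
  run az network application-gateway ssl-cert create --subscription "$GW_SUBSCRIPTION" \
    --resource-group "$GW_RG" --gateway-name "$GW_NAME" --name "$GW_CERT_NAME" \
    --key-vault-secret-id "$(kv_secret_id)"
}

main() {
  create_identity
  grant_secret_get "$(identity_principal_id)"
  attach_identity_to_gateway
  add_gateway_cert
}

# Only runs when invoked as: ./appgw-keyvault.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it with `DRY_RUN=1 ./appgw-keyvault.sh apply` first to review the exact commands, then without `DRY_RUN` to execute them with a logged-in `az` session that can see both subscriptions. The registered `ssl-cert` is then referenced from the gateway's HTTPS listener. If the vault uses the Azure RBAC permission model instead of access policies, the equivalent of step 2 is a role assignment of Key Vault Secrets User on the vault for the identity's principal ID.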
