Sai Chaithanya

Reputation: 1

Configure path route path specific SSL profile in Azure Application Gateway

We have an Azure APIM behind Application Gateway, and we want to implement certificate-based authentication for the incoming requests to a specific API(s).

As per the latest update from MS, we can pass the certificate from APP Gateway to backend APIM by configuring SSL profiles and rewriting the Custom Headers X-ARR-ClientCert.

The problem in our scenario: we have a single listener to our APIM instance configured in Azure App Gateway. In the case of configuring the SSL profile and attaching it to the listener:

  1. Will Azure App Gateway ask for a client certificate for all the incoming requests?
  2. Will it create any impact on API(s) which don't require certificate-based authentication?
  3. Is there any way the App Gateway can forward the certificates to Azure API Management without an SSL profile?

Best Regards: Sai

We have tried to rewrite the headers with a custom header named X-ARR-ClientCert with value {var_client_certificate} in App Gateway using a route-path based rule and without an SSL profile configured, as we do not have an idea of the impact it would create in the case of attaching the SSL profile to the listener.

Upvotes: 0

Views: 643

Answers (1)

Imran

Reputation: 5570

As per your scenario, we have a single listener to our APIM instance configured in Azure App Gateway. In a case of configuring the SSL Profile and attaching to the Listener.

  1. If you configure an SSL profile on the listener of Azure Application Gateway and enable client certificate authentication, it will ask for a client certificate for all incoming requests to that listener.

Application Gateway supports certificates issued from both public and privately established certificate authorities. Therefore, CA certificates must be uploaded. Ensure that the client certificate's immediate issuer is verified and only permits that issuer to be trusted by your application gateway.

By default, this option is disabled, but if you want to use the Application Gateway to validate the client, you can enable it through the portal.

  2. Configuring SSL profiles and rewriting the Custom Headers X-ARR-ClientCert in Azure Application Gateway will not impact the APIs that do not require certificate-based authentication.

  3. Without an SSL profile, it's not possible to forward the certificates to Azure API Management. You need an SSL profile with the certificates, and then associate it with a listener.

To know more in detail, check these references.

Overview of mutual authentication on Azure Application Gateway | Microsoft Learn

Rewrite HTTP headers and URL with Azure Application Gateway | Microsoft Learn

Upvotes: 0
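
For reference, an added example (not part of the question or the answer above) showing where each setting discussed in this thread attaches in an Application Gateway ARM template: the SSL profile is referenced by the listener, while the `X-ARR-ClientCert` rewrite lives in a rewrite rule set that a routing rule or an individual path rule then references. All resource names and `<placeholders>` are assumptions; other required listener properties are omitted.

```json
{
  // Constructed fragment of a Microsoft.Network/applicationGateways "properties" object.
  // Every name and <placeholder> below is an example value, not one from this thread.
  "trustedClientCertificates": [
    { "name": "example-client-ca", "properties": { "data": "<base64 CA certificate chain>" } }
  ],
  "sslProfiles": [
    {
      "name": "example-mtls-profile",
      "properties": {
        "trustedClientCertificates": [
          { "id": "<gateway-resource-id>/trustedClientCertificates/example-client-ca" }
        ],
        // Also check that the client certificate's immediate issuer is the uploaded CA.
        "clientAuthConfiguration": { "verifyClientCertIssuerDN": true }
      }
    }
  ],
  "httpListeners": [
    {
      "name": "example-apim-listener",
      "properties": {
        "protocol": "Https",
        // The profile is bound at listener level, not per path.
        "sslProfile": { "id": "<gateway-resource-id>/sslProfiles/example-mtls-profile" }
      }
    }
  ],
  "rewriteRuleSets": [
    {
      "name": "example-forward-client-cert",
      "properties": {
        "rewriteRules": [
          {
            "name": "set-x-arr-clientcert",
            "ruleSequence": 100,
            "actionSet": {
              "requestHeaderConfigurations": [
                { "headerName": "X-ARR-ClientCert", "headerValue": "{var_client_certificate}" }
              ]
            }
          }
        ]
      }
    }
  ]
}
```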
