TLS certificate offload at Azure Application gateway and end-to-end encryption

Lurdhu Reddy Ponnapati
4 min read, Sep 12, 2021

Introduction:

Security is one of the most important aspects of designing any system, and there are many areas of a system where security has to be dealt with.

For example:

  1. Data-at-rest
  2. Data-in-transit
  3. Authentication and Authorisation
  4. Writing secure code to avoid security vulnerabilities
  5. Principle of least privilege
  6. Protecting security keys, etc.

In this article we are going to talk about data-in-transit, also known as data-in-motion. The client application (mobile app or web app) has to communicate with the backend servers to get or post the data the user needs. As application developers we need to make sure that the communication between client and server is secure, so we encrypt the data between client and server using TLS (Transport Layer Security) certificates, previously known as SSL (Secure Sockets Layer). Today’s topic is where to offload/terminate TLS in Azure Application Gateway.

TLS offloading means decrypting, at the server side, the data that the client encrypted to protect it while in transit.

Should I terminate/offload TLS certificates at Azure Application Gateway?

Well, it depends on your organisation’s security policy. Some organisations terminate TLS at the application gateway and send unencrypted traffic to the backend servers, while others do end-to-end encryption.

To enable TLS/SSL termination, we add TLS/SSL certificates to the Azure Application Gateway listeners, so that the application gateway can use the certificate’s private key in the TLS handshake to derive a symmetric key. That symmetric key is then used to encrypt and decrypt the data exchanged with the application gateway.

Note:

The TLS certificate must be in PFX format. This format lets us export the private key together with the certificate, and the application gateway requires that private key.
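Configuring the TLS offload described above, as an added Az PowerShell example (not from the article): the resource group, gateway, pool and file names are assumptions, and it assumes a v2 SKU gateway that already has a frontend IP configuration and a backend address pool.

```powershell
# Added example, not from the article: turn on TLS offload for an existing
# Application Gateway (v2) with Az PowerShell. Resource names are assumptions.
$rg   = "rg-web"
$gwNm = "agw-web"
$pool = "pool-web"            # existing backend address pool (assumed)
$pfx  = ".\contoso-com.pfx"   # PFX exported together with its private key
$pwd  = Read-Host -AsSecureString -Prompt "PFX password"   # do not hard-code it

$gw = Get-AzApplicationGateway -Name $gwNm -ResourceGroupName $rg

# 1. Upload the PFX. The private key inside it is what lets the gateway complete
#    the client handshake and derive the symmetric session key.
Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "contoso-com" `
    -CertificateFile $pfx -Password $pwd | Out-Null
$cert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "contoso-com"

# 2. Frontend port 443 and an HTTPS listener bound to the certificate.
Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port-443" -Port 443 | Out-Null
$fip  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw | Select-Object -First 1
$port = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port-443"
Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "lsn-https" -Protocol Https `
    -FrontendIPConfiguration $fip -FrontendPort $port -SslCertificate $cert | Out-Null
$lsn = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "lsn-https"

# 3. Offload: the backend hop is plain HTTP on port 80. This is exactly the trade-off
#    from the "Cons" section: gateway-to-backend traffic is cleartext inside the VNet.
Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "bhs-http80" `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30 | Out-Null
$bhs = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "bhs-http80"
$bap = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name $pool

# 4. Rule tying the listener to the backend; v2 rules need an explicit priority.
Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "rule-web" `
    -RuleType Basic -Priority 100 -HttpListener $lsn -BackendHttpSettings $bhs `
    -BackendAddressPool $bap | Out-Null

# 5. Commit. Only now is the certificate installed on the gateway instances.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```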

Pros

1. Performance improvement

As we all know, TLS decryption has a performance cost. To reduce it, the application gateway caches TLS session IDs and manages TLS session tickets, so if TLS terminates at the application gateway, all subsequent requests from the same client can reuse the cached session. If TLS terminates at the backend servers instead, each client request may land on a different backend server depending on the load balancer, and the client has to re-authenticate (complete a full handshake) each time.

2. Better routing

If the application gateway can decrypt the data, it can read the requested content such as headers, URI, etc., and use that to route the request to a specific backend server.

3. Certificate management

Since we terminate TLS at the application gateway, we only need to buy certificates for the application gateway, not for the backend servers. This saves money.

4. Let backend servers do their job

Certificate processing is a CPU-intensive job, so doing it at the application gateway reduces the load on the backend servers and lets them do their own job properly (Single Responsibility Principle).

Cons

As you are aware, if you offload TLS at the app gateway, the traffic from the app gateway to the ingress controller or backend servers travels unencrypted. This may be acceptable for some companies and some domains, but not for all. In that case, companies have to adopt end-to-end encryption, which we discuss in the next section.

End-to-end encryption

Some companies’ policies do not allow TLS termination at the Application Gateway. In such cases we have to encrypt the data end-to-end.

How does it work?

Once the client’s traffic reaches the application gateway, the application gateway decrypts it using the certificate’s private key and extracts the information it needs, such as request headers and URI. Based on these, it identifies which backend server (ingress controller) the request has to be forwarded to. Once the backend server is identified, the application gateway encrypts the data again, this time in a new TLS session with that backend server using the backend server’s certificate (its public key), and forwards the request to that backend server (ingress controller). The backend server then terminates TLS when the request reaches it.
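Switching the gateway-to-backend hop from cleartext to TLS as described above, as an added Az PowerShell example (not from the article): it assumes a v2 SKU gateway that already has an HTTPS listener, backend pool and routing rule, and the names and file paths are assumptions.

```powershell
# Added example, not from the article: move the backend hop to TLS on a v2
# Application Gateway. Names and file paths are assumptions.
$rg   = "rg-web"
$gwNm = "agw-web"
$gw   = Get-AzApplicationGateway -Name $gwNm -ResourceGroupName $rg

# 1. Trust anchor for the backend certificate: the root CA (Base64 .cer) that issued the
#    certificate on the backend servers / ingress controller. If the backend uses a
#    self-signed certificate, that certificate itself is uploaded here instead.
Add-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw `
    -Name "backend-root-ca" -CertificateFile ".\backend-root-ca.cer" | Out-Null
$root = Get-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name "backend-root-ca"

# 2. HTTPS backend setting. The gateway opens a new TLS session to the backend, validates
#    the backend chain against $root, and uses the backend address as SNI/host name, so the
#    pool members should be FQDNs that the backend certificate actually covers.
Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "bhs-https443" `
    -Port 443 -Protocol Https -CookieBasedAffinity Disabled -RequestTimeout 30 `
    -PickHostNameFromBackendAddress -TrustedRootCertificate $root | Out-Null
$bhs = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "bhs-https443"

# 3. Re-point the routing rule: the HTTPS listener still terminates the client's session
#    (so routing on headers/URI keeps working); the new setting re-encrypts towards the backend.
$lsn = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "lsn-https"
$bap = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "pool-web"
Set-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "rule-web" `
    -RuleType Basic -Priority 100 -HttpListener $lsn -BackendHttpSettings $bhs `
    -BackendAddressPool $bap | Out-Null

# 4. Commit the change to Azure.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```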

Managing certificates in Azure Key Vault

Azure Key Vault is a service where we can store secrets, keys and certificates securely. We can store production certificates in Azure Key Vault and give the Application Gateway read access to them.

We need to create a user-assigned managed identity and give it “Get” access to the Key Vault, then assign that user-assigned managed identity to the Application Gateway.

The Application Gateway reads the certificates from Key Vault and installs them locally for TLS termination. It polls Key Vault every 4 hours to check whether a renewed version of the certificate has been added; if it finds one, it automatically rotates the existing certificate.

Azure Application Gateway doesn’t support sourcing TLS certificates for the HTTP listener from Key Vault instances that are exposed with Private Link.
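The Key Vault setup from this section, as an added Az PowerShell example (not from the article): the resource group, region, gateway, vault and certificate names are assumptions, and it assumes a v2 SKU gateway and a vault that uses access policies (the RBAC alternative is noted in a comment).

```powershell
# Added example, not from the article: source the listener certificate from Key Vault
# through a user-assigned managed identity (v2 SKU). Names are assumptions.
$rg    = "rg-web"
$loc   = "westeurope"
$gwNm  = "agw-web"
$kv    = "kv-web-prod"        # assumed vault name; reachable on its public endpoint
$cName = "contoso-com"        # certificate object name in the vault

# 1. Identity the gateway will use. It only needs "get" on secrets (the certificate's
#    PFX is exposed to the gateway as a secret), nothing else on the vault.
#    If the vault uses Azure RBAC instead of access policies, grant the identity the
#    "Key Vault Secrets User" role on the vault with New-AzRoleAssignment instead.
$id = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "id-agw-web" -Location $loc
Set-AzKeyVaultAccessPolicy -VaultName $kv -ObjectId $id.PrincipalId -PermissionsToSecrets get

# 2. Attach the identity to the gateway.
$gw = Get-AzApplicationGateway -Name $gwNm -ResourceGroupName $rg
Set-AzApplicationGatewayIdentity -ApplicationGateway $gw -UserAssignedIdentityId $id.Id | Out-Null

# 3. Reference the certificate by its version-less secret id. Without a version in the
#    id, the gateway's 4-hourly poll picks up renewed versions and rotates automatically;
#    a version-pinned id would freeze the gateway on that one version.
$secret   = Get-AzKeyVaultSecret -VaultName $kv -Name $cName
$secretId = $secret.Id.Replace($secret.Version, "")   # strip the trailing version segment
Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name $cName `
    -KeyVaultSecretId $secretId | Out-Null

# 4. Commit, then confirm the listener certificate is a vault reference, not inline PFX data.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
(Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name $cName).KeyVaultSecretId
```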
