I have an internal application that needs to operate behind the scenes but also has an IIS site and an API endpoint for user access, supporting around 21,000 users. The setup includes an AVD host pool, an app server, a SQL server, and a web server. During our testing phase, we discovered that the application cannot utilize SQL as a service or Azure storage accounts, necessitating an on-premises server configuration.
Right now, we're using an App Gateway v2 with an SSL profile for our IIS website, which is functioning well for external access (e.g., https://www.site.com). However, we also have a sub-API site (https://www.site.com/apimanagement/apimanagement.svc) that needs to be accessible for development purposes and requires client-based authentication through installed certificates.
The issue is that I believe the App Gateway doesn't support mutual TLS (mTLS), and despite trying various methods, I haven't been able to get it to work. The API works internally on any configured URL, even different ones, which raises security concerns since the API isn't secured adequately.
We have an Azure Firewall in place, but the previous setup exposed four Azure VMs directly to the internet with open NSG ports, which feels risky. I'm considering whether the only solution is to assign an external IP to the web server, create a different custom URL (like apisite.com), and open up ports 80 & 443 for access. I'm looking for guidance or resources on configuring this correctly with App Gateway v2, or if this is just a limitation of Azure itself.
2 Answers
Honestly, I feel your pain. If you already reached out to the vendor for two years and nothing's changing, it's time to push harder for a solution. I personally didn't set it up, but I've read that some have had success configuring App Gateway v2 for mTLS on IIS. Perhaps the issue is with how the backend pool and health probes are set up? Double-check that everything is configured correctly, including SSL certs and listener settings.
I totally get your frustration! I've been in similar situations. Have you tried asking the vendor to migrate the API to a separate subdomain? That way, you can implement mTLS on that listener. Alternatively, they could secure the API properly in the application code, which seems like a more viable solution. You can also set up mTLS on IIS for specific subpaths using web.config—may require some tweaking but can offer a workaround.
Related Questions
How to Build a Custom GPT Journalist That Posts Directly to WordPress
Cloudflare Origin SSL Certificate Setup Guide
How To Effectively Monetize A Site With Ads