How to Set Up mTLS With Azure App Gateway v2 and IIS API?

Asked By TechyGiraffe42 On

We have a piece of internal software that includes an externally facing IIS site and an API site, which together serve around 21,000 users. The entire setup consists of an AVD host pool, an app server, a SQL server, and a web server. During testing, we discovered that the software requires the SQL server to be hosted on a server rather than using SQL SaaS or storage accounts, so that's how we set it up.

Currently, we've got an Azure App Gateway v2 with an SSL profile set up to secure the IIS site, and that's functioning properly. However, there's a subsite for API access (like https://www.site.com/apimanagement/apimanagement.svc) that also needs to be accessible externally, but it requires client-side certificate authentication. The issue is that, as far as I'm aware, App Gateway v2 doesn't support mTLS. I've experimented with several methods without success.

Internally, the subsite works fine on any configured URL. We've made the developers aware of the security risks, as their API isn't properly protected, but unfortunately, we can't change the software at this stage.

We also have an Azure Firewall set up, and everything is behind it. Previously, the system was directly accessible via four Azure VMs with an NSG allowing open traffic—which was a problematic setup. Now, I'm at a standstill on how to proceed. It appears the only solution might be to assign an external IP to the web server, create a different custom URL, and allow unrestricted access on ports 80 and 443.

Is there anyone here who can point me towards resources or share insights on how to configure this with App Gateway v2? Is it truly a limitation within Azure?

3 Answers

Answered By CloudyDayDreamer On

I feel your pain! It can be a nightmare trying to manage those certs. Just wait until you find out some vendors use them to switch users on the fly. It's like layers of misery on top of each other! Good luck with your setup—hopefully, you can find a workaround.

Answered By AzureNinja88 On

You could ask the vendor to move the API to its own subdomain to allow mTLS setup on that listener. Alternatively, they could properly implement authentication in the application code. If that's not possible, you can set up mTLS directly on IIS for a specific subpath in your web.config.
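A worked example of the web.config approach this answer describes (an added illustration, not the poster's configuration): the client certificate requirement is scoped to the /apimanagement path with a `<location>` element, so the main site is unaffected, and IIS's many-to-one certificate mapping only accepts certificates issued by a named internal CA rather than any certificate the machine trusts. The path, CA name, account and password are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Site root: plain HTTPS, no client certificate asked for. -->
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>

  <!-- Only the API subpath (placeholder name) requires a client certificate.
       system.webServer/security/access is locked at server level by default;
       unlock it first or the site will return HTTP 500.19. -->
  <location path="apimanagement">
    <system.webServer>
      <security>
        <!-- Ssl: HTTPS only. SslNegotiateCert: ask the client for a cert.
             SslRequireCert: reject the request when none is presented. -->
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
        <authentication>
          <!-- Requires the "IIS Client Certificate Mapping Authentication" role service.
               Certificates that chain to a trusted root but are NOT issued by the
               named CA fail the rule below and get 403. -->
          <iisClientCertificateMappingAuthentication enabled="true"
              oneToOneCertificateMappingsEnabled="false"
              manyToOneCertificateMappingsEnabled="true">
            <manyToOneMappings>
              <!-- userName/password are placeholders; set them through IIS Manager
                   or appcmd so the password is stored encrypted. -->
              <add name="ApiClients" enabled="true" permissionMode="Allow"
                   userName="DOMAIN\api-clients-svc" password="PLACEHOLDER">
                <rules>
                  <add certificateField="Issuer" certificateSubField="CN"
                       matchCriteria="Internal Issuing CA" compareCaseSensitive="false" />
                </rules>
              </add>
            </manyToOneMappings>
          </iisClientCertificateMappingAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Unlock the section once with `appcmd unlock config /section:system.webServer/security/access`. This check applies to the TLS session that terminates on IIS itself, so with a gateway in front of the web server IIS sees the gateway's backend connection rather than the original client's certificate.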

Answered By WebWizard99 On

We ran into a similar situation. If you want to set up mTLS, try configuring api.site.com with the App Gateway settings as you did for the main site. Make sure you're doing backend pools, SSL profiles, listeners, and health probes correctly. But I know getting the vendor to cooperate can be a real hassle.
