How can we improve Azure Networking?

← Networking

Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps in a single place.

246 votes

Vote

Sign in

Your name

Your email address

Check!

invalid email

(thinking…)

Reset

or sign in with

UserVoice password

Forgot password?

Create a password

Signed in as (Sign out)

You have left! (?) (thinking…)

Mike Webber shared this idea · Aug 29, 2017 · Flag idea as inappropriate… · Admin →

planned ·

AdminAzure Networking Team (Admin, Microsoft Azure) responded · Feb 23, 2018

We are planning to support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on AppGw

14 comments

Add a comment…

Sign in

Your name

Your email address

Check!

invalid email

(thinking…)

Reset

or sign in with

UserVoice password

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

Anonymous commented · November 21, 2018 1:40 PM · Flag as inappropriate

Application Gateways not able to access the certificate from Azure Key Vault is a security problem because of the need to export a PFX.
It also greatly diminishes the value of the higher price of an Azure App Service Certificate (ASC). It is no more secure than going to any other CA at this point who can charge far less for a certificate of the same value.
Greg Lloyd commented · October 7, 2018 11:02 AM · Flag as inappropriate

Updates? This is a seriously needed feature. Especially for automation to prevent downtime for applications.
Corey Zwart commented · August 8, 2018 12:36 PM · Flag as inappropriate

Any updates? Would love to be able to administer the certificates in a central place rather than every deployed Application Gateway.
John Gilmartin commented · July 30, 2018 4:43 AM · Flag as inappropriate

Pleased to see this is on the roadmap but disappointed to see that it has been so since 2016 and yet still not available. With this item and very similar one https://feedback.azure.com/forums/217313-networking/suggestions/17205926-integration-with-key-vault-certificates there is plenty of demand, us included.
Max Khon commented · July 17, 2018 4:21 AM · Flag as inappropriate

+1
Jens Peter Secher commented · July 16, 2018 12:55 AM · Flag as inappropriate

+1
Richard J commented · July 5, 2018 4:43 AM · Flag as inappropriate

Hi Microsoft,

What is the ETA for this?
Joe H commented · June 14, 2018 9:12 PM · Flag as inappropriate

SSL certificate private key portions are CONSTANTLY exposed on some DevOps workstation, because App Services don't support the generation of a CSR.

KeyVault supports that -- but when I create an SSL certificate via KeyVault, I can't use it directly in an AppService without allowing the entire certificate to be exported - with its private key portion.

Back to square one.

Besides, I'd like my HTTPS certificate to be HSM-backed.

It seems like I'm asking for too much. But at the very least, allow me to use non-exportable HTTPS certificates for Azure-based web sites, where the private key NEVER has to be on a DevOps person's workstation. That's just unnecessary attack surface.
Jev commented · May 2, 2018 2:22 AM · Flag as inappropriate

Hi Azure Networking team. Key Vault integration would be a welcome addition. Especially when using ARM deployment model. Hence an ETA would be greatly appreciated!
Anonymous commented · March 27, 2018 6:31 AM · Flag as inappropriate

Hello, Azure Networking team. By when we can expect Key Vault support i Application Gateway?
Moim Hossain commented · March 12, 2018 3:21 AM · Flag as inappropriate

Is there any ETA for this?
Moim Hossain commented · March 12, 2018 3:20 AM · Flag as inappropriate

+1
Anonymous commented · February 28, 2018 6:56 AM · Flag as inappropriate

+1
KevBow commented · February 27, 2018 1:53 PM · Flag as inappropriate

We really need this too. Any ideas on timings in that plan ? Q1/Q2/2019?

Networking: Application Gateway

Post a new idea…
All ideas
My feedback
Application Gateway 87
Azure Firewall 8
Azure Front Door Service 8
Bugs 4
Content Delivery Network 2
Domain Name Service (DNS, Traffic Manager) 62
ExpressRoute 23
IP addresses 14
IPv6 7
Load Balancing 31
Network Watcher 28
Other 9
Security (ACLs, Firewalls, Intrusion Detection) 64
Speed/Bandwidth 3
VPN Connectivity (Point-to-Site, Site-to-Site) 51
Virtual Networks (VNET) 58
Virtual WAN 1

Searching…

No results.
Clear search results

Give feedback
- (General Feedback) 3,641 ideas
- Additional Services 181 ideas
- Analytics Platform System 8 ideas
- API Apps 1 idea
- API Management 355 ideas
- Application Insights 434 ideas
- Automation 370 ideas
- Azure Active Directory 2,369 ideas
- Azure Active Directory Application Requests 179 ideas
- Azure Alert Management 43 ideas
- Azure Analysis Services 115 ideas
- Azure Backup 306 ideas
- Azure Bot Service 40 ideas
- Azure Cloud Shell 143 ideas
- Azure Container Instances 55 ideas
- Azure Container Registry 42 ideas
- Azure Cosmos DB 258 ideas
- Azure CycleCloud 1 idea
- Azure Data Explorer 17 ideas
- Azure Database for MariaDB 3 ideas
- Azure Database for MySQL 37 ideas
- Azure Database for PostgreSQL 69 ideas
- Azure Database Migration Service 17 ideas
- Azure Databricks 29 ideas
- Azure DDoS Protection 6 ideas
- Azure Digital Twins 7 ideas
- Azure Event Grid 32 ideas
- Azure Functions 122 ideas
- Azure Governance 34 ideas
- Azure Government 67 ideas
- Azure IoT 199 ideas
- Azure IoT Central 31 ideas
- Azure IoT Device Catalog 2 ideas
- Azure IoT Edge 38 ideas
- Azure IoT Solution Accelerators 2 ideas
- Azure Key Vault 60 ideas
- Azure Kubernetes Service (AKS) 74 ideas
- Azure Management Groups 3 ideas
- Azure Maps 31 ideas
- Azure Marketplace 353 ideas
- Azure Media Services 193 ideas
- Azure Migrate 17 ideas
- Azure mobile app 167 ideas
- Azure Monitor 17 ideas
- Azure Pack 285 ideas
- Azure portal 2,380 ideas
- Azure Resource Manager 363 ideas
- Azure Search 190 ideas
- Azure Security Center 122 ideas
- Azure SignalR Service 1 idea
- Azure Sphere 23 ideas
- Azure Stack 103 ideas
- Azure TCO Calculator 25 ideas
- Azure Time Series Insights 2 ideas
- Batch 37 ideas
- Batch AI 7 ideas
- Biztalk Services 23 ideas
- Blockchain 27 ideas
- Cache 36 ideas
- CDN 69 ideas
- Cloud Services (Web and Worker Role) 263 ideas
- Cost Management 153 ideas
- Customer Insights 13 ideas
- Customer Lockbox for Microsoft Azure 0 ideas
- Data Catalog 94 ideas
- Data Factory 522 ideas
- Data Lake 318 ideas
- Data Science VM 18 ideas
- DevTest Labs 216 ideas
- Diagnostics and Monitoring 171 ideas
- Event Hubs 3 ideas
- Global Infrastructure 14 ideas
- HDInsight 107 ideas
- Log Analytics 813 ideas
- Logic Apps 1,038 ideas
- Machine Learning 406 ideas
- Mobile Engagement 19 ideas
- Networking 483 ideas
- Notification Hubs 37 ideas
- Scheduler 45 ideas
- Scripting and Command Line Tools 87 ideas
- SDK and Tools 120 ideas
- Security and Compliance 61 ideas
- Service Bus 157 ideas
- Service Fabric 256 ideas
- Signup and Billing 866 ideas
- Site Recovery 193 ideas
- SQL Data Sync 63 ideas
- SQL Data Warehouse 217 ideas
- SQL Database 452 ideas
- SQL Managed Instance 37 ideas
- SQL Server 8,678 ideas
- Storage 515 ideas
- StorSimple 44 ideas
- Stream Analytics 209 ideas
- Support Feedback 218 ideas
- System Center Data Protection Manager 90 ideas
- Update Management 91 ideas
- Virtual Machines 1,187 ideas
- Web Apps 203 ideas
Microsoft Azure