How can we improve Azure Networking?

← Networking

Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps in a single place.

445 votes

Vote

Sign in

Your name

Your email address

(thinking…)

Password

Sign in with:

Forgot password?

Create a password

Signed in as (Sign out)

You have left! (?) (thinking…)

Mike Webber shared this idea · Aug 29, 2017 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure Networking Team (Product Manager, Microsoft Azure) responded · Apr 14, 2019

This is being worked on and will soon be announced.

Show previous admin responses (1)

25 comments

Add a comment…

Sign in

Your name

Your email address

(thinking…)

Password

Sign in with:

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

Andy commented · April 15, 2019 9:27 AM · Flag as inappropriate

When you have plan to announce it ?
Jan Fruseth commented · April 5, 2019 2:24 AM · Flag as inappropriate

What's the status? A year has gone since it was planned and no update at all. Please, at least give us a status. The only preferred place to store secrets is key vault Microsoft tell us all the time, but since App Gateway not can use cert, pfx to install/renew directly from key vault, we must depend on someones brain, to bad.
Craig commented · March 29, 2019 1:56 AM · Flag as inappropriate

Until this is implemented by MS, you can export the public and private keys from the .cer and .pfx into Base64 String, then copy the string code into Key Vault as a "Secret" and this can be referenced within your ARM Template Parameters file, I've done this a few times and works perfectly :)
James S. commented · February 28, 2019 8:05 AM · Flag as inappropriate

Wait, seriously? There's this amazing framework we're encouraged to use for storing secret keys and certificates securely yet we can't use it with Application Gateway?? A must have add for sure. +1 x 1,000,000
Shahid Iqbal commented · February 5, 2019 12:50 PM · Flag as inappropriate

Yes, an update to this would be great - perhaps this is an appgw v2 feature?
sachin commented · January 24, 2019 9:38 PM · Flag as inappropriate

This seems like a Must Have feature. ETA Please.
Anonymous commented · January 22, 2019 3:54 AM · Flag as inappropriate

Can we get an ETA? This seems like a huge gap in the app gateway
Anonymous commented · January 21, 2019 6:06 AM · Flag as inappropriate

I am surprised this doesn't have more votes. The App Service Certificate terribly loses its value by not giving the front end direct access to use it.
Anonymous commented · January 20, 2019 3:38 PM · Flag as inappropriate

Any updates on this?
Tom Stones commented · January 9, 2019 9:19 AM · Flag as inappropriate

+1
Yohan S. commented · January 8, 2019 11:11 AM · Flag as inappropriate

Any update on this feature please ?
Anonymous commented · November 21, 2018 1:40 PM · Flag as inappropriate

Application Gateways not able to access the certificate from Azure Key Vault is a security problem because of the need to export a PFX.
It also greatly diminishes the value of the higher price of an Azure App Service Certificate (ASC). It is no more secure than going to any other CA at this point who can charge far less for a certificate of the same value.
Greg Lloyd commented · October 7, 2018 11:02 AM · Flag as inappropriate

Updates? This is a seriously needed feature. Especially for automation to prevent downtime for applications.
Corey Zwart commented · August 8, 2018 12:36 PM · Flag as inappropriate

Any updates? Would love to be able to administer the certificates in a central place rather than every deployed Application Gateway.
John Gilmartin commented · July 30, 2018 4:43 AM · Flag as inappropriate

Pleased to see this is on the roadmap but disappointed to see that it has been so since 2016 and yet still not available. With this item and very similar one https://feedback.azure.com/forums/217313-networking/suggestions/17205926-integration-with-key-vault-certificates there is plenty of demand, us included.
Max Khon commented · July 17, 2018 4:21 AM · Flag as inappropriate

+1
Jens Peter Secher commented · July 16, 2018 12:55 AM · Flag as inappropriate

+1
Richard J commented · July 5, 2018 4:43 AM · Flag as inappropriate

Hi Microsoft,

What is the ETA for this?
Joe H commented · June 14, 2018 9:12 PM · Flag as inappropriate

SSL certificate private key portions are CONSTANTLY exposed on some DevOps workstation, because App Services don't support the generation of a CSR.

KeyVault supports that -- but when I create an SSL certificate via KeyVault, I can't use it directly in an AppService without allowing the entire certificate to be exported - with its private key portion.

Back to square one.

Besides, I'd like my HTTPS certificate to be HSM-backed.

It seems like I'm asking for too much. But at the very least, allow me to use non-exportable HTTPS certificates for Azure-based web sites, where the private key NEVER has to be on a DevOps person's workstation. That's just unnecessary attack surface.
Jev commented · May 2, 2018 2:22 AM · Flag as inappropriate

Hi Azure Networking team. Key Vault integration would be a welcome addition. Especially when using ARM deployment model. Hence an ETA would be greatly appreciated!

← Previous 1 2 Next →

Networking: Application Gateway

Post a new idea…
All ideas
My feedback
Application Gateway 125
Azure Firewall 19
Azure Front Door Service 19
Bugs 5
Content Delivery Network 4
Domain Name Service (DNS, Traffic Manager) 78
ExpressRoute 33
IP addresses 17
IPv6 9
Load Balancing 45
Network Watcher 32
Other 13
Security (ACLs, Firewalls, Intrusion Detection) 79
Speed/Bandwidth 4
VPN Connectivity (Point-to-Site, Site-to-Site) 66
Virtual Networks (VNET) 71
Virtual WAN 1

Searching…

No results.
Clear search results

Give feedback
- (General Feedback) 3,537 ideas
- Additional Services 235 ideas
- Analytics Platform System 10 ideas
- API Apps 3 ideas
- API Management 387 ideas
- Application Insights 506 ideas
- Automation 410 ideas
- Azure Active Directory 2,954 ideas
- Azure Active Directory Application Requests 199 ideas
- Azure Advisor 12 ideas
- Azure Alert Management 60 ideas
- Azure Analysis Services 125 ideas
- Azure API for FHIR 0 ideas
- Azure App Configuration 5 ideas
- Azure Backup 371 ideas
- Azure Bot Service 52 ideas
- Azure Cloud Shell 248 ideas
- Azure Confidential Compute 1 idea
- Azure Container Instances 72 ideas
- Azure Container Registry 45 ideas
- Azure Cosmos DB 263 ideas
- Azure CycleCloud 0 ideas
- Azure Data Explorer 31 ideas
- Azure Database for MariaDB 9 ideas
- Azure Database for MySQL 52 ideas
- Azure Database for PostgreSQL 84 ideas
- Azure Database Migration Service 27 ideas
- Azure Databricks 45 ideas
- Azure DDoS Protection 6 ideas
- Azure Digital Twins 14 ideas
- Azure Event Grid 40 ideas
- Azure Functions 132 ideas
- Azure Governance 56 ideas
- Azure Government 67 ideas
- Azure IoT 225 ideas
- Azure IoT Central 58 ideas
- Azure IoT Device Catalog 8 ideas
- Azure IoT Edge 54 ideas
- Azure IoT Solution Accelerators 20 ideas
- Azure Key Vault 84 ideas
- Azure Kubernetes Service (AKS) 110 ideas
- Azure Management Groups 12 ideas
- Azure Maps 35 ideas
- Azure Marketplace 371 ideas
- Azure Media Services 245 ideas
- Azure Migrate 28 ideas
- Azure mobile app 198 ideas
- Azure Monitor 66 ideas
- Azure Pack 306 ideas
- Azure portal 1,767 ideas
- Azure Resource Manager 372 ideas
- Azure Search 207 ideas
- Azure Security Center 150 ideas
- Azure Sentinel 11 ideas
- Azure Service Health 13 ideas
- Azure SignalR Service 7 ideas
- Azure Spatial Anchors 9 ideas
- Azure Sphere 39 ideas
- Azure Stack 134 ideas
- Azure TCO Calculator 28 ideas
- Azure Time Series Insights 3 ideas
- Batch 36 ideas
- Batch AI 8 ideas
- Biztalk Services 23 ideas
- Blockchain 36 ideas
- Cache 44 ideas
- CDN 83 ideas
- Cloud Services (Web and Worker Role) 274 ideas
- Cost Management 159 ideas
- Customer Insights 13 ideas
- Customer Lockbox for Microsoft Azure 0 ideas
- Data Catalog 108 ideas
- Data Factory 629 ideas
- Data Lake 332 ideas
- Data Science VM 18 ideas
- Diagnostics and Monitoring 179 ideas
- Event Hubs 14 ideas
- Global Infrastructure 32 ideas
- HDInsight 120 ideas
- Lab Services 221 ideas
- Log Analytics 852 ideas
- Logic Apps 1,189 ideas
- Machine Learning 438 ideas
- Mobile Engagement 19 ideas
- Networking 667 ideas
- Notification Hubs 35 ideas
- Scheduler 47 ideas
- Scripting and Command Line Tools 101 ideas
- SDK and Tools 137 ideas
- Security and Compliance 75 ideas
- Service Bus 174 ideas
- Service Fabric 271 ideas
- Signup and Billing 1,221 ideas
- Site Recovery 209 ideas
- SQL Data Sync 66 ideas
- SQL Data Warehouse 231 ideas
- SQL Database 557 ideas
- SQL Managed Instance 60 ideas
- SQL Server 9,145 ideas
- Storage 649 ideas
- StorSimple 46 ideas
- Stream Analytics 224 ideas
- Support Feedback 248 ideas
- System Center Data Protection Manager 103 ideas
- Update Management 107 ideas
- Virtual Machines 1,366 ideas
- Web Apps 310 ideas
Microsoft Azure