Overview of end to end SSL with Application Gateway

Application Gateway supports SSL termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This feature relieves web servers of the costly encryption and decryption overhead. However, for some customers, unencrypted communication to the backend servers is not an acceptable option. This may be due to security requirements, compliance requirements, or because the application only accepts secure connections. For such applications, Application Gateway supports end to end SSL encryption.

Overview

End to end SSL allows you to transmit sensitive data to the backend encrypted while still taking advantage of the Layer 7 load balancing features that Application Gateway provides. Some of these features are cookie-based session affinity, URL-based routing, site-based routing, and the ability to inject X-Forwarded-* headers.

When configured in end to end SSL communication mode, Application Gateway terminates the SSL session at the gateway and decrypts the user traffic. It then applies the configured rules to select an appropriate backend pool instance to route the traffic to. Application Gateway next initiates a new SSL connection to the backend server and re-encrypts the data using the backend server's public key certificate before transmitting the request to the backend. End to end SSL is enabled by setting the protocol in the BackendHTTPSetting to HTTPS; that setting is then applied to a backend pool. Each backend server in a pool with end to end SSL enabled must be configured with a certificate to allow secure communication.

Figure: end to end SSL scenario

In this example, requests using TLS 1.2 are routed to the backend servers in Pool1 using end to end SSL.

End to end SSL and whitelisting of certificates

Application Gateway only communicates with known backend instances whose certificates have been whitelisted with the gateway. To enable certificate whitelisting, you must upload the public key of each backend server certificate (not the root certificate) to the Application Gateway. Only connections to known, whitelisted backends are then allowed; connections to any other backend result in a gateway error. Self-signed certificates are for test purposes only and are not recommended for production workloads. Such certificates must be whitelisted with the Application Gateway, as described above, before they can be used.
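The two configuration steps described above (switching the backend HTTP settings to HTTPS and whitelisting the backend server's public certificate) are shown below for an existing gateway using Azure PowerShell (Az.Network module). This is an added example, not code from the original page or from Microsoft; the resource group, gateway, rule, listener and pool names, the certificate file paths and the thumbprint are placeholders you must replace.

```powershell
# Added example: enable end to end SSL on an existing Application Gateway.
# All names and paths below are placeholders (assumed, not from the page).
$rg     = 'rg-placeholder'
$gwName = 'appgw-placeholder'

# Step 1: obtain the backend server's public certificate as a DER-encoded .cer.
# Only the server certificate's public key is uploaded, never the root/CA
# certificate and never the private key. On a Windows backend, export it from
# the machine store (placeholder thumbprint):
#   $cert = Get-ChildItem -Path Cert:\LocalMachine\My\<THUMBPRINT-PLACEHOLDER>
#   Export-Certificate -Cert $cert -FilePath C:\certs\backend-placeholder.cer -Type CERT
# From a PEM file on a Linux backend, OpenSSL produces the same DER form:
#   openssl x509 -in backend.pem -outform DER -out backend-placeholder.cer
$backendCerPath = 'C:\certs\backend-placeholder.cer'

# Load the gateway object; all Add-*/Set-* calls modify it locally until
# Set-AzApplicationGateway pushes the change.
$appGw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# Step 2: whitelist the backend certificate on the gateway
# (an "authentication certificate" in the gateway's terminology).
$appGw = Add-AzApplicationGatewayAuthenticationCertificate `
    -ApplicationGateway $appGw `
    -Name 'backend-auth-cert' `
    -CertificateFile $backendCerPath
$authCert = Get-AzApplicationGatewayAuthenticationCertificate `
    -ApplicationGateway $appGw -Name 'backend-auth-cert'

# Step 3: backend HTTP settings with Protocol = Https, port 443, referencing
# the whitelisted certificate. This is what re-encrypts the gateway-to-backend leg.
$appGw = Add-AzApplicationGatewayBackendHttpSettings `
    -ApplicationGateway $appGw `
    -Name 'https-settings' `
    -Port 443 `
    -Protocol Https `
    -CookieBasedAffinity Enabled `
    -AuthenticationCertificates $authCert
$httpsSettings = Get-AzApplicationGatewayBackendHttpSettings `
    -ApplicationGateway $appGw -Name 'https-settings'

# Step 4: point an existing routing rule at the new settings so the pool is
# reached over SSL. Listener and pool are assumed to exist already.
$listener = Get-AzApplicationGatewayHttpListener `
    -ApplicationGateway $appGw -Name 'listener-placeholder'
$pool = Get-AzApplicationGatewayBackendAddressPool `
    -ApplicationGateway $appGw -Name 'pool-placeholder'
$appGw = Set-AzApplicationGatewayRequestRoutingRule `
    -ApplicationGateway $appGw `
    -Name 'rule-placeholder' `
    -RuleType Basic `
    -HttpListener $listener `
    -BackendAddressPool $pool `
    -BackendHttpSettings $httpsSettings

# Step 5: apply the configuration to Azure.
$appGw = Set-AzApplicationGateway -ApplicationGateway $appGw

# Step 6: verify. A backend whose presented certificate does not match the
# whitelisted .cer shows as Unhealthy here, which is the symptom behind the
# "gateway error" described above.
Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg |
    Select-Object -ExpandProperty BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection.Servers } |
    Format-Table Address, Health
```

The whitelist is matched against the exact certificate the backend presents, so when a backend server's certificate is rotated the new .cer must be uploaded before the old one expires, or the backend health check fails and the gateway stops routing to it. Keeping the .cer files under version control next to the gateway configuration makes that rotation auditable.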

Next steps

After learning about end to end SSL, go to Enable end to end SSL on Application Gateway to create an application gateway that uses end to end SSL.