TLS termination with Key Vault certificates

Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and TLS/SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the v2 SKU of Application Gateway.

Key Vault integration offers two models for TLS termination:

  • You can explicitly provide TLS/SSL certificates attached to the listener. This model is the traditional way to pass TLS/SSL certificates to Application Gateway for TLS termination.
  • You can optionally provide a reference to an existing Key Vault certificate or secret when you create an HTTPS-enabled listener.

Application Gateway integration with Key Vault offers many benefits, including:

  • Stronger security, because TLS/SSL certificates aren't handled directly by the application development team. Integration allows a separate security team to:
    • Set up application gateways.
    • Control application gateway lifecycles.
    • Grant permissions to selected application gateways to access certificates that are stored in your key vault.
  • Support for importing existing certificates into your key vault, or for creating and managing new certificates through the Key Vault APIs with any of the trusted Key Vault partners.
  • Support for automatic renewal of certificates that are stored in your key vault.

Application Gateway currently supports certificates with software-protected private keys only. Certificates whose private key is hardware security module (HSM)-protected are not supported. After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install it locally for TLS termination. The instances also poll Key Vault at 4-hour intervals to retrieve a renewed version of the certificate, if one exists. If an updated certificate is found, the TLS/SSL certificate currently associated with the HTTPS listener is rotated automatically; because of the polling interval, a renewal can take up to 4 hours to reach the gateway.

Note

The Azure portal only supports Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal tooling such as PowerShell, the Azure CLI, the REST API, and ARM templates.

How integration works

Application Gateway integration with Key Vault requires a three-step configuration process:

  1. Create a user-assigned managed identity

    You create or reuse an existing user-assigned managed identity, which Application Gateway uses to retrieve certificates from Key Vault on your behalf. For more information, see Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal. This step creates a new identity in the Azure Active Directory tenant. The identity is trusted by the subscription that's used to create it.

  2. Configure your key vault

    You then either import an existing certificate or create a new one in your key vault. The certificate will be used by applications that run through the application gateway. In this step, you can also use a key vault secret that's stored as a password-less, base64-encoded PFX file. We recommend using the certificate type because of the autorenewal capability that's available for certificate objects in the key vault. After you've created a certificate or a secret, you define an access policy in the key vault that grants the identity get permission on secrets (a Key Vault certificate's private key is retrieved through the secrets endpoint, so get on secrets is the permission the gateway needs).

    Important

    Application Gateway currently requires Key Vault to allow access from all networks in order to use the integration. The integration is not supported when the Key Vault firewall is set to allow only private endpoints and selected networks. Support for private and selected networks is in the works for full integration of Key Vault with Application Gateway.

    Note

    If you deploy the application gateway via an ARM template, either by using the Azure CLI or PowerShell, or via an Azure application deployed from the Azure portal, the SSL certificate is stored in the key vault as a base64-encoded PFX file. You must complete the steps in Use Azure Key Vault to pass secure parameter value during deployment.

    It's particularly important to set enabledForTemplateDeployment to true. The certificate may be passwordless or it may have a password. For a certificate with a password, the following example shows a possible configuration for the sslCertificates entry in the properties of the app gateway's ARM template. The values of appGatewaySSLCertificateData and appGatewaySSLCertificatePassword are looked up from the key vault as described in the section Reference secrets with dynamic ID. Follow the references backward from parameters('secretName') to see how the lookup happens. If the certificate is passwordless, omit the password entry.

    "sslCertificates": [
        {
            "name": "appGwSslCertificate",
            "properties": {
                "data": "[parameters('appGatewaySSLCertificateData')]",
                "password": "[parameters('appGatewaySSLCertificatePassword')]"
            }
        }
    ]
    
  3. Configure the application gateway

    After you complete the two preceding steps, you can set up or modify an existing application gateway to use the user-assigned managed identity. You can also configure the HTTPS listener's TLS/SSL certificate to point to the complete URI of the Key Vault certificate or secret ID.

    [Figure: Key Vault certificate]
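
The three steps above carried out end to end with Az PowerShell, as an added example that is not part of the original article. The resource group, vault name, certificate name, and gateway name are placeholders, and the vault and v2 gateway are assumed to exist already; everything else (the identity, the certificate, the access policy, the SSL certificate reference, and the listener) is created here.

```powershell
# Added example (not from the original article). Placeholder names; the resource
# group, the Key Vault and the v2 Application Gateway are assumed to exist.
$rg        = "rg-appgw-demo"
$location  = "eastus"
$vault     = "kv-appgw-demo"
$certName  = "www-contoso-com"
$appGwName = "appgw-v2-demo"

# Step 1: create (or reuse) the user-assigned managed identity the gateway will use.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "id-appgw-kv" -Location $location

# Step 2a: create a certificate object in the vault. The key must stay exportable and
# software-protected (KeyType RSA, not RSA-HSM), which is what the gateway supports.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName "CN=www.contoso.com" -IssuerName Self `
            -ValidityInMonths 12 -KeyType RSA -KeySize 2048 -SecretContentType "application/x-pkcs12"
Add-AzKeyVaultCertificate -VaultName $vault -Name $certName -CertificatePolicy $policy | Out-Null
do {
    Start-Sleep -Seconds 5
    $op = Get-AzKeyVaultCertificateOperation -VaultName $vault -Name $certName
} while ($op.Status -ne "completed")

# Step 2b: grant the identity 'get' on secrets only (least privilege); the gateway reads
# the certificate and its private key through the secrets endpoint. If the vault uses the
# RBAC permission model instead of access policies, assign "Key Vault Secrets User" at
# vault scope with New-AzRoleAssignment rather than using Set-AzKeyVaultAccessPolicy.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# Step 2c: the integration currently requires the vault firewall to allow all networks.
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -DefaultAction Allow

# Step 3: attach the identity to the gateway and reference the vault secret from a listener.
$appgw = Get-AzApplicationGateway -Name $appGwName -ResourceGroupName $rg
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $identity.Id | Out-Null

# Use the version-less secret ID: the 4-hour poll then picks up renewed versions.
# A versioned ID (.../secrets/<name>/<32-hex-version>) pins the gateway to that version.
$secretId = (Get-AzKeyVaultCertificate -VaultName $vault -Name $certName).SecretId
$secretId = $secretId -replace '/[0-9a-f]{32}$', ''

Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name "kv-$certName" -KeyVaultSecretId $secretId | Out-Null
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name "kv-$certName"

$feIp = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $appgw | Select-Object -First 1
Add-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name "port443" -Port 443 | Out-Null
$fePort = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name "port443"
Add-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name "https-listener" -Protocol Https `
    -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $sslCert | Out-Null
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name "https-listener"

# Route the listener to the gateway's existing backend pool and settings so it is usable.
$pool     = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appgw | Select-Object -First 1
$settings = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $appgw | Select-Object -First 1
Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name "https-rule" -RuleType Basic `
    -Priority 100 -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $settings | Out-Null

# Commit. This is the point at which the gateway actually tries to read the secret, so a
# missing permission or a locked-down vault firewall surfaces here.
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

# Verify that the gateway resolved the certificate from the vault.
(Get-AzApplicationGateway -Name $appGwName -ResourceGroupName $rg).SslCertificates |
    Select-Object Name, KeyVaultSecretId, ProvisioningState
```

The `-replace` on the secret ID is the part worth keeping in mind: `Get-AzKeyVaultCertificate` returns the versioned identifier, and referencing that version from the gateway means the 4-hour poll never sees a renewed certificate.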

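The template-deployment path described in the note under step 2, as an added example that is not part of the original article: stage a PFX as the base64 secret and password that the sslCertificates entry consumes, enable template deployment on the vault, and deploy with a parameter file that references the two secrets by static ID. The vault name, resource group, PFX path, template file name (appgw.json) and secret names are placeholders, and the template is assumed to declare appGatewaySSLCertificateData and appGatewaySSLCertificatePassword as secureString parameters.

```powershell
# Added example (not from the original article). Placeholder names and paths.
$rg      = "rg-appgw-demo"
$vault   = "kv-appgw-demo"
$pfxPath = "C:\certs\www-contoso-com.pfx"
$pfxPass = Read-Host -AsSecureString -Prompt "PFX password"

# The template wants the certificate as a base64 string, not a certificate object,
# so the PFX goes into a plain secret; the password goes into a second secret.
$pfxB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pfxPath))
Set-AzKeyVaultSecret -VaultName $vault -Name "appgw-pfx-data" `
    -SecretValue (ConvertTo-SecureString $pfxB64 -AsPlainText -Force) | Out-Null
Set-AzKeyVaultSecret -VaultName $vault -Name "appgw-pfx-password" -SecretValue $pfxPass | Out-Null

# enabledForTemplateDeployment = true: without it Resource Manager cannot read the
# secrets at deploy time and the deployment fails before the gateway is touched.
Set-AzKeyVaultAccessPolicy -VaultName $vault -EnabledForTemplateDeployment

# Static-ID references live in a parameter file: each secure parameter points at the
# vault resource ID plus a secret name, and the secret value never appears on disk.
$vaultId   = (Get-AzKeyVault -VaultName $vault).ResourceId
$paramFile = ".\appgw.parameters.json"
@"
{
  "`$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appGatewaySSLCertificateData": {
      "reference": { "keyVault": { "id": "$vaultId" }, "secretName": "appgw-pfx-data" }
    },
    "appGatewaySSLCertificatePassword": {
      "reference": { "keyVault": { "id": "$vaultId" }, "secretName": "appgw-pfx-password" }
    }
  }
}
"@ | Set-Content -Path $paramFile -Encoding UTF8

# Deploy; the sslCertificates entry in appgw.json receives the two values as shown
# in the template fragment above. Omit the password secret for a passwordless PFX.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile ".\appgw.json" -TemplateParameterFile $paramFile
```

Unlike the managed-identity integration, this path copies the PFX into the gateway at deployment time, so a renewed certificate in the vault is only picked up by redeploying; that is the practical reason the article recommends the certificate-object integration for anything that needs autorenewal.
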
Next steps

Configure TLS termination with Key Vault certificates by using Azure PowerShell