TLS termination with Key Vault certificates

Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and TLS/SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the v2 SKU of Application Gateway.

Key Vault integration offers two models for TLS termination:

  • You can explicitly provide TLS/SSL certificates attached to the listener. This model is the traditional way to pass TLS/SSL certificates to Application Gateway for TLS termination.
  • You can optionally provide a reference to an existing Key Vault certificate or secret when you create an HTTPS-enabled listener.

Application Gateway integration with Key Vault offers many benefits, including:

  • Stronger security, because TLS/SSL certificates aren't directly handled by the application development team. Integration allows a separate security team to:
    • Set up application gateways.
    • Control application gateway lifecycles.
    • Grant permissions to selected application gateways to access certificates that are stored in your key vault.
  • Support for importing existing certificates into your key vault, or for using Key Vault APIs to create and manage new certificates with any of the trusted Key Vault partners.
  • Support for automatic renewal of certificates that are stored in your key vault.

Application Gateway currently supports software-validated certificates only. Hardware security module (HSM)-validated certificates are not supported. After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install it locally for TLS termination. The instances also poll Key Vault at 4-hour intervals to retrieve a renewed version of the certificate, if one exists. If an updated certificate is found, the TLS/SSL certificate currently associated with the HTTPS listener is automatically rotated.

Note

The Azure portal only supports Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources such as PowerShell, the CLI, the API, and ARM templates.

How integration works

Application Gateway integration with Key Vault requires a three-step configuration process:

  1. Create a user-assigned managed identity

    You create or reuse an existing user-assigned managed identity, which Application Gateway uses to retrieve certificates from Key Vault on your behalf. For more information, see Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal. This step creates a new identity in the Azure Active Directory tenant. The identity is trusted by the subscription that's used to create it.

  2. Configure your key vault

    You then either import an existing certificate or create a new one in your key vault. The certificate will be used by applications that run through the application gateway. In this step, you can also use a Key Vault secret, which allows you to store a password-less, base64-encoded PFX file. We recommend using the "Certificate" type because of the auto-renewal capability that's available for this type of object in Key Vault. After you've created a certificate or a secret, you must define access policies in Key Vault that grant the identity "get" access to the secret.

    Important

    Starting March 15th 2021, Key Vault recognizes Azure Application Gateway as one of the Trusted Services, which lets you build a secure network boundary in Azure. You can deny access to Key Vault from all networks (including internet traffic) while still keeping it accessible to the Application Gateway resources under your subscription.

    You can configure your application gateway within a restricted Key Vault network as follows:
    a) Under Key Vault's Networking blade,
    b) choose Private endpoint and selected networks in the "Firewall and Virtual Networks" tab,
    c) then, under Virtual Networks, add your application gateway's virtual network and subnet. During this process, also configure the 'Microsoft.KeyVault' service endpoint by selecting its checkbox.
    d) Finally, select "Yes" to allow Trusted Services to bypass Key Vault's firewall.

    (Figure: Key Vault firewall settings)

    Note

    If you deploy the application gateway via an ARM template, either by using the Azure CLI or PowerShell, or via an Azure application deployed from the Azure portal, the SSL certificate is stored in the key vault as a base64-encoded PFX file. You must complete the steps in Use Azure Key Vault to pass secure parameter value during deployment.

    It's particularly important to set enabledForTemplateDeployment to true. The certificate may be passwordless or it may have a password. In the case of a certificate with a password, the following example shows a possible configuration for the sslCertificates entry in the properties of the ARM template configuration for an application gateway. The values of appGatewaySSLCertificateData and appGatewaySSLCertificatePassword are looked up from the key vault as described in the section Reference secrets with dynamic ID. Follow the references backward from parameters('secretName') to see how the lookup happens. If the certificate is passwordless, omit the password entry.

    "sslCertificates": [
        {
            "name": "appGwSslCertificate",
            "properties": {
                "data": "[parameters('appGatewaySSLCertificateData')]",
                "password": "[parameters('appGatewaySSLCertificatePassword')]"
            }
        }
    ]
    
  3. Configure the application gateway

    After you complete the two preceding steps, you can set up or modify an existing application gateway to use the user-assigned managed identity. For more information, see Set-AzApplicationGatewayIdentity.

    You can also configure the HTTP listener's TLS/SSL certificate to point to the complete URI of the Key Vault certificate or secret ID.
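    The three steps above, carried out end to end with Azure PowerShell, as an added example that is not part of the original page or of Microsoft's own samples. Every resource name (resource group, vault, certificate, VNet, subnet, gateway, listener, frontend names) is an assumption, and the listener, frontend IP configuration and port 443 frontend port are assumed to already exist on a v2 gateway. The certificate is referenced by its versionless secret URI rather than by a specific version, so that the 4-hour poll can pick up a renewed certificate; the Key Vault firewall part is optional and mirrors items a) through d) of the Important box.

```powershell
# Added example (not from the original page). All names below are assumptions.
$rg        = 'rg-appgw-demo'      # assumed resource group
$location  = 'eastus'             # assumed region
$vaultName = 'kv-appgw-demo'      # assumed key vault name
$certName  = 'www-contoso-com'    # assumed certificate name inside the vault
$appGwName = 'appgw-demo'         # assumed existing v2 application gateway

# Step 1: create (or reuse) the user-assigned managed identity the gateway acts as.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-appgw-keyvault' -Location $location

# Step 2: put the certificate in the vault. A Key Vault *certificate* is preferred
# over a raw secret because only the certificate type can auto-renew.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName `
    -FilePath '.\www-contoso-com.pfx' -Password $pfxPassword | Out-Null

# Application Gateway reads the certificate through the secrets endpoint, so the
# access policy grants "get" on secrets only (least privilege: no list, no set).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# Optional: restrict the vault to the gateway's subnet (service endpoint required)
# and let trusted services, which includes Application Gateway, bypass the firewall.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-appgw'              # assumed VNet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-appgw'    # assumed subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-appgw' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.KeyVault' |
    Set-AzVirtualNetwork | Out-Null
Add-AzKeyVaultNetworkRule -VaultName $vaultName -VirtualNetworkResourceId $subnet.Id
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -DefaultAction Deny -Bypass AzureServices

# Step 3: attach the identity to the gateway and reference the certificate by its
# versionless secret URI (https://<vault>.vault.azure.net/secrets/<name>), so that a
# renewed version is picked up by the 4-hour poll instead of being pinned.
$kv       = Get-AzKeyVault -VaultName $vaultName
$secretId = $kv.VaultUri.TrimEnd('/') + "/secrets/$certName"

$appgw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $appGwName
$appgw = Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $identity.Id
$appgw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw `
    -Name 'kv-www-contoso-com' -KeyVaultSecretId $secretId

# Bind the Key Vault-backed certificate to an existing HTTPS listener (assumed names).
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name 'kv-www-contoso-com'
$feIp    = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $appgw -Name 'appGwPublicFrontendIp'
$fePort  = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name 'port_443'
$appgw = Set-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name 'listener-https' `
    -FrontendIPConfiguration $feIp -FrontendPort $fePort -Protocol Https -SslCertificate $sslCert

# Commit the in-memory changes to the gateway resource.
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

# Check: the certificate object should carry the Key Vault reference, not inline PFX data.
(Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name 'kv-www-contoso-com').KeyVaultSecretId
```

    If the final check prints the versionless secret URI, the gateway instances fetch the PFX from Key Vault themselves and the application team never handles the private key. Importing the PFX with `Import-AzKeyVaultCertificate` is shown for an existing certificate; a certificate created in Key Vault with a renewal policy would skip that step and gain auto-renewal as the page recommends.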

    (Figure: Key Vault certificate reference on the listener)

Next steps

Configure TLS termination with Key Vault certificates by using Azure PowerShell