Overview of TLS termination and end-to-end TLS with Application Gateway

Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and encrypted. Application Gateway supports both TLS termination at the gateway and end-to-end TLS encryption.

TLS termination

Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. There are a number of advantages to doing TLS termination at the application gateway:

  • Improved performance - The biggest performance hit when doing TLS decryption is the initial handshake. To improve performance, the server doing the decryption caches TLS session IDs and manages TLS session tickets. If this is done at the application gateway, all requests from the same client can use the cached values. If it's done on the backend servers, then each time the client's requests go to a different server the client must re-authenticate. The use of TLS tickets can help mitigate this issue, but they are not supported by all clients and can be difficult to configure and manage.
  • Better utilization of the backend servers - SSL/TLS processing is very CPU intensive, and is becoming more intensive as key sizes increase. Removing this work from the backend servers allows them to focus on what they are most efficient at: delivering content.
  • Intelligent routing - By decrypting the traffic, the application gateway has access to the request content, such as headers, URI, and so on, and can use this data to route requests.
  • Certificate management - Certificates only need to be purchased and installed on the application gateway, not on all backend servers. This saves both time and money.

To configure TLS termination, a TLS/SSL certificate must be added to the listener so that the application gateway can derive a symmetric key as per the TLS/SSL protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. The TLS/SSL certificate needs to be in Personal Information Exchange (PFX) format. This file format allows you to export the private key that is required by the application gateway to perform the encryption and decryption of traffic.

Please note that the certificate on the listener requires the entire certificate chain to be uploaded.

Application Gateway does not provide any capability to create a new certificate or send a certificate request to a certification authority.

For the TLS connection to work, you need to ensure that the TLS/SSL certificate meets the following conditions:

  • The current date and time is within the "Valid from" and "Valid to" date range on the certificate.
  • The certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.

Certificates supported for TLS termination

Application Gateway supports the following types of certificates:

  • CA (Certificate Authority) certificate: A CA certificate is a digital certificate issued by a certificate authority (CA).
  • EV (Extended Validation) certificate: An EV certificate is a certificate that conforms to industry-standard certificate guidelines. This will turn the browser locator bar green and publish the company name as well.
  • Wildcard certificate: This certificate supports any number of subdomains based on *.site.com, where your subdomain would replace the *. It doesn't, however, support site.com, so if users access your website without typing the leading "www", the wildcard certificate will not cover that.
  • Self-signed certificates: Client browsers do not trust these certificates and will warn the user that the virtual service's certificate is not part of a trust chain. Self-signed certificates are good for testing or for environments where administrators control the clients and can safely bypass the browser's security alerts. Production workloads should never use self-signed certificates.
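The two listener conditions above (validity window, CN matching the request Host header) and the wildcard rule from the certificate list (*.site.com covers one level of subdomain but not site.com itself) can be expressed as a small validation routine. The following is an added example and is not Application Gateway code; it models certificates as plain dicts constructed inline rather than parsing a real PFX, and the sample certificates, dates and host names are all constructed for the illustration.

```python
"""Listener-certificate checks modelled on the conditions Application Gateway
applies: validity window and CN / Host header match, including the wildcard
rule (*.contoso.com covers www.contoso.com but not contoso.com).

Added example, not Application Gateway code. Certificates are plain dicts
constructed here; no PFX parsing is performed.
"""
from datetime import datetime, timezone


def name_matches(cert_name: str, host: str) -> bool:
    """Match a certificate Common Name against the request Host.

    A wildcard name *.site.com matches exactly one label in front of
    site.com (www.site.com, api.site.com) but not site.com itself and not
    deeper names such as a.b.site.com. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        head, sep, tail = host.partition(".")
        return sep == "." and head != "" and tail == suffix
    return cert_name == host


def validate_listener_cert(cert: dict, host_header: str, now: datetime) -> list:
    """Return the list of failed conditions; an empty list means the
    certificate is usable for this request at time `now`."""
    problems = []
    if not (cert["valid_from"] <= now <= cert["valid_to"]):
        problems.append("current time is outside the Valid from / Valid to range")
    # The Host header may carry a port (www.contoso.com:443); the CN never does.
    host = host_header.split(":", 1)[0]
    if not name_matches(cert["cn"], host):
        problems.append(f"CN {cert['cn']} does not match Host {host}")
    return problems


# Constructed sample certificates (subject CN and validity window only).
CONTOSO_CERT = {
    "cn": "www.contoso.com",
    "valid_from": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "valid_to": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
WILDCARD_CERT = {
    "cn": "*.contoso.com",
    "valid_from": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "valid_to": datetime(2025, 1, 1, tzinfo=timezone.utc),
}

# Constructed points in time: inside and after the validity window.
NOW_OK = datetime(2024, 6, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2025, 3, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    for cert, host, now in [
        (CONTOSO_CERT, "www.contoso.com", NOW_OK),
        (CONTOSO_CERT, "www.contoso.com:443", NOW_EXPIRED),
        (WILDCARD_CERT, "api.contoso.com", NOW_OK),
        (WILDCARD_CERT, "contoso.com", NOW_OK),
    ]:
        print(cert["cn"], host, validate_listener_cert(cert, host, now) or "OK")
```

The wildcard branch is the part worth checking in your own environment: a request for the bare apex name against a *.contoso.com listener certificate is reported as a CN mismatch, which is exactly the "missing leading www" case the list above warns about.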

For more information, see Configure TLS termination with Application Gateway.

Size of the certificate

Check the Application Gateway limits section to find the maximum TLS/SSL certificate size supported.

End-to-end TLS encryption

Some customers may not want unencrypted communication to the backend servers. This could be due to security requirements, compliance requirements, or because the application only accepts a secure connection. For such applications, Application Gateway supports end-to-end TLS encryption.

End-to-end TLS allows you to transmit sensitive data to the backend encrypted while still taking advantage of the Layer 7 load-balancing features that Application Gateway provides. Some of these features are cookie-based session affinity, URL-based routing, support for routing based on sites, and the ability to inject X-Forwarded-* headers.

When configured in end-to-end TLS communication mode, Application Gateway terminates the TLS session at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route the traffic to. Application Gateway then initiates a new TLS connection to the backend server and re-encrypts the data using the backend server's public key certificate before transmitting the request to the backend. Any response from the web server goes through the same process back to the end user. End-to-end TLS is enabled by setting the protocol in the Backend HTTP Setting to HTTPS, which is then applied to a backend pool.

The TLS policy applies to both frontend and backend traffic. On the front end, Application Gateway acts as the server and enforces the policy. On the backend, Application Gateway acts as the client and sends the protocol/cipher information as its preference during the TLS handshake.

Application Gateway only communicates with those backend instances that have either whitelisted their certificate with the application gateway or whose certificates are signed by well-known certificate authorities and whose certificate CN matches the host name in the HTTP backend settings. These include trusted Azure services such as Azure App Service web apps and Azure API Management.

If the certificates of the members in the backend pool are not signed by well-known certificate authorities, then each instance in the backend pool with end-to-end TLS enabled must be configured with a certificate to allow secure communication. Adding the certificate ensures that the application gateway only communicates with known backend instances. This further secures the end-to-end communication.

Authentication certificate setup is not required for trusted Azure services such as Azure App Service web apps and Azure API Management.

The certificate added to the Backend HTTP Setting to authenticate the backend servers can be the same as the certificate added to the listener for TLS termination at the application gateway, or a different one for enhanced security.

End-to-end TLS scenario

In this example, requests using TLS 1.2 are routed to backend servers in Pool1 using end-to-end TLS.

End-to-end TLS and whitelisting of certificates

Application Gateway only communicates with known backend instances that have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, you must upload the public key of the backend server certificates (not the root certificate) to the application gateway. Only connections to known and whitelisted backends are then allowed; a connection to any other backend results in a gateway error. Self-signed certificates are for test purposes only and are not recommended for production workloads. Such certificates must be whitelisted with the application gateway as described in the preceding steps before they can be used.

Authentication certificate setup is not required for trusted Azure services such as Azure App Service.

End-to-end TLS with the v2 SKU

Authentication Certificates have been deprecated and replaced by Trusted Root Certificates in the Application Gateway v2 SKU. They function similarly to Authentication Certificates, with a few key differences:

  • Certificates signed by well-known certificate authorities whose CN matches the host name in the HTTP backend settings do not require any additional step for end-to-end TLS to work.

    For example, if the backend certificates are issued by a well-known CA and have a CN of contoso.com, and the backend HTTP setting's Host field is also set to contoso.com, then no additional steps are required. You can set the backend HTTP setting protocol to HTTPS, and both the health probe and the data path will be TLS enabled. If you're using Azure App Service or other Azure web services as your backend, these are implicitly trusted as well and no further steps are required for end-to-end TLS.

For a TLS/SSL certificate to be trusted, the certificate of the backend server must have been issued by a CA that is included in the trusted store of the Application Gateway. If the certificate was not issued by a trusted CA, the Application Gateway then checks whether the certificate of the issuing CA was issued by a trusted CA, and so on, until either a trusted CA is found (at which point a trusted, secure connection is established) or no trusted CA can be found (at which point the Application Gateway marks the backend unhealthy). Therefore, it is recommended that the backend server certificate chain contain both the root and intermediate CAs.

  • If the certificate is self-signed, or signed by unknown intermediaries, then to enable end-to-end TLS in the v2 SKU a trusted root certificate must be defined. Application Gateway will only communicate with backends whose server certificate's root certificate matches one of the trusted root certificates in the backend HTTP setting associated with the pool.

The self-signed certificate must be part of a certificate chain. A single self-signed certificate with no chain is not supported in the v2 SKU.

  • In addition to the root certificate match, Application Gateway also validates that the Host setting specified in the backend HTTP setting matches the common name (CN) presented by the backend server's TLS/SSL certificate. When trying to establish a TLS connection to the backend, Application Gateway sets the Server Name Indication (SNI) extension to the Host specified in the backend HTTP setting.
  • If "pick hostname from backend address" is chosen instead of the Host field in the backend HTTP setting, then the SNI header is always set to the backend pool FQDN, and the CN on the backend server's TLS/SSL certificate must match that FQDN. Backend pool members addressed by IP aren't supported in this scenario.
  • The root certificate is a base64-encoded root certificate from the backend server's certificate chain.
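The v2 rules above combine three decisions: which name the gateway sends as SNI (the Host field, or the pool member's FQDN when "pick hostname from backend address" is selected, with IP members unsupported), whether the presented chain walks up to a root in the gateway's built-in store or in the user-defined trusted root certificates (a lone self-signed certificate is rejected), and whether the backend certificate's CN matches that host name. The following is an added example and is not Application Gateway code: the built-in trusted store, the certificates and the pool members are all constructed stand-ins, certificates are modelled as subject/issuer dicts rather than parsed X.509, and the CN comparison is an exact match (the wildcard handling a real gateway would apply is omitted here).

```python
"""Backend trust decision for the Application Gateway v2 SKU, modelled on the
rules described above. Added example, not Application Gateway code.

Certificates are dicts with "subject" and "issuer" CNs; a certificate is
self-signed when subject == issuer. The gateway's built-in trusted store and
the user-defined trusted root certificates are modelled as sets of root CNs.
"""
import ipaddress

# Stand-in for the gateway's built-in trusted store (constructed name).
BUILTIN_TRUSTED_ROOTS = {"Example Public Root CA"}


def is_ip(address: str) -> bool:
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def backend_host_name(http_setting: dict, member_address: str):
    """Return the SNI / expected-CN host name, or None when unsupported.

    With "pick hostname from backend address" the SNI is the pool member's
    FQDN and IP members are not supported; otherwise the Host field is used.
    """
    if http_setting.get("pick_hostname_from_backend_address"):
        return None if is_ip(member_address) else member_address
    return http_setting.get("host")


def chain_reaches_trusted_root(chain: list, trusted_roots: set) -> bool:
    """Walk leaf -> issuer -> ... until an issuer is a trusted root.

    chain[0] is the backend server certificate; later entries are the
    intermediates and root it sends. A single self-signed certificate with
    no chain is rejected, as in the v2 SKU.
    """
    if not chain:
        return False
    leaf = chain[0]
    if len(chain) == 1 and leaf["subject"] == leaf["issuer"]:
        return False
    by_subject = {c["subject"]: c for c in chain}
    current, seen = leaf, set()
    while True:
        if current["issuer"] in trusted_roots:
            return True
        # Stop at a self-signed cert, a loop, or an issuer not in the chain.
        if current["subject"] == current["issuer"] or current["subject"] in seen:
            return False
        seen.add(current["subject"])
        issuer_cert = by_subject.get(current["issuer"])
        if issuer_cert is None:
            return False
        current = issuer_cert


def evaluate_backend(http_setting: dict, member_address: str,
                     presented_chain: list, user_trusted_roots) -> str:
    """Return "healthy" or a string starting with the failure class."""
    host = backend_host_name(http_setting, member_address)
    if host is None:
        return "unsupported: IP backend member with pick hostname from backend address"
    trusted = BUILTIN_TRUSTED_ROOTS | set(user_trusted_roots)
    if not chain_reaches_trusted_root(presented_chain, trusted):
        return "unhealthy: backend certificate chain reaches no trusted root"
    leaf_cn = presented_chain[0]["subject"]
    if leaf_cn.lower() != host.lower():
        return f"unhealthy: CN {leaf_cn} does not match host {host}"
    return "healthy"


# Constructed sample chains, presented leaf first.
PUBLIC_CHAIN = [{"subject": "contoso.com", "issuer": "Example Public Root CA"}]
PRIVATE_CHAIN = [
    {"subject": "app.internal.contoso", "issuer": "Contoso Issuing CA"},
    {"subject": "Contoso Issuing CA", "issuer": "Contoso Private Root CA"},
    {"subject": "Contoso Private Root CA", "issuer": "Contoso Private Root CA"},
]
SELF_SIGNED_ONLY = [{"subject": "app.internal.contoso", "issuer": "app.internal.contoso"}]


if __name__ == "__main__":
    print(evaluate_backend({"host": "contoso.com"}, "10.0.0.4", PUBLIC_CHAIN, []))
    print(evaluate_backend({"host": "app.internal.contoso"}, "10.0.0.5", PRIVATE_CHAIN, []))
    print(evaluate_backend({"host": "app.internal.contoso"}, "10.0.0.5", PRIVATE_CHAIN,
                           ["Contoso Private Root CA"]))
    print(evaluate_backend({"pick_hostname_from_backend_address": True}, "10.0.0.4",
                           PUBLIC_CHAIN, []))
```

The PRIVATE_CHAIN case shows why the recommendation to include intermediates matters: the leaf is issued by an intermediate, so the gateway can only reach the user-defined "Contoso Private Root CA" if that intermediate is present in what the backend sends. Uploading the private root alone without the intermediate in the chain would leave the walk stranded at an unknown issuer and the backend marked unhealthy.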

Next steps

After learning about end-to-end TLS, go to Configure end-to-end TLS by using Application Gateway with PowerShell to create an application gateway that uses end-to-end TLS.