Is mTLS between app gateway and APIM possible?

Open ronaldbosma opened this issue 4 months ago • 3 comments

The architecture diagram suggests that an mTLS connection between the app gateway and APIM is possible (point 5). However, according to this FAQ it is not.

Can you provide insights into which documentation is correct? And if an mTLS connection to a backend is possible, how would this be configured in the app gateway backend pool/backend http settings?


ronaldbosma, Feb 15 '24 06:02

@ronaldbosma Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT, Feb 15 '24 15:02

@ronaldbosma Could you please share your requirement? Are you looking for mTLS APIM, Application Gateway with AKS or just Application Gateway with other endpoints?

saswatmohanty01, Feb 29 '24 18:02

I'm assuming that the image on Deploy AKS and API Management with mTLS uses the 'normal' version of the Azure Application Gateway and not the recently released Application Gateway for Containers version, because that resource has a different icon.

The architecture image suggests that communication from the application gateway to API Management is possible using mTLS. See the highlighted part below.

[image]

According to the application gateway FAQ, communication to backends (in our case APIM) using mTLS is not possible.

I'm assuming that the image on Deploy AKS and API Management with mTLS is incorrect and should be fixed.


As for my client situation: we have the Azure Application Gateway and it routes traffic to Azure API Management as the backend. I know that both Azure Application Gateway and Azure API Management support mTLS on incoming traffic. We were looking into also using mTLS for traffic coming from the Azure Application Gateway going to API Management, but as mentioned before, this does not seem possible.

One of my colleagues saw the picture on Deploy AKS and API Management with mTLS. Because of that, he wasn't convinced that mTLS from Azure Application Gateway to API Management is not possible.

ronaldbosma, Mar 01 '24 10:03