Table of contents
Topics on this page

TLS Requirements for Azure

For the Azure platform, a TLS inspection policy requires:

  • Access to Azure Active Directory (AD). Be sure to also associate your Azure subscription to your Azure AD. To enable your virtual appliance to authenticate to Azure AD, create a managed identity and assign a role to the new identity. Learn more about managed identities.
  • Access to the Azure Key Vault. Your appliance must be authenticated and authorized in order to access server certificates and private keys from Azure Key Vault.
  • Authentication: Create a system-assigned or user-assigned Managed Identity on the appliance. This enables your appliance to authenticate to Azure Key Vault using Azure AD, which avoids storing any credentials in code.
  • Authorization: Configure your appliance to have the required permissions to access certificates and secrets (Azure Key Vault stores private keys as secrets). For optimal security, configure only the minimum required permissions. From your Azure Dashboard, navigate to YourKeyVault > Settings > Access Policies > Permission model and select one of the following models to configure permissions:
    • Vault access policy: Determines which types of Azure Key Vault operations your appliance can perform on secrets, keys, and certificates. To access the webserver certificate, the virtual appliance requires List and Get certificate permissions. To access the webserver's private key, the virtual appliance requires the GET secret permission. Remember to save your configurations. Learn more.
    • Azure role-based access control (RBAC): Provides fine-grained permissions on different scope levels (subscription, resource group, or individual resources). The Azure RBAC model provides more granularity in defining the scope of the permissions. Learn more.
  • Access to private keys: When a certificate is created or imported to the Azure Key Vault, configure the certificate policy to be exportable so that you appliance can also access private keys associated with the certificate.

  • Server to be proxied, and access to its private key. Although you can configure multiple proxies for TLS inspection, only one proxy can be configured at a time. To add the server, go to the Network > Appliances > appliancename page.

  • Network Security virtual appliances. Although you can configure multiple appliances for TLS inspection, only one appliance can be configured at a time. The appliance must have a minimum version of 2021.8.0.11159.
    TLS inspection is now supported for appliances that belong to scaling groups or scale sets as well as appliances with an Azure Internal Load Balancer (ILB), but you must distribute the TLS policy to each appliance in the scale set. Network Security virtual appliances do not support auto-scaling.
  • A single server with a protected IP address, or a CIDR for servers running behind a load balancer. For example, 192.0.2.0 or, if you use a CIDR, 198.51.100.0/24. A subnet can range from 8 to 32. To get the server's IP, refer to Retrieve private IP address information for a VM.
  • Server’s public certificate. You can enable access through Azure Key Vault.