NGINXaaS for Azure: Azure Key Vault

Welcome back to our series on F5 NGINXaaS for Azure! Last time we set up basic load balancing using NGINXaaS for Azure. Today, we’re going to look at using Azure Key Vault to manage the keys for TLS offloading.

Azure Key Vault

Much like how NGINXaaS for Azure takes care of managing the underlying infrastructure to run NGINX Plus instances, Azure Key Vault manages key storage, including secure Hardware Security Modules (HSMs), to keep sensitive cryptographic material secure and away from prying eyes. NGINXaaS for Azure integrates with Azure Key Vault to manage your TLS keys in a secure manner.

Getting Started

We’ll pick up where we left off from our previous article; we’ve configured an NGINXaaS for Azure instance, and we have it load balancing to a pool of backend servers.

[Image: NGINX for Azure Diagram]

Creating a Managed Identity

To use Azure Key Vault, we need to be able to authorize our NGINX instance to access the appropriate key material. We do this with a Managed Identity (MI). To create the identity:

  • Search for “Managed Identities” in the top search bar
  • Click “Create”
  • Select a resource group and region for the identity
  • Give the identity a name
  • Click “Review and Create”, then “Create”
[Image: Create a Managed Identity]

We then need to ensure that our MI has the correct permissions to use the vault. Our vault uses Access Policies rather than RBAC, so our process is:

  • Open the key vault and select “Access Policies” from the left-hand menu
  • Click “Create”
  • Select the “GET” Secrets permission and click “Next”
  • Select the Managed Identity for our NGINX instance as the Principal
  • Click through to finish creating the Access Policy
[Image: Azure Key Vault Access Policy]

If you are using RBAC, the process is similar, but you need to give your MI the “Key Vault Secrets User” or higher role in the vault’s IAM menu.

Configure NGINX

Now that we have our vault access set up, we can assign our Managed Identity to our NGINX instance and use a certificate from that vault in our NGINX config. Like last time, I won’t be screenshotting every click, but full documentation is available at the official NGINX docs.

  • From your NGINX instance, click “Identity” from the left-hand menu
  • Click “Add”
  • Select the Managed Identity, and click “Add”
[Image: Add User Assigned MI]

Now to configure the certificate:

  • Click “NGINX Certificates” from the left-hand menu
  • Click “Add Certificate”
  • Give the certificate a name
  • Specify the path to where your NGINX config will find the certificate and key
  • Select the key vault and certificate that you wish to use
  • Click “Save”
[Image: Add Certificate to NGINX Instance]

From here it’s just like configuring TLS offload on any NGINX instance. Listen on 443, and specify the ssl_certificate and ssl_certificate_key paths we created above.

[Image: NGINX TLS configuration]
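As an added example (not the configuration from the original post, nor NGINX’s own documentation), here is what the resulting TLS offload configuration looks like. The server name, backend addresses, and the certificate and key paths are assumed placeholders; the two paths must be exactly the ones you entered under “NGINX Certificates”, because that mapping is how NGINXaaS for Azure fetches the material from Key Vault with the Managed Identity and presents it to NGINX at those locations.

```nginx
# Added example configuration (assumed values, not from the original post).
http {
    # Backend pool from the previous article; addresses are placeholders.
    upstream backend {
        server 10.0.1.4:80;
        server 10.0.1.5:80;
    }

    # Redirect plain HTTP to HTTPS so clients only use the offloaded listener.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        # These paths must match the certificate path and key path configured
        # under "NGINX Certificates". The files are populated from Azure Key
        # Vault at runtime; no key material is part of the uploaded config.
        ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

If the paths in `ssl_certificate` and `ssl_certificate_key` do not match the paths entered in the Azure portal, NGINX will fail to load the certificate, so check the NGINXaaS deployment’s error output after applying the configuration.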

Now let’s test it out: I got the red lock here because I used a self-signed certificate, but the fingerprint matches what’s in Azure Key Vault.

[Image: TLS Browsing Result]

[Image: TLS Certificate]

Summary

While we could have simply uploaded our certificate and key alongside the configuration, that archive would then contain sensitive key material and would need to be protected accordingly. Using NGINXaaS for Azure with Azure Key Vault provides a secure way to manage your TLS secrets. Stay tuned to learn more advanced features of NGINXaaS for Azure.

References

Azure Key Vault

Updated Mar 19, 2024
Version 4.0