on 20-Oct-2022 09:00 - edited on 13-Jan-2023 13:11 by Jeff_Giroux_F5
Welcome back to our series on F5 NGINXaaS for Azure! Last time we set up basic load balancing using NGINXaaS for Azure. Today, we’re going to look at using Azure Key Vault to manage the keys for TLS offloading.
Much like how NGINXaaS for Azure takes care of managing the underlying infrastructure to run NGINX Plus instances, Azure Key Vault manages key storage, including secure Hardware Security Modules (HSMs), to keep sensitive cryptographic material secure and away from prying eyes. NGINXaaS for Azure integrates with Azure Key Vault to manage your TLS keys in a secure manner.
We’ll pick up where we left off from our previous article; we’ve configured an NGINXaaS for Azure instance, and we have it load balancing to a pool of backend servers.
To use Azure Key Vault, we need to authorize our NGINX instance to access the appropriate key material. We do this with a Managed Identity (MI). To create the identity:
We then need to ensure that our MI has the correct permissions to use the vault. Our vault uses Access Policies rather than RBAC, so our process is:
If you are using RBAC, the process is similar, but you need to give your MI the “Key Vault Secrets User” or higher role in the vault’s IAM menu.
Now that we have our vault access set up, we can assign our Managed Identity to our NGINX instance and use a certificate from that vault in our NGINX config. Like last time, I won’t be screenshotting every click, but full documentation is available at the official NGINX docs.
Now to configure the certificate:
From here it’s just like configuring TLS offload on any NGINX instance. Listen on 443, and specify the ssl_certificate and ssl_certificate_key paths we created above.
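As an added illustration (not configuration from the original article), here is what that TLS offload server block looks like in front of the backend pool from the previous article. The certificate and key paths, the upstream addresses and the server name are assumed placeholders: in NGINXaaS for Azure the paths are whatever you entered when you added the Key Vault certificate to the deployment.

```nginx
# Backend pool from the earlier load-balancing article (addresses are assumed).
upstream backend_pool {
    zone backend_pool 64k;
    server 10.0.1.4:80;
    server 10.0.1.5:80;
}

# Plain-HTTP listener only redirects, so clients never send traffic unencrypted.
server {
    listen 80;
    server_name app.example.com;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname

    # These paths must match the certificate path and key path configured on the
    # NGINXaaS deployment for the Key Vault certificate (assumed values here).
    ssl_certificate     /etc/nginx/ssl/app.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/app.example.com.key;

    # Modern protocol/cipher baseline; let TLS 1.3 clients use its own suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    location / {
        proxy_pass http://backend_pool;
        # Tell the backends the original request was TLS-terminated here.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The private key never appears in this file or in the uploaded configuration archive; NGINXaaS retrieves it from Key Vault using the Managed Identity and places it at the configured path.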
Now let’s test it out: I got the red lock here because I used a self-signed certificate, but the fingerprint matches what’s in Azure Key Vault.
While we could have just uploaded our certificate and key with the configuration set, that archive would then contain sensitive key material and would itself need to be protected. Using NGINXaaS for Azure with Azure Key Vault provides a secure way to manage your TLS secrets. Stay tuned to learn more advanced features of NGINXaaS for Azure.