Much like how NGINXaaS for Azure takes care of managing the underlying infrastructure to run NGINX Plus instances, Azure Key Vault manages key storage, including secure Hardware Security Modules (HSMs), to keep sensitive cryptographic material secure and away from prying eyes. NGINXaaS for Azure integrates with Azure Key Vault to manage your TLS keys in a secure manner.
We’ll pick up where we left off from our previous article; we’ve configured an NGINXaaS for Azure instance, and we have it load balancing to a pool of backend servers.
[Figure: NGINX for Azure Diagram]
Creating a Managed Identity
To use Azure Key Vault, we need to authorize our NGINX instance to access the appropriate key material. We do this with a Managed Identity (MI). To create the identity:
Search for “Managed Identities” in the top search bar
Select a resource group and region for the identity
Give the identity a name
Click “Review and Create”, then “Create”
[Figure: Create a Managed Identity]
We then need to ensure that our MI has the correct permissions to use the vault. Our vault uses Access Policies rather than RBAC, so our process is:
Open the key vault and select “Access Policies” from the left-hand menu
Select the “GET” Secrets permission and click “Next”
Select the Managed Identity for our NGINX instance as the Principal
Click through to finish creating the Access Policy
[Figure: Azure Key Vault Access Policy]
If you are using RBAC, the process is similar, but you need to give your MI the “Key Vault Secrets User” role (or higher) in the vault’s IAM menu.
Now that we have our vault access set up, we can assign our Managed Identity to our NGINX instance and use a certificate from that vault in our NGINX config. Like last time, I won’t be screenshotting every click, but full documentation is available at the official NGINX docs.
From your NGINX instance, click “Identity” from the left-hand menu
Select the Managed Identity, and click “Add”
[Figure: Add User Assigned MI]
Now to configure the certificate:
Click “NGINX Certificates” from the left-hand menu
Click “Add Certificate”
Give the certificate a name
Specify the path to where your NGINX config will find the certificate and key
Select the key vault and certificate that you wish to use
[Figure: Add Certificate to NGINX Instance]
From here it’s just like configuring TLS offload on any NGINX instance: listen on 443 with SSL enabled, and point ssl_certificate and ssl_certificate_key at the paths we specified above.
[Figure: NGINX TLS configuration]
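As an added example (not the article’s own configuration), here is a minimal server block that does what the screenshot shows. The certificate and key paths are the ones entered under “NGINX Certificates”; the upstream name, backend addresses and hostname are assumptions standing in for the pool from the previous article.

```nginx
# Added example, not from the article. Paths, upstream name, addresses and
# hostname are assumptions; only the ssl_certificate / ssl_certificate_key
# paths must match what was entered when the certificate was added.
upstream backend {
    server 10.0.1.4:80;   # assumed backend pool from the previous article
    server 10.0.1.5:80;
}

server {
    listen 443 ssl;
    server_name www.example.com;   # placeholder hostname

    # NGINXaaS fetches the material from Key Vault and places it at these paths;
    # nothing is uploaded with the configuration set.
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Send plaintext requests to the TLS listener so clients do not keep talking HTTP.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

If the paths in ssl_certificate and ssl_certificate_key differ from those given when adding the certificate to the instance, the configuration will fail to load, because the key material is only ever written to the paths registered in the portal.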
Now let’s test it out. I got the red lock here because I used a self-signed certificate, but the fingerprint matches what’s in Azure Key Vault.
[Figure: TLS Browsing Result]
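The fingerprint comparison done by eye in the browser can be scripted. The following is an added example (not from the article) that fetches the certificate actually served by the endpoint and compares its SHA-1 thumbprint with the one Key Vault reports for the certificate object; it assumes the `openssl` and `az` CLIs are installed and that `az login` has been done. The hostname, vault name and certificate name passed to `verify_endpoint` are placeholders.

```shell
#!/bin/sh
# Added example, not from the article. Compares the SHA-1 thumbprint of the
# certificate served by an NGINXaaS endpoint with the thumbprint Key Vault
# records for the certificate object (the az CLI exposes it as x509ThumbprintHex).

# Strip colons and upper-case, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# SHA-1 fingerprint of a PEM certificate file, normalized.
pem_sha1_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//')"
}

# Fetch the leaf certificate served at host:port (SNI set to host) as PEM.
served_cert_pem() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Thumbprint recorded for the certificate object in Key Vault (requires az login).
keyvault_thumbprint() {
    normalize_fp "$(az keyvault certificate show --vault-name "$1" --name "$2" \
        --query x509ThumbprintHex -o tsv)"
}

# Returns 0 when both fingerprints are non-empty and identical after normalizing.
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: verify_endpoint <host> <port> <vault-name> <cert-name>
verify_endpoint() {
    tmp=$(mktemp)
    served_cert_pem "$1" "$2" > "$tmp"
    served=$(pem_sha1_fingerprint "$tmp")
    rm -f "$tmp"
    vault=$(keyvault_thumbprint "$3" "$4")
    if fingerprints_match "$served" "$vault"; then
        echo "OK: served certificate matches Key Vault ($served)"
    else
        echo "MISMATCH: served=$served keyvault=$vault" >&2
        return 1
    fi
}

# Placeholder values; substitute the NGINXaaS hostname, vault and certificate name.
# verify_endpoint www.example.com 443 my-vault my-cert
```

A mismatch usually means the instance is still serving a previously cached certificate after a rotation in Key Vault, or that the configuration points at a different certificate object than intended; either way it is worth checking before trusting the green lock.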
While we could have just uploaded our certificate and key with the configuration set, that archive would then contain sensitive key material and would itself need to be protected. Using NGINXaaS for Azure with Azure Key Vault provides a secure way to manage your TLS secrets. Stay tuned to learn more advanced features of NGINXaaS for Azure.