Blog Post

Apps on Azure Blog
2 MIN READ

End-to-end (E2E) TLS Encryption (Preview) on Linux Multi-Tenant App Service Resources

YutangLin's avatar
YutangLin
Icon for Microsoft rankMicrosoft
Nov 08, 2023

End-to-end (E2E) TLS encryption for intra-cluster traffic between App Service front-ends and workers is now in Preview for Linux resources on Standard App Service Plans and above.  

 

To better understand the importance of this feature, it would be helpful to understand the current set-up on App Service and how incoming traffic and intra-clusters traffic are handled. Incoming requests to App Service could always be secured with TLS encryption on both multi-tenant and App Service Environments (ASE). However, these incoming HTTPS requests would have TLS terminated on our front-ends and continue as HTTP to the workers running the application workloads. For a few years now, applications running on ASE have had the option to configure and to enable E2E TLS encryption intra-clusters, though this was not an option for the rest of App Service applications running on multi-tenants. 

 

We are excited to announce that with the newest E2E TLS encryption feature, applications running on multi-tenant can also now configure similar intra-cluster TLS encryption set-up which was once only possible on ASE. This means that developers now have the capability to configure multi-tenant applications to encrypt intra-cluster traffic between App Service front-ends and workers running application workloads, thus not have TLS terminated on the front-ends. 

 

What is the default behavior? 

By default, all App Service resources will have their TLS encryption terminated in the front-end. If you would like to enable E2E encryption feature, you just need to update your site property without any additional changes to your application code.  

 

How to enable E2E encryption 

You can configure E2E encryption via ARM or API; Azure portal and CLI experience is currently not yet supported.  

 

Sample API call 

To configure the E2E encryption for your resource on App Service, you will need to update the site property “endToEndEncryptionEnabled”. Refer to the sample API call below. 

 

 

 

 

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2022-03-01 
{ 
    "location": "<region>", 
    "properties": { 
        "endToEndEncryptionEnabled": true 
    } 
} 

 

 

 

 

After successfully configuring your web app to enable E2E encryption, the network traffic between the front-ends and the workers will now be secured with TLS. 

 

What’s next? 

This feature is currently only supported for Linux resources on Standard App Service Plans and above, however, some time early 2024, we will be rolling out support for Windows resources on Standard App Service Plans and above.

Updated Nov 08, 2023
Version 3.0