Blog Post

Apps on Azure Blog
2 MIN READ

End-to-end (E2E) TLS Encryption (Preview) on Linux Multi-Tenant App Service Resources

YutangLin's avatar
YutangLin
Icon for Microsoft rankMicrosoft
Nov 08, 2023
End-to-end (E2E) TLS encryption for intra-cluster traffic between App Service front-ends and workers is now in Preview for Linux resources on Standard App Service Plans and above.     To better u...
Updated Nov 08, 2023
Version 3.0
application modernization
azure app service
azure functions
azure logic apps
azure paas
modern apps
updates
web apps
crosenblatt's avatar
crosenblatt
Icon for Microsoft rankMicrosoft
Feb 02, 2024

Alexliard , the way it works is that when e2e TLS is enabled traffic is encrypted whenever it's "on the wire" between VMs. To give you a high level, traditionally TLS is negotiated only between the client and App Service load balancers. Then the load balancers proxy plain-text traffic to the backend workers. With e2e TLS, the load balancer => worker traffic is encrypted with TLS. However, when the request arrives on your worker, it does not go directly to your app but rather to another reverse proxy which forwards to your app (hosted on the same VM). This final hop is still plain text because it is no longer going off the box. The benefit is you get all the benefits of e2e TLS but still do not need to manage certificates, etc. Makes sense?