Forum Discussion

1311archit
Copper Contributor
Aug 29, 2024

Firewall TLS Inspection With AKS

I was working with Azure Firewall TLS inspection with Azure AKS. I deployed the following test infra:
- AKS
- NGINX Ingress Controller with an internal load balancer.
- cert-manager with Let's Encrypt.
- Sample Hello World application with TLS from cert-manager, using the ingress-nginx controller.
- Azure Firewall with application, network and DNAT rules.
- DNAT rules pointing to the Azure Load Balancer private IP.
- DNS zone with an A record pointing to the public IP attached to the Azure Firewall.

At first I didn't enable TLS inspection and my test site was working with the Let's Encrypt SSL certificate. But when I enabled TLS inspection I should have got the Azure Firewall generated certificate present in Key Vault, but I was still getting the Let's Encrypt certificate on my site. I am not able to figure out why it is not working.

2 Replies

  • 1311archit

    Please take a look at Certificate Trust, Firewall Configuration, Key Vault Integration, DNS Configuration, Application Gateway and finally Logs and Diagnostics.

  • Firewall Rules: Ensure that the Azure Firewall rules are correctly configured to handle TLS traffic and that the inspection policies are applied to the relevant traffic flows.
    DNS and Routing: Confirm that DNS records and routing rules are correctly pointing to the Azure Firewall's public IP, and that there are no misconfigurations causing traffic to bypass the firewall.
    SSL/TLS Certificates: Verify that the Azure Firewall's SSL/TLS inspection is properly configured and that the certificate chain is correctly set up. This includes checking that the Azure Firewall certificate is correctly placed in the Key Vault and is accessible.
    Application Gateway Integration: If using an internal load balancer with the NGINX Ingress Controller, make sure the integration with Azure Firewall is correctly set up to allow inspection.
    Client Browser Cache: Sometimes browsers cache certificates. Try clearing the browser cache or using a different browser to see if the issue persists.
    TLS Inspection Policies: Ensure that the TLS inspection policies are correctly configured and applied in the Azure Firewall to intercept and inspect the traffic.
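Editor's note, added to this thread and not written by either poster: Azure Firewall Premium performs TLS inspection through application rules that have TLS termination enabled, which covers outbound and east-west flows. A DNAT rule forwards the inbound TCP stream to the load balancer without terminating it, so a client connecting to the firewall's public IP receives whatever certificate the backend serves, here the cert-manager / Let's Encrypt certificate on ingress-nginx. Inbound TLS inspection in Azure is the job of Application Gateway, not of the firewall's DNAT path. The shell script below is an added example for verifying both sides of that picture: which issuer the client actually sees, whether the policy has a CA and which rules carry `terminateTLS`, and what the structured `AZFWApplicationRule` log records in `IsTlsInspected`. The policy name, resource group, hostname, CA common name and Log Analytics workspace are placeholders, and structured firewall logs are assumed to be enabled.

```shell
#!/usr/bin/env bash
# Added example for this thread (not posted by any participant).
# Assumptions (placeholders, not values from the thread):
#   POLICY / RG : name and resource group of the Azure Firewall Policy
#   HOST        : the FQDN whose A record points at the firewall's public IP
#   FW_CA_CN    : CN of the intermediate CA certificate stored in Key Vault
#   WORKSPACE   : Log Analytics workspace receiving structured firewall logs
set -u

# Classify an `openssl x509 -noout -issuer` line: was the leaf minted by the
# firewall's CA, or is it still the cert-manager / Let's Encrypt chain?
# Prints one of: letsencrypt, firewall-ca, other.
classify_issuer() {
  issuer="$1"; fw_ca_cn="${2:-}"
  case "$issuer" in
    *"Let's Encrypt"*) echo letsencrypt; return 0 ;;
  esac
  if [ -n "$fw_ca_cn" ]; then
    case "$issuer" in
      *"$fw_ca_cn"*) echo firewall-ca; return 0 ;;
    esac
  fi
  echo other
}

# Fetch the issuer of the leaf certificate a client actually receives.
# -servername matters: both the firewall and ingress-nginx pick the cert by SNI.
served_issuer() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Firewall-side configuration that must be in place for TLS inspection.
show_fw_tls_config() {
  policy="$1"; rg="$2"
  # 1. The CA the policy mints certificates with (Key Vault secret reference).
  az network firewall policy show -n "$policy" -g "$rg" \
    --query transportSecurity.certificateAuthority -o json
  # 2. Only application rules carry terminateTLS. DNAT rules have no such
  #    setting: traffic arriving through DNAT is forwarded, not inspected.
  az network firewall policy rule-collection-group list --policy-name "$policy" -g "$rg" \
    --query "[].ruleCollections[].rules[?ruleType=='ApplicationRule'][].{rule:name,terminateTLS:terminateTLS,fqdns:targetFqdns}" \
    -o table
}

# Structured logs (assumed enabled): AZFWApplicationRule records, per flow,
# whether the firewall actually inspected TLS. Inbound DNAT flows will not
# appear here with IsTlsInspected == true.
tls_inspected_flows() {
  workspace="$1"; fqdn="$2"
  az monitor log-analytics query -w "$workspace" --analytics-query \
    "AZFWApplicationRule | where Fqdn == '$fqdn' | summarize count() by IsTlsInspected, Action, Rule" \
    -o table
}

# Usage (needs network access and `az login`; not executed when sourced):
#   classify_issuer "$(served_issuer hello.example.com)" "Contoso Firewall Intermediate CA"
#   show_fw_tls_config my-fw-policy my-rg
#   tls_inspected_flows <workspace-id> hello.example.com
```

If `classify_issuer` reports `letsencrypt` for the hostname that resolves to the firewall, the TLS session is being terminated by ingress-nginx and the firewall is only forwarding packets; the second and third checks then show whether any application rule with `terminateTLS` is matching at all.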