Application-gateway

What Is SSL Termination?

SSL termination is a process by which SSL-encrypted data traffic is decrypted (or offloaded). Servers with a secure socket layer (SSL) connection can simultaneously handle many connections or sessions. An SSL connection sends encrypted data between an end-user’s computer and web server by using a certificate for authentication. SSL termination helps speed the decryption process and reduces the processing burden on backend servers.

How Does SSL Termination Work?

SSL termination intercepts encrypted https traffic when a server receives data from a secure socket layer (SSL) connection in an SSL session. SSL termination or SSL offloading decrypts and verifies data on the load balancer instead of the application server. Spared of having to organize incoming connections, the server can prioritize on other tasks like loading web pages. This helps increase server speed. SSL termination represents the end — or termination point — of an SSL connection.


What is SSL Termination Load Balancer?

SSL termination at load balancer is desired because decryption is resource and CPU intensive. Putting the decryption burden on the load balancer enables the server to spend processing power on application tasks, which helps improve performance. It also simplifies the management of SSL certificates.

SSLTLS
SSL stands for Secure Socket Layer.TLS stands for Transport Layer Security.
SSL (Secure Socket Layer) supports the Fortezza algorithm.TLS (Transport Layer Security) does not support the Fortezza algorithm.
SSL (Secure Socket Layer) is the 3.0 version.TLS (Transport Layer Security) is the 1.0 version.
In SSL( Secure Socket Layer), the Message digest is used to create a master secret.In TLS(Transport Layer Security), a Pseudo-random function is used to create a master secret.
In SSL( Secure Socket Layer), the Message Authentication Code protocol is used.In TLS(Transport Layer Security), Hashed Message Authentication Code protocol is used.
SSL (Secure Socket Layer) is more complex than TLS(Transport Layer Security).TLS (Transport Layer Security) is simple.
SSL (Secure Socket Layer) is less secured as compared to TLS(Transport Layer Security).TLS (Transport Layer Security) provides high security.
SSL is less reliable and slower.TLS is highly reliable and upgraded. It provides less latency.
SSL has been depreciated.TLS is still widely used.
SSL uses port to set up explicit connection.TLS uses protocol to set up implicit connection.    

TLS termination

Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. There are a number of advantages of doing TLS termination at the application gateway:

  • Improved performance – The biggest performance hit when doing TLS decryption is the initial handshake. To improve performance, the server doing the decryption caches TLS session IDs and manages TLS session tickets. If this is done at the application gateway, all requests from the same client can use the cached values. If it’s done on the backend servers, then each time the client’s requests go to a different server the client must reauthenticate. The use of TLS tickets can help mitigate this issue, but they aren't supported by all clients and can be difficult to configure and manage.
  • Better utilization of the backend servers – SSL/TLS processing is very CPU intensive, and is becoming more intensive as key sizes increase. Removing this work from the backend servers allows them to focus on what they are most efficient at, delivering content.
  • Intelligent routing – By decrypting the traffic, the application gateway has access to the request content, such as headers, URI, and so on, and can use this data to route requests.
  • Certificate management – Certificates only need to be purchased and installed on the application gateway and not all backend servers. This saves both time and money.
To configure TLS termination, a TLS/SSL certificate must be added to the listener. This allows the Application Gateway to decrypt incoming traffic and encrypt response traffic to the client. The certificate provided to the Application Gateway must be in Personal Information Exchange (PFX) format, which contains both the private and public keys. 

For the TLS connection to work, you need to ensure that the TLS/SSL certificate meets the following conditions:

  • That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.
  • That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.

Certificates supported for TLS termination

Application gateway supports the following types of certificates:

  • CA (Certificate Authority) certificate: A CA certificate is a digital certificate issued by a certificate authority (CA)
  • EV (Extended Validation) certificate: An EV certificate is a certificate that conforms to industry standard certificate guidelines. This will turn the browser locator bar green and publish the company name as well.
  • Wildcard Certificate: This certificate supports any number of subdomains based on *.site.com, where your subdomain would replace the *. It doesn’t, however, support site.com, so in case the users are accessing your website without typing the leading "www", the wildcard certificate won't cover that.
  • Self-Signed certificates: Client browsers don't trust these certificates and will warn the user that the virtual service’s certificate isn't part of a trust chain. Self-signed certificates are good for testing or environments where administrators control the clients and can safely bypass the browser’s security alerts. Production workloads should never use self-signed certificates.

Comments

Post a Comment

Popular posts from this blog

Script

# Change time to IST Set-TimeZone -Name “India Standard Time”  # Enable firewall to ping server each other :-   New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4   # PowerShell command to install ISS # install IIS server role   Install-WindowsFeature -name Web-Server -IncludeManagementTools   # remove default htm file   remove-item   C:\inetpub\wwwroot\iisstart.htm   # Add a new htm file that displays server name   Add-Content -Path "C:\inetpub\wwwroot\iisstart.htm" -Value $("Hello World from " + $env:computername)     # Powershell command to install google chrome   $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object     System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = ...
Read more

Landing Zone

What is Azure landing zone   An Azure Landing Zone is a set of best practices and guidelines provided by Microsoft to help organizations establish a well-structured and standardized foundation for deploying workloads and applications in the Microsoft Azure cloud environment. It is essentially a framework that assists organizations in setting up their Azure environment with a focus on key areas such as security, governance, compliance, and operational efficiency. Here are the main aspects and objectives of an Azure Landing Zone: 1. ** Security **: Implementing robust security measures to protect data and resources in Azure, including network security, identity and access management, and compliance with security standards. 2. ** Governance **: Defining and enforcing policies and standards for resource provisioning, naming conventions, and compliance requirements. This ensures that Azure resources are created and managed consistently across the organization. 3. ** Networking **: ...
Read more

Migration

  Prepare a machine for the replication appliance The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components. Configuration server : The configuration server coordinates communications between on-premises and Azure, and manages data replication. Process server : The process server acts as a replication gateway. It receives replication data; optimizes it with caching, compression, and encryption, and sends it to a cache storage account in Azure. Run a test migration When delta replication begins, you can run a test migration for the VMs, before running a full migration to Azure. We highly recommend that you do this at least once for each machine, before you migrate it. Running a test migration checks that migration will work as expected, without impacting the on-premises machines, which remain operational, and continue replicating. Test migration simulates the migration by creating an Azur...
Read more