![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/Azure-Application-Gateway-Protected-Aviatrix-Controller-1.png\")
<\/figure>\n\n\n\nBefore continue on, you need to make sure:<\/p>\n\n\n\n
- Already own your domain name, such as mydomain.com<\/li>
- Already requested SSL certificate for aviatrix controller, such as avx.domain.com, refer to my previous blog post<\/a><\/li>
- Assigned full-chain cert to the aviatrix controller as Server Public Certificate section, refer to this post<\/a> , and this post<\/a> (note, Application gateway doesn’t support self-signed certificate as backend)<\/li>
- In your domain DNS, avx.domain.com is set to point to the Aviatrix controller’s public IP, eg: 20.20.20.10 as shown above<\/li>
- Tested that https:\/\/avx.mydomain.com works as desired<\/li><\/ol>\n\n\n\n
Let’s get started:<\/p>\n\n\n\n
- Application gateway require it’s own subnet, this article<\/a> recommended \/24 subnet, create such subnet in the same vNet where Aviatrix Controller and CoPilot resides.<\/li>
- Fill in basic information to create application gateway<\/li><\/ol>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-11-895x1024.png\")
<\/figure>\n\n\n\n3. Add or use existing public IP for frontends<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-12-1024x373.png\")
<\/figure>\n\n\n\n4. Add the Aviatrix Controller as backend pool<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-13-1024x524.png\")
<\/figure>\n\n\n\n5. Add routing rules<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-14-1024x343.png\")
<\/figure>\n\n\n\n6. Application gateway requires PFX certificate file for the SSL listener , in my previous post of obtaining SSL for Aviatrix controller, I’m using ZeroSSL to obtain SSL certificate. this article<\/a> show how to create a PFX certificate from the three files issued by ZeroSSL:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-15.png\")
<\/figure>\n\n\n\nOn MacOS or Linux:<\/p>\n\n\n\n
cat certificate.crt ca_bundle.crt > full_chain.crt\nopenssl pkcs12 -export -out certificate.p12 -inkey private.key -in full_chain.crt<\/code><\/pre>\n\n\n\nOn Windows:<\/pre>\n\n\n\n
copy \/b certificate.crt + ca_bundle.crt full_chain.crt\nopenssl pkcs12 -export -out certificate.p12 -inkey private.key -in full_chain.crt<\/code><\/pre>\n\n\n\nNote<\/strong>: There is a PowerShell module Posh-ACME<\/a> help you to create all these certificates from an ACME capable certificate authority such as Let’s Encrypt<\/a>.<\/p>\n\n\n\n
Once obtained the PFX certificate, provide it and password through the listener workflow:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-16-1024x838.png\")
<\/figure>\n\n\n\nIn the Backend targets tab, pick backend pool from drop down, then Add new<\/strong> for Backend settings<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-17-1024x858.png\")
<\/figure>\n\n\n\nIn Add Backend setting section, pick HTTPS as backend protocol (assuming your Aviatrix Controller already listen on HTTPS and already using Full-Chain certificate as server public cert.<\/p>\n\n\n\n
One thing to note, if you obtained a certificate from a well known CA (Certificate Authority), then you can pick Yes in Use well known CA certificate, <\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-18-1024x912.png\")
<\/figure>\n\n\n\nIf you are not using a well known CA issued certificate such as your Enterprise CA, you will need to provide Base-64 encoded X.509 (.CER)<\/a> of the root CA cert. The following example shows extracting the root CA cert using a Windows client with Chrome browser:<\/p>\n\n\n\n
Visit your SSL enabled Aviatrix controller, then click on the pad lock<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-19.png\")
<\/figure>\n\n\n\nClick and expand Connection is secure<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-23.png\")
<\/figure>\n\n\n\nClick on Certificate is valid<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-24.png\")
<\/figure>\n\n\n\nThis opens up the server certificate<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-26.png\")
<\/figure>\n\n\n\nClick on Certificate Path<\/strong> tab, certificate is ordered as:<\/p>\n\n\n\n
- Root Certificate Authority
- Intermediate Certificate Authority
- Server Certificate<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-27.png\")
<\/figure>\n\n\n\nSince we need the root CA, we need to double click on Sectigo in this example<\/p>\n\n\n\n
Notice in General <\/strong>tab, issued to and issued by are the same. Root CA is a self signed certificate. Then click on Details <\/strong>tab<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-28.png\")
<\/figure>\n\n\n\nClick on Copy to File…<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-29.png\")
<\/figure>\n\n\n\nClick on Next, then choose Base-64 encoded X.509<\/a><\/strong>. <\/p>\n\n\n\n
This article<\/em><\/a> is an interesting read about the difference of certificate formats.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-30.png\")
<\/figure>\n\n\n\nSave the file as root.cer<\/strong>, goes back to Add Backend setting<\/strong> for Application Gateway, choose No<\/strong> for Use well known CA certificate<\/strong>, and upload root.cer<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-31-1024x971.png\")
<\/figure>\n\n\n\nThis brings back to Add a routing rule workflow<\/strong>, and the Backend settings<\/strong> is now complete, click on Add <\/strong>on bottom of the page<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-33.png\")
<\/figure>\n\n\n\nClick on Next: Tags -> Next: Review + Create -> Create<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-34-1024x574.png\")
<\/figure>\n\n\n\nIf everything goes well, check Application Gateway -> Backend Health, you should see Status healthy<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-35-1024x351.png\")
<\/figure>\n\n\n\nYou may change your Windows Client c:\\windows\\system32\\drivers\\etc\\hosts file to have avx.mydomain.com map to Application Gateway’s public IP. Then reopen browser window try to access https:\/\/avx.mydomain.com<\/p>\n\n\n\n
If this is successful:<\/p>\n\n\n\n
- Update your DNS hosting record, so avx.mydomain.com will map to Application Gateway’s public IP, instead of Aviatrix Controller’s public IP<\/li>
- Enable WAF in detection mode, and gradually enable rules that won’t break Aviatrix Controller’s function<\/li>
- Further lock down aviatrix controller’s network security group by removing your egress public IPs.<\/li><\/ol>\n\n\n\n
Common error, when Aviatrix controller server certificate doesn’t contain full-chain (need both Intermediate CA and Server Certificate)<\/p>\n\n\n\n
The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-36-1024x399.png\")
<\/figure>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Aviatrix controller is already hardened. You may further lock it down with Settings -> Controller -> Access Security -> Controller Security Group Management. The controller would be protected by Security Group allowing access only from Aviatrix Gateways. Customer can add … Continue reading
- Server Certificate<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n
- Intermediate Certificate Authority
- Fill in basic information to create application gateway<\/li><\/ol>\n\n\n\n
- Assigned full-chain cert to the aviatrix controller as Server Public Certificate section, refer to this post<\/a> , and this post<\/a> (note, Application gateway doesn’t support self-signed certificate as backend)<\/li>