How to Encrypt Data in Transit with Azure Application Gateway

November 30, 2023 · 6 min read

Encrypting data in transit protects sensitive information as it moves between the client and the server. Azure Application Gateway is a layer-7 load balancer that can terminate TLS for your web applications: it decrypts the client connection, inspects the request (and filters it, if you use the WAF tier), then forwards it to your backend servers. Termination alone only covers the hop from the client to the gateway; the hop from the gateway to the backend is plaintext HTTP unless you also configure end-to-end TLS in the backend settings (Step 5).

Below is a step-by-step guide to setting up encryption in transit with Azure Application Gateway, first at the listener and then end to end.

Prerequisites

  • An Azure subscription: If you do not have one, create a free account before you begin.
  • A Virtual Network (VNet): The Application Gateway needs a dedicated subnet of its own, in a VNet from which it can reach your backends (the same VNet, a peered VNet, or on-premises via VPN/ExpressRoute).
  • Backend targets: The VMs, App Service web apps, Azure Kubernetes Service (AKS) services, or IP addresses/FQDNs that host the application you want to protect.

Step 1: Create a New Application Gateway

  • Navigate to the Azure Portal (https://portal.azure.com).
  • Click on “Create a resource” and search for “Application Gateway” in the marketplace.
  • Select “Application Gateway” and click “Create”.
  • Follow the creation wizard:
    • Basics:
      • Subscription: Select the Azure subscription you want to use.
      • Resource group: Create or select an existing resource group for your Application Gateway.
      • Name: Choose a name for your Application Gateway.
      • Region: Select a region that is close to your users and backend services.
    • Tier: Choose Standard_v2 or WAF_v2. Use the v2 SKUs for new deployments (the v1 Standard and WAF SKUs are being retired); WAF_v2 adds the web application firewall, which can inspect requests only because the gateway terminates TLS.
    • Size: For v2, set a fixed instance count or an autoscaling minimum and maximum that matches your expected load.
    • Frontend IP: Choose public for internet-facing applications or private if you are serving internal traffic only.
    • Continue to configure settings as per your requirements.
  • Complete the wizard and click “Review + create” to deploy your Application Gateway.

Step 2: Configure SSL/TLS Settings

  • Once the Application Gateway is deployed, navigate to its resource page in the Azure Portal.
  • Under the “Settings” section, select “SSL settings” to set the gateway-wide SSL/TLS policy (listener-specific policies can be added later).
  • Choose “Predefined” or “Custom” according to your needs. A predefined policy bundles a minimum protocol version and a fixed cipher-suite list; a custom policy lets you pick the minimum version and the individual cipher suites yourself.
  • Set the minimum TLS version to TLS 1.2. The default predefined policy (AppGwSslPolicy20150501) still permits TLS 1.0 and 1.1, so explicitly select a newer predefined policy such as AppGwSslPolicy20220101 or a custom policy with TLSv1_2 as the minimum; on the v2 SKU, CustomV2 policies also enable TLS 1.3.

Step 3: Upload an SSL Certificate

  • Under the “Settings” section, select “Listeners”.
  • Choose a “Basic” listener for a single domain or a “Multi-site” listener (which matches on the request host name) if you plan to host several domains on one frontend.
  • Click on “Add a listener” and provide a name.
  • Set the “Frontend IP” to the IP configuration you’ve chosen during the creation of the Application Gateway.
  • Under “Protocol”, select “HTTPS”.
  • For “Certificate”, either choose “Upload a certificate” or reference a certificate stored in Azure Key Vault.
  • If uploading, provide the certificate as a .pfx file (it must contain the private key) together with its password. Referencing it from Key Vault is preferable: you never handle the .pfx by hand and rotation happens in one place, but the gateway then needs a user-assigned managed identity with Get permission on the Key Vault secret.
  • Save the listener configuration.

Step 4: Confirm the Certificate Binding on the Listener

  • The certificate is bound when the listener is saved; before going further, confirm that the binding is correct:
    • Navigate to the listener you have just created.
    • Under the “Certificate” section, check that the certificate shown is the one issued for the listener’s host name and that it has not expired.
  • Save the listener configuration if you had to correct anything.

Step 5: Create Backend Pools and HTTP Settings

  • Backend Pools:
    • Navigate to “Backend pools” in the “Settings” section.
    • Create a new backend pool and add your backend servers (VMs, web apps, etc.) to the pool.
  • HTTP Settings (called “Backend settings” in newer portal versions):
    • Click on “HTTP settings” in the “Settings” section.
    • Create a new HTTP setting or select an existing one.
    • Set “Protocol” to “HTTPS” and the backend port to 443 so that the gateway re-encrypts traffic to the backend; with “HTTP” the gateway-to-backend hop travels in plaintext.
    • Tell the gateway how to trust the backend certificate: on the v2 SKU, select “Yes” for “Use well known CA certificate” if the backend certificate chains to a public CA, otherwise upload the backend’s root CA certificate (.cer) as a trusted root certificate; on the v1 SKU, upload the backend server’s public certificate as an authentication certificate instead.
    • Set the host name the gateway sends (override it, or pick it from the backend target) so that it matches a name in the backend certificate; if it does not, the health probe fails and the pool is marked unhealthy.

Step 6: Configure Routing Rules

  • Go to “Rules” under “Settings”.
  • Create a “Basic” or “Path-based” rule depending on your URL path-related needs. On the v2 SKU every rule needs a unique priority (1 to 20000; lower numbers are evaluated first).
  • Select the HTTPS listener you configured earlier.
  • Choose the backend pool that you have set up and the HTTPS backend settings from Step 5. If you keep an HTTP listener on port 80, give its rule a redirect configuration that sends clients to the HTTPS listener rather than pointing it at the backend pool.
  • Save the routing configuration.

Step 7: Validate and Test

  • After setting up all configurations, it’s time to test:
    • Browse to your Application Gateway’s DNS name using “https://”. Use a host name that the certificate covers; browsing to the raw frontend IP will trigger a name-mismatch warning even when the configuration is correct.
    • Ensure that there is a secure connection indication (typically a padlock icon) next to the URL in the browser, and that the backend pool shows as healthy under “Backend health”.
  • Validate the setup with a scanner such as SSL Labs (https://www.ssllabs.com/ssltest/): confirm that TLS 1.0 and 1.1 are reported as not offered, that the certificate chain is complete, and that no weak cipher suites remain.
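The same procedure as an Azure CLI script, added here as an example and not part of the original article. It covers Steps 1 to 7 in order: a Standard_v2 gateway with a Key Vault-backed HTTPS listener, a TLS 1.2 minimum policy, end-to-end TLS to the backend with an uploaded private root CA, an HTTP-to-HTTPS redirect rule, and an openssl check of the result. The resource group, gateway, VNet, subnet, public IP, managed identity, backend IPs, host names and Key Vault secret ID are assumed placeholder values; replace them with your own. Every az call goes through a run() wrapper so that, with DRY_RUN=1 set, the commands are printed instead of executed and the sequence can be reviewed without a subscription.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: Steps 1-7 as Azure CLI calls.
# All resource names, IP addresses, host names and the Key Vault secret ID are
# assumed placeholders; replace them with your own values.
# Every az invocation goes through run(). With DRY_RUN=1 the command is printed
# instead of executed; unset DRY_RUN to deploy for real (needs a logged-in az CLI).

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

RG=${RG:-rg-appgw}                # assumed resource group
GW=${GW:-appgw-prod}              # assumed gateway name
LOCATION=${LOCATION:-westeurope}

# Steps 1 and 3: Standard_v2 gateway, public frontend, autoscale 1-3 instances, and an
# HTTPS listener on 443 whose .pfx is read from Key Vault through a user-assigned
# managed identity (UAMI_ID) that must hold Get permission on the secret.
# Backend settings are created as HTTPS/443 right away. --priority is mandatory on v2.
create_gateway() {
  run az network application-gateway create \
    --resource-group "$RG" --name "$GW" --location "$LOCATION" \
    --sku Standard_v2 --min-capacity 1 --max-capacity 3 \
    --vnet-name vnet-app --subnet snet-appgw --public-ip-address pip-appgw \
    --identity "${UAMI_ID:?set UAMI_ID to the user-assigned identity resource ID}" \
    --frontend-port 443 \
    --key-vault-secret-id "${SITE_CERT_SECRET_ID:?set SITE_CERT_SECRET_ID to the Key Vault secret ID of the .pfx}" \
    --http-settings-port 443 --http-settings-protocol Https \
    --servers 10.0.1.4 10.0.1.5 --priority 100
}

# Step 2: the default policy (AppGwSslPolicy20150501) still allows TLS 1.0/1.1;
# AppGwSslPolicy20220101 raises the minimum to TLS 1.2.
set_tls_policy() {
  run az network application-gateway ssl-policy set \
    --resource-group "$RG" --gateway-name "$GW" \
    --policy-type Predefined --name AppGwSslPolicy20220101
}

# Step 5: end-to-end TLS. The gateway verifies the backend certificate against an
# uploaded root CA (.cer, a private PKI in this example) and sends a Host header that
# must match a name in that certificate. appGatewayBackendHttpSettings is the default
# name that 'application-gateway create' assigns.
configure_backend_tls() {
  run az network application-gateway root-cert create \
    --resource-group "$RG" --gateway-name "$GW" --name backend-root \
    --cert-file ./backend-root-ca.cer
  run az network application-gateway http-settings update \
    --resource-group "$RG" --gateway-name "$GW" --name appGatewayBackendHttpSettings \
    --protocol Https --port 443 --host-name app.internal.example.com \
    --root-certs backend-root
}

# Step 6: keep port 80 open only to send clients to HTTPS with a 301. The redirect
# rule needs its own unique priority; appGatewayHttpListener and appGatewayFrontendIP
# are the default names from 'application-gateway create'.
add_http_redirect() {
  run az network application-gateway frontend-port create \
    --resource-group "$RG" --gateway-name "$GW" --name port80 --port 80
  run az network application-gateway http-listener create \
    --resource-group "$RG" --gateway-name "$GW" --name http-listener \
    --frontend-port port80 --frontend-ip appGatewayFrontendIP
  run az network application-gateway redirect-config create \
    --resource-group "$RG" --gateway-name "$GW" --name http-to-https \
    --type Permanent --target-listener appGatewayHttpListener \
    --include-path true --include-query-string true
  run az network application-gateway rule create \
    --resource-group "$RG" --gateway-name "$GW" --name http-redirect \
    --rule-type Basic --priority 200 \
    --http-listener http-listener --redirect-config http-to-https
}

# Step 7: probe the public name with openssl. TLS 1.1 must be refused by the gateway
# and TLS 1.2 must succeed with a verified chain. SECLEVEL=0 lets an OpenSSL 3 client
# actually attempt TLS 1.1; without it the client refuses locally and the check says nothing.
check_tls() {
  host=$1
  if printf '' | openssl s_client -connect "$host:443" -servername "$host" \
       -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' >/dev/null 2>&1; then
    echo "FAIL: $host still negotiates TLS 1.1"; return 1
  fi
  printf '' | openssl s_client -connect "$host:443" -servername "$host" -tls1_2 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)' || { echo "FAIL: no verified TLS 1.2 session to $host"; return 1; }
  echo "OK: $host refuses TLS 1.1 and serves TLS 1.2 with a valid chain"
}

# Typical order:  create_gateway && set_tls_policy && configure_backend_tls && \
#                 add_http_redirect && check_tls www.example.com
```

Run the functions in the order shown in the closing comment; the gateway creation takes several minutes. Because the default backend settings are switched to HTTPS before a health probe against the backend certificate succeeds, the pool will show as unhealthy until the backend presents a certificate that chains to backend-root-ca.cer and carries the configured host name.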

Final Thoughts

Encrypting data in transit with Azure Application Gateway protects your users’ traffic from eavesdropping between the client and the gateway, and, once the backend settings use HTTPS with a trusted backend certificate, all the way to the servers. By following these steps you enable TLS termination with a TLS 1.2 minimum and have the option of end-to-end encryption by re-encrypting traffic before it reaches the backend. Afterwards, keep the configuration healthy: rotate certificates before they expire (Key Vault references make this a one-place change), watch the backend health view so a certificate or host-name mismatch does not silently take the pool offline, rescan the endpoint after policy changes, and revisit the TLS policy as cipher suites and protocol versions are deprecated.