Enable ingress-to-app TLS for an application

This article applies to: ✔️ Standard tier ✔️ Enterprise tier

Note

This feature is not available in Basic tier.

This article describes secure communications in Azure Spring Cloud. The article also explains how to enable ingress-to-app SSL/TLS to secure traffic from an ingress controller to applications that support HTTPS.

The following picture shows the overall secure communication support in Azure Spring Cloud.

Screenshot of secured T L S flow in Azure Spring Cloud.

Secure communication model within Azure Spring Cloud

This section explains the secure communication model shown in the overview diagram above.

  1. The client request from the client to the application in Azure Spring Cloud comes into the ingress controller. The request can be either HTTP or HTTPS. The TLS certificate returned by the ingress controller is issued by the Microsoft Azure TLS issuing CA.

    If the app has been mapped to an existing custom domain and is configured as HTTPS only, the request to the ingress controller can only be HTTPS. The TLS certificate returned by the ingress controller is the SSL binding certificate for that custom domain. The server side SSL/TLS verification for the custom domain is done in the ingress controller.

  2. The secure communication between the ingress controller and the applications in Azure Spring Cloud are controlled by the ingress-to-app TLS. You can also control the communication through the portal or CLI, which will be explained later in this article. If ingress-to-app TLS is disabled, the communication between the ingress controller and the apps in Azure Spring Cloud is HTTP. If ingress-to-app TLS is enabled, the communication will be HTTPS and has no relation to the communication between the clients and the ingress controller. The ingress controller won't verify the certificate returned from the apps because the ingress-to-app TLS encrypts the communication.

  3. Communication between the apps and the Azure Spring Cloud services is always HTTPS and handled by Azure Spring Cloud. Such services include config server, service registry, and Eureka server.

  4. You manage the communication between the applications. You can also take advantage of Azure Spring Cloud features to load certificates into the application's trust store. For more information, see Use TLS/SSL certificates in an application.

  5. You manage the communication between applications and external services. To reduce your development effort, Azure Spring Cloud helps you manage your public certificates and loads them into your application's trust store. For more information, see Use TLS/SSL certificates in an application.

Enable ingress-to-app TLS for an application

The following section shows you how to enable ingress-to-app SSL/TLS to secure traffic from an ingress controller to applications that support HTTPS.

Prerequisites

Enable ingress-to-app TLS on an existing app

Use the command az spring-cloud app update --enable-ingress-to-app-tls to enable or disable ingress-to-app TLS for an app.

az spring-cloud app update --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name
az spring-cloud app update --enable-ingress-to-app-tls false -n app_name -s service_name -g resource_group_name

Enable ingress-to-app TLS when you bind a custom domain

Use the command az spring-cloud app custom-domain update --enable-ingress-to-app-tls or az spring-cloud app custom-domain bind --enable-ingress-to-app-tls to enable or disable ingress-to-app TLS for an app.

az spring-cloud app custom-domain update --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name
az spring-cloud app custom-domain bind --enable-ingress-to-app-tls -n app_name -s service_name -g resource_group_name

Enable ingress-to-app TLS using the Azure portal

To enable ingress-to-app TLS in the Azure portal, first create an app, and then enable the feature.

  1. Create an app in the portal as you normally would. Navigate to it in the portal.
  2. Scroll down to the Settings group in the left navigation pane.
  3. Select Ingress-to-app TLS.
  4. Switch Ingress-to-app TLS to Yes.

Screenshot showing where to enable Ingress-to-app TLS in portal.

Verify ingress-to-app TLS status

Use the command az spring-cloud app show to check the value of enableEndToEndTls.

az spring-cloud app show -n app_name -s service_name -g resource_group_name

Next steps