Configurare la terminazione SSL con Key Vault certificati utilizzando Azure PowerShellConfigure SSL termination with Key Vault certificates by using Azure PowerShell

Azure Key Vault è un archivio segreto gestito dalla piattaforma che è possibile usare per proteggere i segreti, le chiavi e i certificati SSL.Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and SSL certificates. Applicazione Azure gateway supporta l'integrazione con Key Vault (in anteprima pubblica) per i certificati del server collegati ai listener abilitati per HTTPS.Azure Application Gateway supports integration with Key Vault (in public preview) for server certificates that are attached to HTTPS-enabled listeners. Questo supporto è limitato allo SKU V2 del gateway applicazione.This support is limited to the v2 SKU of Application Gateway.

Per ulteriori informazioni, vedere terminazione SSL con Key Vault Certificates.For more information, see SSL termination with Key Vault certificates.

Questo articolo illustra come usare uno script di Azure PowerShell per integrare l'insieme di credenziali delle chiavi con il gateway applicazione per i certificati di terminazione SSL.This article shows you how to use an Azure PowerShell script to integrate your key vault with your application gateway for SSL termination certificates.

Questo articolo richiede Azure PowerShell modulo 1.0.0 o versione successiva.This article requires Azure PowerShell module version 1.0.0 or later. Per trovare la versione, eseguire Get-Module -ListAvailable Az.To find the version, run Get-Module -ListAvailable Az. Se è necessario eseguire l'aggiornamento, vedere Installare e configurare Azure PowerShell.If you need to upgrade, see Install Azure PowerShell module. Per eseguire i comandi in questo articolo, è anche necessario creare una connessione con Azure eseguendo Connect-AzAccount.To run the commands in this article, you also need to create a connection with Azure by running Connect-AzAccount.

Se non si ha una sottoscrizione di Azure, creare un account gratuito prima di iniziare.If you don't have an Azure subscription, create a free account before you begin.

PrerequisitesPrerequisites

Prima di iniziare, è necessario che sia installato il modulo ManagedServiceIdentity:Before you begin, you must have the ManagedServiceIdentity module installed:

Install-Module -Name Az.ManagedServiceIdentity
Connect-AzAccount
Select-AzSubscription -Subscription <your subscription>

Script di esempioExample script

Configurare le variabiliSet up variables

$rgname = "KeyVaultTest"
$location = "East US"
$kv = "TestKeyVaultAppGw"
$appgwName = "AppGwKVIntegration"

Creare un gruppo di risorse e un'identità gestita dall'utenteCreate a resource group and a user-managed identity

$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
$identity = New-AzUserAssignedIdentity -Name "appgwKeyVaultIdentity" `
  -Location $location -ResourceGroupName $rgname

Creare un insieme di credenziali delle chiavi, un criterio e un certificato da usare con il gateway applicazioneCreate a key vault, policy, and certificate to be used by the application gateway

$keyVault = New-AzKeyVault -Name $kv -ResourceGroupName $rgname -Location $location -EnableSoftDelete 
Set-AzKeyVaultAccessPolicy -VaultName $kv -PermissionsToSecrets get -ObjectId $identity.PrincipalId

$policy = New-AzKeyVaultCertificatePolicy -ValidityInMonths 12 `
  -SubjectName "CN=www.contoso11.com" -IssuerName self `
  -RenewAtNumberOfDaysBeforeExpiry 30
Set-AzKeyVaultAccessPolicy -VaultName $kv -EmailAddress <your email address> -PermissionsToCertificates create,get,list
$certificate = Add-AzKeyVaultCertificate -VaultName $kv -Name "cert1" -CertificatePolicy $policy
$certificate = Get-AzKeyVaultCertificate -VaultName $kv -Name "cert1"
$secretId = $certificate.SecretId.Replace($certificate.Version, "")

Nota

Per il corretto funzionamento della terminazione SSL, è necessario usare il flag-EnableSoftDelete.The -EnableSoftDelete flag must be used for SSL termination to function properly.

Crea rete virtualeCreate a virtual network

$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzvirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
  -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

Creare un indirizzo IP virtuale pubblico (VIP) staticoCreate a static public virtual IP (VIP) address

$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name "AppGwIP" `
  -location $location -AllocationMethod Static -Sku Standard

Creare porte del pool e front-endCreate pool and front-end ports

$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
  -BackendIPAddresses testbackend1.westus.cloudapp.azure.com, testbackend2.westus.cloudapp.azure.com
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 443
$fp02 = New-AzApplicationGatewayFrontendPort -Name "port2" -Port 80

Puntare il certificato SSL all'insieme di credenziali delle chiaviPoint the SSL certificate to your key vault

$sslCert01 = New-AzApplicationGatewaySslCertificate -Name "SSLCert1" -KeyVaultSecretId $secretId

Creare listener, regole e scalabilità automaticaCreate listeners, rules, and autoscale

$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Https `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $sslCert01
$listener02 = New-AzApplicationGatewayHttpListener -Name "listener2" -Protocol Http `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp02
$poolSetting01 = New-AzApplicationGatewayBackendHttpSetting -Name "setting1" -Port 80 `
  -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool
$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "rule2" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener02 -BackendAddressPool $pool
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2

Assegnare l'identità gestita dall'utente al gateway applicazioneAssign the user-managed identity to the application gateway

$appgwIdentity = New-AzApplicationGatewayIdentity -UserAssignedIdentityId $identity.Id

Creare il gateway applicazioneCreate the application gateway

$appgw = New-AzApplicationGateway -Name $appgwName -Identity $appgwIdentity -ResourceGroupName $rgname `
  -Location $location -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 `
  -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
  -FrontendPorts @($fp01, $fp02) -HttpListeners @($listener01, $listener02) `
  -RequestRoutingRules @($rule01, $rule02) -Sku $sku `
  -SslCertificates $sslCert01 -AutoscaleConfiguration $autoscaleConfig

Passaggi successiviNext steps

Altre informazioni sulla terminazione SSLLearn more about SSL termination