How to implement end-to-end encryption for the shipping portal application

You want to implement end-to-end encryption for the shipping portal application. Encrypting all data between users and servers will help ensure that no unauthorized user can intercept and read the data.

In this unit, you’ll set up the web application and the application gateway. Next, you’ll create some self-signed SSL certificates and enable encryption in your backend pool to help secure the traffic from the application gateway to your servers.

Last updated: Feb 12, 2023

The following image highlights the elements you’ll configure in this exercise. You’ll be setting up an application gateway by using Azure Application Gateway v2.

Deploy a virtual machine and an application gateway

  1. Open the Azure Cloud Shell in your browser, and log in to the directory with access to the subscription you want to create resources in.
  2. Run the following command in the Cloud Shell to create a variable to store your resource group name, and a resource group for your resources. Replace <resource group name> with a name for your resource group, and <location> with the Azure region you’d like to deploy your resources in.
    export rgName=<resource group name>
    
    az group create --name $rgName --location <location>
    
  3. In Azure Cloud Shell, run the following command to download the source code for the shipping portal.
    git clone https://github.com/MicrosoftDocs/mslearn-end-to-end-encryption-with-app-gateway shippingportal
    
  4. Move to the shippingportal folder.
    cd shippingportal
    
  5. Run the following setup script to create the virtual machine, certificates, and application gateway.
    bash setup-infra.sh
    

     

     

    Note: This script takes several minutes to finish. Allow it to work through multiple processes to unpack and configure the gateway and resources. You should see that the process succeeded with zero warnings and zero errors.

Verify that the web server is configured correctly

  1. Run the following command to display the URL of the web server that the setup script created.
    echo https://"$(az vm show \
      --name webservervm1 \
      --resource-group $rgName \
      --show-details \
      --query [publicIps] \
      --output tsv)"
    
  2. Copy and paste the URL into your web browser, and go to the URL.Your browser will most likely display a warning message similar to the following image. The exact content in the warning message can vary, depending on your browser. The example image is from Microsoft Edge.warning

 

This warning occurs because the web server is configured through a self-signed certificate that can’t be authenticated. On this warning page, look for and select the link to proceed to the website; for example select Go on to the webpage or select Advanced and then Proceed, or the equivalent. The result will take you to the home page for the shipping portal, as shown below. This is a sample app to test that the server is configured correctly.shippingportal

 

Configure the backend pool for encryption

  1. Run the following command to get the private IP address of the virtual machine that’s acting as the web server.
    privateip="$(az vm list-ip-addresses \
      --resource-group $rgName \
      --name webservervm1 \
      --query "[0].virtualMachine.network.privateIpAddresses[0]" \
      --output tsv)"
    
  2. Set up the backend pool for Application Gateway by using the private IP address of the virtual machine.
    az network application-gateway address-pool create \
      --resource-group $rgName \
      --gateway-name gw-shipping \
      --name ap-backend \
      --servers $privateip
    
  3. Upload the certificate for the VM in the backend pool to Application Gateway, as a trusted root certificate. This certificate was generated by the setup script and is stored in the shipping-ssl.crt file.
    az network application-gateway root-cert create \
      --resource-group $rgName \
      --gateway-name gw-shipping \
      --name shipping-root-cert \
      --cert-file server-config/shipping-ssl.crt
    
  4. Configure the HTTP settings to use the certificate.
    az network application-gateway http-settings create \
      --resource-group $rgName \
      --gateway-name gw-shipping \
      --name https-settings \
      --port 443 \
      --protocol Https \
      --host-name $privateip
    
  5. Run the following commands to set the trusted certificate for the backend pool to the certificate installed on the backend VM.
    export rgID="$(az group show --name $rgName --query id --output tsv)"
    
    az network application-gateway http-settings update \
        --resource-group $rgName \
        --gateway-name gw-shipping \
        --name https-settings \
        --set trustedRootCertificates='[{"id": "'$rgID'/providers/Microsoft.Network/applicationGateways/gw-shipping/trustedRootCertificates/shipping-root-cert"}]'
    

You now have a virtual machine running the shipping portal site, and an application gateway. You’ve configured SSL encryption between Application Gateway and your web application server.