Key vault for Application gateway and App service

kaushal parab 26 Reputation points
2024-09-05T08:22:35.5033333+00:00

Hi,

I have a certificate from a well-known CA and it's being used by Application Gateway and App Service. The application is working fine. My query is about Key Vault.

  1. Shall we create 2 different key vaults, 1x for Application Gateway and 1x for App Service, to hold the same certificate? OR
  2. Use a single Key Vault holding the same certificate for Application Gateway and App Service?

What are the pros and cons of both approaches, and what is Microsoft's recommendation, please? Thanks.


1 answer
  1. Ben Gimblett 4,335 Reputation points Microsoft Employee
    2024-09-06T10:33:35.8666667+00:00

    Hi - Because it's a pain to renew SSL certificates if you keep copies in different places, I would always suggest that you have one Key Vault (KV) for the cert (so one place to renew it), and then it's OK to point both the App GW and App Service at the same KV for the certificate dependency.
    I would still have a different KV for each environment, to align with the fact that you should have a different App GW and App Service for each environment.

    In other use cases, for example secrets / keys, try and keep to the general rule of "one key vault per app per environment", where the "app" is a business process. For example, a site hosted in App Service which requires some secrets in KV would benefit from its own KV for extra isolation, very likely in the same resource group.

    In addition:
    * do make use of Key Vault references in App Service
    * do try and use managed identity and RBAC, not the access keys, for Key Vault access
    * use private endpoints for the Key Vault where appropriate (to further limit attack surface area)
    * make use of the fine-grained control plane and data plane permissions available to ensure least privilege and segregation of control

    Hope that helps

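The following Bicep template is an added example for this thread, not code from the answer above or from Microsoft. It applies the answer's recommendations to the questioner's setup: one Key Vault per environment holding the CA-issued certificate, read by both the Application Gateway (through a user-assigned identity) and App Service, with RBAC instead of access policies, public network access disabled, a private endpoint, and role assignments scoped to the vault only. Every resource name, the `environment` and `certificateName` values, and the subnet, plan and principal parameters are hypothetical placeholders; the Application Gateway resource itself and the private DNS zone are assumed to exist and are not shown.

```bicep
// Added example (not from the original thread): one shared Key Vault for the
// TLS certificate, consumed by Application Gateway and App Service, following
// the answer's recommendations. All names/parameters are hypothetical.

param location string = resourceGroup().location
param environment string = 'prod'                    // one vault per environment
param certificateName string = 'public-tls-cert'     // cert already imported into the vault
param privateEndpointSubnetId string                 // existing subnet for the private endpoint (assumption)
param appServicePlanId string                        // existing plan that will bind the cert (assumption)
// Object ID, in your tenant, of the first-party "Microsoft Azure App Service"
// service principal (app ID abfa0a7c-a6b6-4736-8310-5855508787cd). App Service
// uses that principal, not the web app's identity, to import certificates from Key Vault.
param appServicePrincipalObjectId string

// Built-in role "Key Vault Secrets User": data-plane read of secret values only.
// Both consumers fetch the certificate (with private key) through the secrets
// endpoint, so this one least-privilege role covers them: no writes, no keys.
var secretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-shared-tls-${environment}'
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true     // data-plane RBAC instead of access policies
    enableSoftDelete: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'   // only the private endpoint reaches the vault
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'         // lets trusted services (App GW v2, App Service) reach the vault
    }
  }
}

resource vaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'pe-${vault.name}'
  location: location
  properties: {
    subnet: {
      id: privateEndpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'vault'
        properties: {
          privateLinkServiceId: vault.id
          groupIds: [
            'vault'
          ]
        }
      }
    ]
  }
}

// App GW v2 needs a user-assigned identity for Key Vault access.
resource agwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-agw-${environment}'
  location: location
}

resource agwCanReadCert 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, agwIdentity.id, secretsUserRoleId)
  scope: vault                        // scoped to this vault, not the resource group
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: agwIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource appServiceCanReadCert 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, appServicePrincipalObjectId, secretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: appServicePrincipalObjectId
    principalType: 'ServicePrincipal'
  }
}

// App Service imports the certificate from the vault, so renewing the vault
// certificate is the single renewal step for both consumers.
resource appServiceCert 'Microsoft.Web/certificates@2023-01-01' = {
  name: 'cert-${certificateName}-${environment}'
  location: location
  properties: {
    keyVaultId: vault.id
    keyVaultSecretName: certificateName
    serverFarmId: appServicePlanId
  }
  dependsOn: [
    appServiceCanReadCert
  ]
}

// Values for the Application Gateway resource (not shown):
// identity.userAssignedIdentities[agwIdentityId] and
// sslCertificates[].properties.keyVaultSecretId = certificateSecretId.
// The secret URI is unversioned so the gateway picks up renewed versions.
output agwIdentityId string = agwIdentity.id
output certificateSecretId string = '${vault.properties.vaultUri}secrets/${certificateName}'
```

Deploy it once per environment (`environment` drives the vault and identity names), which gives the per-environment separation the answer asks for while keeping a single place to renew the certificate. Application secrets for the site belong in a separate per-app vault rather than this shared certificate vault, consumed from App Service through Key Vault references (`@Microsoft.KeyVault(SecretUri=...)` app settings) with the web app's managed identity granted the same Secrets User role on that vault.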
