Author : MD TAREQ HASSAN | Updated : 2022/02/06

About TLS Inspection Feature

Setup

Root CA certificate and Intermediate CA certificate:

Key Vault:

Managed Identity:

Firewall Policy Setting:

Or, alternatively, let the Firewall create those for you:

Azure Firewall Premium - Enabling TLS inspection with new managed identity, key vault and certificate

Generate Self-signed Certificates Using OpenSSL

Install Chocolatey and then install OpenSSL using Chocolatey:

choco install openssl

Create a folder “workdir” and create the following files in that folder:

openssl.cnf

[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha512
# Without "prompt = no" the entries in req_distinguished_name are read as prompt labels,
# not as values. The -subj arguments in self_signed_cert.ps1 override this section anyway.
prompt              = no

[ req_distinguished_name ]
countryName                     = JP
stateOrProvinceName             = Tokyo
localityName                    = Japan
0.organizationName              = Hovermind
organizationalUnitName          = ITDept
commonName                      = HM
emailAddress                    = hassan@hovermind.com

# Extensions for the self-signed root: a CA that may sign certificates and CRLs.
[ rootCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Extensions for the intermediate: the CA the firewall will use to issue per-site certificates.
# pathlen:1 allows at most one further CA level below it.
[ interCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Extensions for a leaf (server) certificate issued under the intermediate.
[ server_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth

self_signed_cert.ps1

# Create root CA
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -sha256 -days 3650 -out rootCA.crt -subj '/C=US/ST=US/O=Self Signed/CN=Self Signed Root CA' -config openssl.cnf -extensions rootCA_ext

# Create intermediate CA request
openssl req -new -nodes -newkey rsa:4096 -keyout interCA.key -sha256 -out interCA.csr -subj '/C=US/ST=US/O=Self Signed/CN=Self Signed Intermediate CA'

# Sign the intermediate CA request with the root CA (interCA_ext makes the result a CA certificate)
openssl x509 -req -in interCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out interCA.crt -days 3650 -sha256 -extfile openssl.cnf -extensions interCA_ext

# Export the intermediate CA (certificate + private key) into a PFX with an empty password
openssl pkcs12 -export -out interCA.pfx -inkey interCA.key -in interCA.crt -password 'pass:'

Write-Host ""
Write-Host "================"
Write-Host "Successfully generated root and intermediate CA certificates"
Write-Host "   - rootCA.crt/rootCA.key - Root CA public certificate and private key"
Write-Host "   - interCA.crt/interCA.key - Intermediate CA public certificate and private key"
Write-Host "   - interCA.pfx - Intermediate CA pkcs12 package which could be uploaded to Key Vault"
Write-Host "================"

Open PowerShell Core as Admin in workdir and execute the script “./self_signed_cert

[Screenshots: Azure Firewall TLS Termination - Generate Self-signed Certificates Using OpenSSL, steps 1 to 4]
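Before uploading interCA.pfx, it is worth confirming that the generated files form a usable signing chain. The script below is an added example (not part of this page or of the documented Microsoft script); it assumes the file names and the empty PFX export password used by self_signed_cert.ps1 and is pointed at the workdir folder.

```shell
#!/usr/bin/env bash
# Pre-upload sanity checks for the files written by self_signed_cert.ps1 (added example).
# Usage: ./verify_ca_chain.sh <workdir>  (openssl.cnf, rootCA.crt, interCA.crt, interCA.key, interCA.pfx)

# The intermediate must chain to the root and be a CA permitted to sign certificates;
# otherwise the firewall cannot mint per-site leaf certificates with it.
check_intermediate() {
  root=$1; inter=$2
  openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$inter" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# The PFX that goes to Key Vault must carry the private key belonging to interCA.crt:
# compare the hash of the certificate's public key with the public key derived from the PFX key.
check_pfx() {
  pfx=$1; inter=$2
  from_cert=$(openssl x509 -in "$inter" -noout -pubkey | openssl dgst -sha256)
  from_pfx=$(openssl pkcs12 -in "$pfx" -passin pass: -nocerts -nodes 2>/dev/null |
             openssl pkey -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$from_cert" = "$from_pfx" ]
}

# Dry run of what the firewall does during inspection: issue a short-lived leaf under the
# intermediate with the server_ext section and verify the full chain root -> inter -> leaf.
check_leaf_issuance() {
  root=$1; inter=$2; key=$3; cnf=$4; ok=1
  tmp=$(mktemp -d)
  openssl req -new -nodes -newkey rsa:2048 -keyout "$tmp/leaf.key" -out "$tmp/leaf.csr" \
    -subj '/CN=inspection-test.example' -config "$cnf" 2>/dev/null
  openssl x509 -req -in "$tmp/leaf.csr" -CA "$inter" -CAkey "$key" -CAcreateserial \
    -out "$tmp/leaf.crt" -days 1 -sha256 -extfile "$cnf" -extensions server_ext 2>/dev/null
  if openssl verify -CAfile "$root" -untrusted "$inter" "$tmp/leaf.crt" >/dev/null 2>&1; then ok=0; fi
  rm -rf "$tmp"
  return $ok
}

# report runs one check and prints ok/FAIL; main returns 1 if any check failed.
report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; status=1; fi; }
main() {
  cd "$1" || return 1
  status=0
  report check_intermediate rootCA.crt interCA.crt
  report check_pfx interCA.pfx interCA.crt
  report check_leaf_issuance rootCA.crt interCA.crt interCA.key openssl.cnf
  return $status
}
if [ "$#" -eq 0 ]; then echo "usage: $0 <workdir>" >&2; else main "$1"; fi
```

The leaf dry run writes an interCA.srl serial file into the workdir, exactly as the page's own signing step does for the root.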

Upload Certificate to Key Vault

[Screenshots: Azure Firewall TLS Termination - Upload Certificate to Key Vault, steps 1 to 4]

User Assigned Managed Identity for Key Vault Access

[Screenshots: Azure Firewall TLS Termination - User Assigned Managed Identity for Key Vault Access, steps 1 to 6]

Firewall TLS Inspection Setting

[Screenshots: Azure Firewall TLS Termination - Firewall TLS Inspection Setting, steps 1 to 2]

Testing TLS Inspection Using Azure VM

Scenario

VM

Firewall

Now connect to the VM through the Firewall public IP. Open a browser and visit github.com.

[Screenshots: Azure Firewall TLS Termination - Testing TLS Inspection Using Azure VM, steps 1 to 10]

Production Workload