SSL/TLS for Azure Virtual Machine Scale Sets


This workload allows for the automatic creation, installation and renewal of an SSL/TLS certificate for Azure Virtual Machine Scale Sets using:

Create the SSL/TLS Certificate

  • Create the SSL/TLS certificate in the RCL SSL Portal by using either the:
  • The SAN option allows two domains (wildcard + naked domain, eg: *, on the certificate, whereas the other option allows only one domain on the certificate.

Certificate Automatically Imported to Key Vault

  • After creation, the certificate is automatically imported to Azure Key Vault.
  • Check for the certificate name and version in Azure Key Vault.

Add an Application Gateway to the VMSS

Azure Application Gateway SSL/TLS with Azure Key Vault

Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers or virtual machines. Follow the instructions in this link to add the SSL/TLS certificate from Azure Key Vault.

Automatically Renewing an SSL/TLS Certificate

SSL/TLS certificates will expire within 90 days. Follow these instructions to automatically renew the certificate.

  • Use the RCL SSL AutoRenew Function to automatically renew certificates.
  • The certificates will be automatically renewed and imported to Key Vault, and the TLS termination with Application Gateway will be updated, without any user interaction being required.
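
A check that renewal is actually happening, as an added example that is not part of the RCL SSL documentation or code: it reads the expiry of the certificate served at the Application Gateway listener and flags one that is still near the end of its 90-day lifetime. The 20-day alert threshold and the hostname passed on the command line are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

ALERT_BELOW_DAYS = 20  # assumed threshold: a renewed 90-day cert should have more left


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry, given the 'notAfter' string from ssl.getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(not_after: str, now: datetime) -> str:
    """Classify the served certificate by how much of its lifetime is left."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left < ALERT_BELOW_DAYS:
        return "RENEWAL_OVERDUE"
    return "OK"


def served_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return notAfter of the certificate the listener serves (chain is validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str) -> str:
    """Status for one listener; an expired or mismatched cert fails the handshake."""
    try:
        not_after = served_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        return f"VERIFY_FAILED ({exc.verify_message})"
    except OSError as exc:
        return f"UNREACHABLE ({exc})"
    return renewal_status(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Usage: python check_renewal.py <gateway-hostname>  (hostname is the reader's own)
    target = sys.argv[1]
    print(target, check_host(target))
```

Run it on a schedule against the gateway's public hostname; any result other than `OK` means the renewed certificate has not reached the listener.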

End-To-End SSL/TLS Encryption

If you require the connection from Application Gateway to the individual VMs to use SSL/TLS on port 443, you will need to install SSL/TLS certificates in the VM.

Installing SSL/TLS in each VM

You can follow the instructions in this link to install SSL/TLS certificates in each VM.

Creating a Custom VM Image with RCL SSL

You can also create a custom VM image to use for your VM Scale Set, then include one of the RCL SSL apps to automatically install and renew the certificate in the VM. You can install the following RCL apps in the custom VM image: