Merge pull request #293325 from craigshoemaker/aca/mtls

denrea · web-flow · commit 6658c4c4e825 · 2025-01-24T10:04:48.000-08:00
[Container Apps] Add: mTLS article
diff --git a/articles/container-apps/TOC.yml b/articles/container-apps/TOC.yml
@@ -327,6 +327,8 @@
           href: firewall-integration.md
         - name: Use a private endpoint
           href: how-to-use-private-endpoint.md
+        - name: Use mTLS
+          href: mtls.md
         - name: Integrate with Azure Front Door
           href: how-to-integrate-with-azure-front-door.md
 - name: Languages and runtimes
diff --git a/articles/container-apps/mtls.md b/articles/container-apps/mtls.md
@@ -0,0 +1,57 @@
+---
+title: Use mTLS in Azure Container Apps
+description: Learn to use mTLS in Azure Container Apps.
+services: container-apps
+author: craigshoemaker
+ms.service: azure-container-apps
+ms.topic: how-to
+ms.date: 01/22/2025
+ms.author: cshoe
+---
+
+# Use mTLS in Azure Container Apps
+
+Mutual Transport Layer Security (mTLS) is an extension of the standard TLS protocol that provides mutual authentication between client and server. Azure Container Apps supports running mTLS-enabled applications to provide increased security in your applications.
+
+In Azure Container Apps, all incoming requests pass through Envoy before being routed to the target container app. When you use mTLS, the client exchanges certificates with Envoy. Each of these certificates is placed into the [X-Forwarded-Client-Cert](ingress-overview.md#http-headers) header, which is then sent to the application.
+
+To build an mTLS application in Azure Container Apps, you need to:
+
+1. Configure Azure Container Apps to require client certificates from peers.
+2. Extract `X.509` Certificates from requests.
+
+This article describes how to handle peer mTLS handshake certificates by extracting the `X.509` certificate from the client.
+
+## Require client certificates
+
+Use the following steps to configure your container app to require client certificates:
+
+1. Open your container app in the Azure portal.
+1. Under *Settings*, select **Ingress**.
+1. Select the **Enabled** option.
+1. For *ingress type*, select **HTTP**.
+1. Under *Client certificate mode*, select **Require**.
+1. Select **Save** to apply the changes.
+
+For more information about configuring client certificate authentication in Azure Container Apps, see [Configure client certificate authentication in Azure Container Apps](client-certificate-authorization.md).
+
+## Extract X.509 certificates
+
+To extract `X.509` certificates from the `X-Forwarded-Client-Cert` header, parse the header value in your application code. This header contains the client certificate information when mTLS is enabled. The certificates are provided in a semicolon-separated list format, which includes the hash, certificate, and chain.
+
+Here's the procedure you want to follow to extract and parse the certificate in your application:
+
+1. Retrieve the `X-Forwarded-Client-Cert` header from the incoming request.
+1. Parse the header value to extract the certificate details.
+1. Put the parsed certificates to the standard certificate attribute for further validation or usage.
+
+Once parsed, you can validate certificates and use them according to the needs of your application.
+
+## Example
+
+In Java applications, you can use the [Reactive X.509 authentication filter](https://docs.spring.io/spring-security/reference/reactive/authentication/x509.html) to map the user information from certificates to the security context. For a complete example of a Java application with mTLS in Azure Container Apps, see [mTLS Server Application on Azure Container Apps](https://github.com/Azure-Samples/azure-container-apps-java-samples/tree/main/azure-container-apps-mtls-certificate-filter).
+
+## Related content
+
+- [Configure client certificate authentication in Azure Container Apps](client-certificate-authorization.md)
+- [Custom domain names and bring your own certificates in Azure Container Apps](custom-domains-certificates.md)
diff --git a/articles/container-apps/samples.md b/articles/container-apps/samples.md
@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic: conceptual
-ms.date: 05/31/2024
+ms.date: 01/21/2025
 ms.author: cshoe
 ---
 
@@ -26,3 +26,4 @@ Refer to the following samples to learn how to use Azure Container Apps in diffe
 | [Launch your first Java microservice app on Azure Container Apps](https://github.com/Azure-Samples/azure-container-apps-java-samples/tree/main/spring-petclinic-microservices) |A microservices-based version of PetClinic with Spring, built with Spring Framework, showcasing configuration management, service discovery, and health/metrics monitoring on Azure Container Apps.|
 | [Launch Your first Java Spring Batch app on Azure Container Apps](https://github.com/Azure-Samples/azure-container-apps-java-samples/tree/main/spring-batch-football) |A Java Spring Batch application showcasing an ephemeral statistics loading job, adapted from the Spring Batch Football Job sample, and deployable to Azure Container Apps. |
 | [Launch Your first Java AI application on Azure Container Apps](https://github.com/Azure-Samples/spring-petclinic-ai) |A Java AI application built with the Spring-AI Framework, demonstrating how to integrate with Azure OpenAI capabilities to enhance PetClinic application with an intelligent Chatbot, and deploy it to Azure Container Apps. |
+| [mTLS Server Application on Azure Container Apps](https://github.com/Azure-Samples/azure-container-apps-java-samples/tree/main/azure-container-apps-mtls-certificate-filter) | A Java sample using different Java APIs to demonstrate how to extract X.509 certificates from incoming requests, including Servlet Jakarta API, Servlet Javax API, and Reactive API. Additionally, to provide a complete user experience of verifying the certificates in Azure Container Apps other than Spring Security, the samples also demonstrate loading a custom trust store to validate the certificates. |
