Merge pull request #245066 from cachai2/mtls

prmerger-automator[bot] · web-flow · commit d0265ee60ea5 · 2023-07-25T22:05:35.000Z
init mtls
diff --git a/articles/container-apps/azure-resource-manager-api-spec.md b/articles/container-apps/azure-resource-manager-api-spec.md
@@ -39,6 +39,7 @@ A resource's `properties` object has the following properties:
 |---|---|---|---|
 | `daprAIInstrumentationKey` | The Application Insights instrumentation key used by Dapr. | string | No |
 | `appLogsConfiguration` | The environment's logging configuration. | Object | No |
+| `peerAuthentication` | How to enable mTLS encryption. | Object | No |
 
 ### <a name="container-apps-environment-examples"></a>Examples
 
diff --git a/articles/container-apps/ingress-overview.md b/articles/container-apps/ingress-overview.md
@@ -96,8 +96,9 @@ Container Apps supports IP restrictions for ingress. You can create rules to eit
 
 Azure Container Apps provides built-in authentication and authorization features to secure your external ingress-enabled container app.  For more information, see [Authentication and authorization in Azure Container Apps](authentication.md).
 
-You can configure your app to support client certificates (mTLS) for authentication and traffic encryption. For more information, see [Configure client certificates](client-certificate-authorization.md)
+You can configure your app to support client certificates (mTLS) for authentication and traffic encryption. For more information, see [Configure client certificates](client-certificate-authorization.md). 
 
+For details on how to use mTLS for environment level network encryption, see the [networking overview](./networking.md#mtls). 
 
 ## Traffic splitting
 
diff --git a/articles/container-apps/network-proxy.md b/articles/container-apps/network-proxy.md
@@ -33,10 +33,9 @@ Requests that come in to ports `80` and `443` are internally routed to the appro
 ## Security
 
 - HTTP requests are automatically redirected to HTTPs
-- Envoy terminates TLS after crossing its boundary
-    - Envoy sends requests to apps over HTTP in plain text
-- mTLS is only available when using Dapr
-    - When you use Dapr service invocation APIs, mTLS is enabled. However, because Envoy terminates mTLS, inbound calls from Envoy to Dapr-enabled container apps isn't encrypted.
+    - You can disable this by setting `allowInsecure` to `true` in the ingress configuration
+- TLS terminates at the ingress
+    - You can enable [Environment level network encryption](networking.md#mtls) for full end-to-end encryption for requests between the ingress and an app and between different apps
 
 HTTPs, GRPC, and HTTP/2 all follow the same architectural model.
 
diff --git a/articles/container-apps/networking.md b/articles/container-apps/networking.md
@@ -204,6 +204,54 @@ With the workload profiles environment (preview), you can fully secure your ingr
 - Integrate your Container Apps with an Application Gateway. For steps, see [here](./waf-app-gateway.md).
 - Configure UDR to route all traffic through Azure Firewall. For steps, see [here](./user-defined-routes.md).
 
+## <a name="mtls"></a> Environment level network encryption - preview
+
+Azure Container Apps supports environment level network encryption using mutual transport layer security (mTLS). When end-to-end encryption is required, mTLS will encrypt data transmitted between applications within an environment. Applications within a Container Apps environment are automatically authenticated. However, Container Apps currently does not support authorization for access control between applications using the built-in mTLS.
+
+When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported, to learn more see [configure client certificates](client-certificate-authorization.md).
+
+> [!NOTE]
+> Enabling mTLS for your applications may increase response latency and reduce maximum throughput in high-load scenarios.
+
+# [Azure CLI](#tab/azure-cli)
+
+You can enable mTLS using the following commands.
+
+On create:
+```azurecli
+az containerapp env create \
+    --name <environment-name> \
+    --resource-group <resource-group> \
+    --location <location> \
+    --enable-mtls
+```
+
+For an existing container app:
+```azurecli
+az containerapp env update \
+    --name <environment-name> \
+    --resource-group <resource-group> \
+    --enable-mtls
+```
+
+# [ARM template](#tab/arm-template)
+
+You can enable mTLS in the ARM template for Container Apps environments using the following configuration.
+
+```json
+{
+  ...
+  "properties": {
+       "peerAuthentication":{
+            "mtls": {
+                "enabled": "true|false"
+            }
+        }
+  ...
+}
+```
+---
+
 ## DNS
 
 -	**Custom DNS**: If your VNet uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to `168.63.129.16`. [Azure recursive resolvers](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) uses this IP address to resolve requests. When configuring your NSG or Firewall, don't block the `168.63.129.16` address, otherwise, your Container Apps environment won't function.
