Modern eCommerce Web Application encryption

Now that you’ve configured the certificates for eCommerce Web Application Gateway and the backend pool, you can create a listener to handle incoming requests. The listener will wait for messages, decrypt them by using the private key, and then route these messages to the backend pool.

In this unit, you’ll set up the listener with port 443 and with the SSL certificate that you created in the first exercise. The following image highlights the elements you’ll set up in this exercise.

Last updated: Feb 12, 2023

Diagram that highlights the elements (frontend port, SSL certificate for eCommerce Web Application Gateway, listener, and rule) created in this exercise.

Configure the listener

Run the following command to create a new frontend port (443) for the gateway.

az network application-gateway frontend-port create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-port \
--port 443

Upload the SSL certificate for the application gateway. The setup script generated this certificate in the previous exercise. The certificate is stored in the appgateway.pfx file in the server-config folder.

The password generated for the .pfx file is somepassword. Don’t change it in the following command.

az network application-gateway ssl-cert create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name appgateway-cert \
--cert-file server-config/appgateway.pfx \
--cert-password somepassword

Run the following command to create a new listener that accepts incoming traffic on port 443. The listener uses the certificate appgateway-cert to decrypt messages.

az network application-gateway http-listener create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-listener \
--frontend-port https-port \
--ssl-cert appgateway-cert

Run the following command to create a rule that directs traffic received through the new listener to the backend pool. This command might take a minute or two to finish.


az network application-gateway rule create \
--resource-group $rgName \
--gateway-name gw-shipping \
--name https-rule \
--address-pool ap-backend \
--http-listener https-listener \
--http-settings https-settings \
--rule-type Basic

Test the application gateway

Retrieve the public URL of the application gateway.

echo https://$(az network public-ip show \
--resource-group $rgName \
--name appgwipaddr \
--query ipAddress \
--output tsv)

Go to the URL in a web browser.

As before, your browser might display a warning message that says the SSL connection is using an unauthenticated certificate. The warning appears because the certificate is self-signed, so the browser can’t chain it to a trusted certificate authority. For this exercise, you can ignore the warning and continue to the website.

Verify that the home page for the shipping portal appears.
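The browser check can be complemented by confirming that the certificate served on port 443 is the one uploaded as appgateway-cert, instead of relying on clicking through the warning. The following is an added example, not part of the original exercise; the function names are illustrative and it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example: function names are illustrative; requires the openssl CLI.

# SHA-256 fingerprint of the leaf certificate stored in a .pfx file.
pfx_fingerprint() {  # $1 = .pfx path, $2 = .pfx password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a server presents on port 443.
served_fingerprint() {  # $1 = host name or IP address
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True only when both fingerprints are non-empty and identical, so a failed
# extraction (wrong password, unreachable host) never counts as a match.
fingerprints_match() {  # $1 = expected, $2 = served
  [ -n "$1" ] && [ "$1" = "$2" ]
}

verify_gateway_cert() {  # $1 = gateway IP, $2 = .pfx path, $3 = .pfx password
  expected_fp=$(pfx_fingerprint "$2" "$3")
  served_fp=$(served_fingerprint "$1")
  if fingerprints_match "$expected_fp" "$served_fp"; then
    echo "OK: gateway presents the uploaded certificate ($served_fp)"
  else
    echo "MISMATCH: expected '$expected_fp', served '$served_fp'" >&2
    return 1
  fi
}

# Usage with the names from this exercise:
#   ip=$(az network public-ip show --resource-group $rgName \
#        --name appgwipaddr --query ipAddress --output tsv)
#   verify_gateway_cert "$ip" server-config/appgateway.pfx somepassword
```

A mismatch means the listener is presenting a different certificate than the one in server-config/appgateway.pfx, or that one of the two fingerprints could not be read.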

You have now configured the listener to listen on port 443 and decrypt incoming data before it’s passed to the backend pool. The data is re-encrypted when it’s transmitted from the gateway to a server in the backend pool. With this listener in place, you have set up end-to-end encryption for the shipping portal.