Application Gateway Mutual Authentication Support (#9965)

* Adding mutual auth api definitions.

* Adding examples.

* Fixing case.

Co-authored-by: Hemant Imudianda <[email protected]>

Author: HemantErappa

specification/network/resource-manager/Microsoft.Network/stable/2020-06-01/applicationGateway.json

@@ -1361,6 +1361,15 @@
       },
       "description": "Application Gateway Ssl policy."
     },
+    "ApplicationGatewayClientAuthConfiguration": {
+      "properties": {
+        "verifyClientCertIssuerDN": {
+          "type": "boolean",
+          "description": "Verify client certificate issuer name on the application gateway."
+        }
+      },
+      "description": "Application gateway client authentication configuration."
+    },
     "ApplicationGatewayIPConfigurationPropertiesFormat": {
       "properties": {
         "subnet": {
@@ -1494,6 +1503,49 @@
       ],
       "description": "Trusted Root certificates of an application gateway."
     },
+    "ApplicationGatewayTrustedClientCertificatePropertiesFormat": {
+      "properties": {
+        "data": {
+          "type": "string",
+          "description": "Certificate public data."
+        },
+        "provisioningState": {
+          "readOnly": true,
+          "$ref": "./network.json#/definitions/ProvisioningState",
+          "description": "The provisioning state of the trusted client certificate resource."
+        }
+      },
+      "description": "Trusted client certificates properties of an application gateway."
+    },
+    "ApplicationGatewayTrustedClientCertificate": {
+      "properties": {
+        "properties": {
+          "x-ms-client-flatten": true,
+          "$ref": "#/definitions/ApplicationGatewayTrustedClientCertificatePropertiesFormat",
+          "description": "Properties of the application gateway trusted client certificate."
+        },
+        "name": {
+          "type": "string",
+          "description": "Name of the trusted client certificate that is unique within an Application Gateway."
+        },
+        "etag": {
+          "readOnly": true,
+          "type": "string",
+          "description": "A unique read-only string that changes whenever the resource is updated."
+        },
+        "type": {
+          "readOnly": true,
+          "type": "string",
+          "description": "Type of the resource."
+        }
+      },
+      "allOf": [
+        {
+          "$ref": "./network.json#/definitions/SubResource"
+        }
+      ],
+      "description": "Trusted client certificates of an application gateway."
+    },
     "ApplicationGatewaySslCertificatePropertiesFormat": {
       "properties": {
         "data": {
@@ -1827,6 +1879,60 @@
       ],
       "description": "Backend address pool settings of an application gateway."
     },
+    "ApplicationGatewaySslProfilePropertiesFormat": {
+      "properties": {
+        "trustedClientCertificates": {
+          "type": "array",
+          "items": {
+            "$ref": "./network.json#/definitions/SubResource"
+          },
+          "description": "Array of references to application gateway trusted client certificates."
+        },
+        "sslPolicy": {
+          "$ref": "#/definitions/ApplicationGatewaySslPolicy",
+          "description": "SSL policy of the application gateway resource."
+        },
+        "clientAuthConfiguration": {
+          "$ref": "#/definitions/ApplicationGatewayClientAuthConfiguration",
+          "description": "Client authentication configuration of the application gateway resource."
+        },
+        "provisioningState": {
+          "readOnly": true,
+          "$ref": "./network.json#/definitions/ProvisioningState",
+          "description": "The provisioning state of the HTTP listener resource."
+        }
+      },
+      "description": "Properties of SSL profile of an application gateway."
+    },
+    "ApplicationGatewaySslProfile": {
+      "properties": {
+        "properties": {
+          "x-ms-client-flatten": true,
+          "$ref": "#/definitions/ApplicationGatewaySslProfilePropertiesFormat",
+          "description": "Properties of the application gateway SSL profile."
+        },
+        "name": {
+          "type": "string",
+          "description": "Name of the SSL profile that is unique within an Application Gateway."
+        },
+        "etag": {
+          "readOnly": true,
+          "type": "string",
+          "description": "A unique read-only string that changes whenever the resource is updated."
+        },
+        "type": {
+          "readOnly": true,
+          "type": "string",
+          "description": "Type of the resource."
+        }
+      },
+      "allOf": [
+        {
+          "$ref": "./network.json#/definitions/SubResource"
+        }
+      ],
+      "description": "SSL profile of an application gateway."
+    },
     "ApplicationGatewayHttpListenerPropertiesFormat": {
       "properties": {
         "frontendIPConfiguration": {
@@ -1849,6 +1955,10 @@
           "$ref": "./network.json#/definitions/SubResource",
           "description": "SSL certificate resource of an application gateway."
         },
+        "sslProfile": {
+          "$ref": "./network.json#/definitions/SubResource",
+          "description": "SSL profile resource of the application gateway."
+        },
         "requireServerNameIndication": {
           "type": "boolean",
           "description": "Applicable only if protocol is https. Enables SNI for multi-hosting."
@@ -2662,6 +2772,13 @@
           },
           "description": "Trusted Root certificates of the application gateway resource. For default limits, see [Application Gateway limits](https://docs.microsoft.com/azure/azure-subscription-service-limits#application-gateway-limits)."
         },
+        "trustedClientCertificates": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ApplicationGatewayTrustedClientCertificate"
+          },
+          "description": "Trusted client certificates of the application gateway resource. For default limits, see [Application Gateway limits](https://docs.microsoft.com/azure/azure-subscription-service-limits#application-gateway-limits)."
+        },
         "sslCertificates": {
           "type": "array",
           "items": {
@@ -2711,6 +2828,13 @@
           },
           "description": "Http listeners of the application gateway resource. For default limits, see [Application Gateway limits](https://docs.microsoft.com/azure/azure-subscription-service-limits#application-gateway-limits)."
         },
+        "sslProfiles": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ApplicationGatewaySslProfile"
+          },
+          "description": "SSL profiles of the application gateway resource. For default limits, see [Application Gateway limits](https://docs.microsoft.com/azure/azure-subscription-service-limits#application-gateway-limits)."
+        },
         "urlPathMaps": {
           "type": "array",
           "items": {

specification/network/resource-manager/Microsoft.Network/stable/2020-06-01/examples/ApplicationGatewayCreate.json

@@ -57,6 +57,14 @@
             }
           }
         ],
+        "trustedClientCertificates": [
+          {
+            "name": "clientcert",
+            "properties": {
+              "data": "****"
+            }
+          }
+        ],
         "frontendIPConfigurations": [
           {
             "name": "appgwfip",
@@ -107,6 +115,28 @@
             }
           }
         ],
+        "sslProfiles": [
+          {
+            "name": "sslProfile1",
+            "properties": {
+              "sslPolicy": {
+                "policyType": "Custom",
+                "minProtocolVersion": "TLSv1_1",
+                "cipherSuites": [
+                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+                ]
+              },
+              "clientAuthConfiguration": {
+                "verifyClientCertIssuerDN": true
+              },
+              "trustedClientCertificates": [
+                {
+                  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert"
+                }
+              ]
+            }
+          }
+        ],
         "httpListeners": [
           {
             "name": "appgwhl",
@@ -121,6 +151,9 @@
               "sslCertificate": {
                 "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslCertificates/sslcert"
               },
+              "sslProfile": {
+                "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1"
+              },
               "requireServerNameIndication": false
             }
           },
@@ -285,6 +318,16 @@
               }
             }
           ],
+          "trustedClientCertificates": [
+            {
+              "name": "clientcert",
+              "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert",
+              "properties": {
+                "provisioningState": "Succeeded",
+                "data": "****"
+              }
+            }
+          ],
           "authenticationCertificates": [],
           "frontendIPConfigurations": [
             {
@@ -340,6 +383,30 @@
               }
             }
           ],
+          "sslProfiles": [
+            {
+              "name": "sslProfile1",
+              "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1",
+              "properties": {
+                "provisioningState": "Succeeded",
+                "sslPolicy": {
+                  "policyType": "Custom",
+                  "minProtocolVersion": "TLSv1_1",
+                  "cipherSuites": [
+                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+                  ]
+                },
+                "clientAuthConfiguration": {
+                  "verifyClientCertIssuerDN": true
+                },
+                "trustedClientCertificates": [
+                  {
+                    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert"
+                  }
+                ]
+              }
+            }
+          ],
           "httpListeners": [
             {
               "name": "appgwhl",
@@ -356,6 +423,9 @@
                 "sslCertificate": {
                   "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslCertificates/sslcert"
                 },
+                "sslProfile": {
+                  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1"
+                },
                 "requireServerNameIndication": false
               }
             },
@@ -531,6 +601,16 @@
               }
             }
           ],
+          "trustedClientCertificates": [
+            {
+              "name": "clientcert",
+              "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert",
+              "properties": {
+                "provisioningState": "Succeeded",
+                "data": "****"
+              }
+            }
+          ],
           "authenticationCertificates": [],
           "frontendIPConfigurations": [
             {
@@ -589,6 +669,30 @@
               }
             }
           ],
+          "sslProfiles": [
+            {
+              "name": "sslProfile1",
+              "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1",
+              "properties": {
+                "provisioningState": "Succeeded",
+                "sslPolicy": {
+                  "policyType": "Custom",
+                  "minProtocolVersion": "TLSv1_1",
+                  "cipherSuites": [
+                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+                  ]
+                },
+                "clientAuthConfiguration": {
+                  "verifyClientCertIssuerDN": true
+                },
+                "trustedClientCertificates": [
+                  {
+                    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert"
+                  }
+                ]
+              }
+            }
+          ],
           "httpListeners": [
             {
               "name": "appgwhl",
@@ -605,6 +709,9 @@
                 "sslCertificate": {
                   "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslCertificates/sslcert"
                 },
+                "sslProfile": {
+                  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1"
+                },
                 "requireServerNameIndication": false
               }
             },

specification/network/resource-manager/Microsoft.Network/stable/2020-06-01/examples/ApplicationGatewayGet.json

@@ -42,6 +42,16 @@
               }
             }
           ],
+          "trustedClientCertificates": [
+            {
+              "name": "clientcert",
+              "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert",
+              "properties": {
+                "provisioningState": "Succeeded",
+                "data": "****"
+              }
+            }
+          ],
           "authenticationCertificates": [],
           "frontendIPConfigurations": [
             {
@@ -97,6 +107,30 @@
               }
             }
           ],
+          "sslProfiles": [
+            {
+              "name": "sslProfile1",
+              "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1",
+              "properties": {
+                "provisioningState": "Succeeded",
+                "sslPolicy": {
+                  "policyType": "Custom",
+                  "minProtocolVersion": "TLSv1_1",
+                  "cipherSuites": [
+                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+                  ]
+                },
+                "clientAuthConfiguration": {
+                  "verifyClientCertIssuerDN": true
+                },
+                "trustedClientCertificates": [
+                  {
+                    "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/trustedClientCertificates/clientcert"
+                  }
+                ]
+              }
+            }
+          ],
           "httpListeners": [
             {
               "name": "appgwhl",
@@ -113,6 +147,9 @@
                 "sslCertificate": {
                   "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslCertificates/sslcert"
                 },
+                "sslProfile": {
+                  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/applicationGateways/appgw/sslProfiles/sslProfile1"
+                },
                 "requireServerNameIndication": false
               }
             },