client certificate validation on APIM

Question

I want to implement client certificate validation in Azure API Management policy to check if the client has a valid certificate as per the below documentation.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

I have Application gateway in front of API Management service deployed in internal mode connected to vnet.

I have the same issue as mentioned in the below artile. The certificate is not being passed down to the APIM. Client Certificate is not being passed on by Azure Application Gateway

I see that there is support for Mutual Authentication with application gateway in preview mode. Is this the only possible option to fix this issue. Any timelines on the release for this feature on v1 application gateways. https://docs.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview

Will the certificate be passed to APIM gateway to validate the client certificate with this feature enabled.

My APIM policy works fine when the traffic is coming to the internal endpoint when I try to access the API from within the network. This route doesnt pass through Application gateway in our setup and works fine. But having trouble getting the external access enabled with client certificates

Answer 1

"Will the certificate be passed to APIM gateway to validate the client certificate with this feature enabled" - no, it won't.

An answer from Microsoft:

We do have option for mutual authentication on Application Gateway which can allow the mutual authentication between client and Application Gateway : https://docs.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview

However this is still in preview version, which is not included in SLA. As the mutual authentication between AppGW and the APIM we double confirmed with the backend engineers, unfortunately the answer is no we do not support such a function.