
Enhance security and simplify network integration with Extension Host on Azure Stack

Today we are announcing a change coming to the Azure Stack infrastructure and to how endpoints are published through a firewall. This blog post covers the rollout timeline so that you can plan carefully in advance.

We are excited to share a new capability we are bringing to Azure Stack to further enhance the security posture and simplify network integration for our customers. Today, each Azure service on Azure Stack adds functionality to the portal for its portal experience via a module called a portal extension. Each of these portal extensions uses a separate network port. As the number of Azure services increases, so does the number of ports that must be opened on a firewall that supports Azure Stack.

Our customers told us we need to improve this posture, and we’ve listened. We’re bringing the Extension Host solution to Azure Stack so only one port (443) is required to be opened. This solution is already available on Azure, allowing all requests to be funneled through one port, reducing the ports that need to be opened on the firewall, and allowing customers to communicate with these endpoints via proxy servers.

In its first release, the User and Admin portal default extensions have moved to this model, thereby reducing the number of ports from 27 to one. Over time, additional services such as the SQL and MySQL providers will also be changed to use the Extension Host model.

The implementation of Extension Host requires two wildcard SSL certificates, one for the Admin portal and one for the Tenant portal. Customers who have already deployed Azure Stack systems will need to provide these two additional certificates by the time the 1811 update is released, so there is still some time to acquire and prepare for this capability. The 1811 update will require that these two certificates be imported before the update can be applied. Effectively, the 1811 update will enable Extension Host.

New deployments of Azure Stack will start requiring these two additional certificates sometime in September 2018. Please check with your Azure Stack hardware partner for specifics on when they require these additional certificates for new deployments.

To prepare for the use of these certificates, we have enhanced the Azure Stack Readiness Checker tool. You can use it to validate certificates acquired for Extension Host, as well as generate the appropriate certificate signing request for these two certificates.

Thanks for your continued feedback and support for Azure Stack. Please share any thoughts or questions in the comments section below.
