Reverse proxies in front of Ansible Automation Platform on Azure


Ansible Automation Platform (AAP) on Azure can be deployed in one of two access modes, Public or Private. The infrastructure deployed in each mode differs in some respects, but both include a component that grants access to the application: an Azure Application Gateway in Public mode and Nginx in Private mode.

Customers may want to add a reverse proxy in front of the entire deployment for various reasons, but a few requirements must be met or the solution may not function correctly.

Note
We provide this solution article to help customers understand what must be done to access AAP through an external reverse proxy. Best-effort support will be provided for connectivity or configuration issues with the external reverse proxy, but the customer is responsible for managing, configuring, or troubleshooting it.

Two requirements must be met to reach AAP properly through a custom reverse proxy or load balancer.

  1. Do not change the host header for the entire flow

  2. Ensure proper TLS connectivity to the solution

The first requirement concerns passing the correct Host header to AAP on Azure. The URL the user uses to access AAP must match either the hostname provided during the initial deployment or a custom vanity domain enabled by the customer. The reverse proxy must not change this Host header at any point in the connection flow, or unexpected issues may occur.

For the second requirement, AAP is exposed through HTTPS/443 endpoints. TLS connectivity must be established between the reverse proxy and the AAP backend, which means the reverse proxy must have all the settings and resources needed to understand and/or trust the TLS certificate that AAP presents, whether for the initial domain or for the vanity domain the customer chose. We also recommend that clients access the reverse proxy over HTTPS/443 to ensure end-to-end TLS connectivity.

Please refer to the documentation of the reverse proxy in use to ensure these two requirements are met.
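
The following configuration is an added example, not part of the original article or of the product's own configuration. It shows how the two requirements map to settings if the external reverse proxy is nginx (an assumption). The hostname `aap.example.com`, the backend address `203.0.113.10`, and all file paths are placeholders.

```nginx
# Added example: nginx as the external reverse proxy (assumption).
# aap.example.com, 203.0.113.10 and every file path are placeholders.

upstream aap_backend {
    # Entry point of the AAP on Azure deployment
    # (Application Gateway in Public mode, Nginx in Private mode).
    server 203.0.113.10:443;
}

server {
    # Clients reach the proxy over HTTPS/443, as the article recommends.
    listen 443 ssl;

    # Must be the hostname AAP was deployed with, or its vanity domain.
    server_name aap.example.com;

    ssl_certificate     /etc/nginx/tls/aap.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/aap.example.com.key;

    location / {
        proxy_pass https://aap_backend;

        # Requirement 1: forward the client's Host header unchanged.
        # nginx's default is "Host: $proxy_host", which here would be
        # "aap_backend", a name AAP does not expect.
        proxy_set_header Host $host;

        # Requirement 2: TLS to the backend, with the certificate verified.
        proxy_ssl_server_name on;   # send SNI to the backend (off by default)
        proxy_ssl_name $host;       # name used for SNI and certificate matching
        proxy_ssl_verify on;        # verify the backend certificate (off by default)
        proxy_ssl_verify_depth 2;   # allow one intermediate CA in the chain
        # CA bundle that issued the certificate AAP presents.
        proxy_ssl_trusted_certificate /etc/nginx/tls/aap-backend-ca.pem;
    }
}
```

With `proxy_ssl_verify` left at its default of `off`, nginx encrypts the backend connection but accepts any certificate, so the second requirement is only met once verification and the trusted CA bundle are both configured.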
