NGINXaaS: Add private subnet OIDC with Microsoft Entra ID guide #1395
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
documentation
mjang
reviewed
Nov 5, 2025
|
|
||
| Learn how to configure F5 NGINXaaS for Azure with OpenID Connect (OIDC) authentication using Microsoft Entra ID when your NGINXaaS deployment is in a private subnet. This guide addresses the networking requirements to enable authentication traffic to reach Microsoft Entra ID endpoints while maintaining security controls. | ||
|
|
||
| When NGINXaaS is deployed in a private subnet, authentication traffic must reach external Microsoft Entra ID endpoints at `login.microsoftonline.com`. This guide provides two solutions to enable this connectivity while controlling outbound traffic: |
There was a problem hiding this comment.
So when we have three solutions....
Suggested change
| When NGINXaaS is deployed in a private subnet, authentication traffic must reach external Microsoft Entra ID endpoints at `login.microsoftonline.com`. This guide provides two solutions to enable this connectivity while controlling outbound traffic: | |
| When NGINXaaS is deployed in a private subnet, authentication traffic must reach external Microsoft Entra ID endpoints at `login.microsoftonline.com`. This guide provides the following solutions to enable this connectivity while controlling outbound traffic: |
| 1. **Azure Firewall** - Higher security, more granular control | ||
|
|
||
| ## Before you begin | ||
|
|
There was a problem hiding this comment.
Need some sort of intro, such as:
Suggested change
| To complete this guide, you need to set up the following: | |
| {{< table >}} | ||
| | Feature | Azure NAT Gateway | Azure Firewall | | ||
| |---------|-------------------|----------------| | ||
| | **Hourly Cost** | Lower ($0.045+ per hour) | Higher ($1.25+ per hour) | |
There was a problem hiding this comment.
It might be better to link to the Azure source for these costs.
Otherwise, if Azure raises their prices, a customer could say: "But NGINX told us that the price would be..."
| {{< call-out "note" >}}The `oidc_jwt_keyfile` endpoint is not listed in the Microsoft App Registration's endpoints pane but is required for proper OIDC configuration.{{< /call-out >}} | ||
|
|
||
| 1. Configure DNS resolution appropriately: | ||
| - For IPv4-only deployments, set `ipv6=off` in your resolver directive in the `openid_connect.server_conf` file |
There was a problem hiding this comment.
Since this is a duplicate of current line 75
Suggested change
| - For IPv4-only deployments, set `ipv6=off` in your resolver directive in the `openid_connect.server_conf` file |
| 1. **Route Configuration**: Confirm the route table is properly associated with the NGINXaaS subnet. | ||
|
|
||
| ## Security considerations | ||
|
|
There was a problem hiding this comment.
Need some sort of intro, such as:
Suggested change
| To secure your systems, address the following: | |
| - **Network Segmentation**: Consider additional network segmentation for enhanced security. | ||
|
|
||
| ## Cost optimization | ||
|
|
There was a problem hiding this comment.
Suggested change
| To optimize your systems, we recommend: | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
This PR adds documentation for configuring OIDC authentication with Microsoft Entra ID in private subnet NGINXaaS deployments, addressing networking challenges for external authentication endpoints.
Changes Made
Benefits
Checklist
Before sharing this pull request, I completed the following checklist:
Footnotes
Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩