Say, I have two app service (HTTPS only is enabled):
https://myapp1.azurewebsites.net
https://myapp2.azurewebsites.net
I can call both app service endpoints using HTTPS successfully.
Then I created a traffic manager and add above two endpoints to traffic manager, say:
myapps.trafficmanager.net
After the traffic manager is created and endpoint added, the trafficmanger host name myapps.trafficmanager.net is also automatically added into custom domains of two app services. But without SSL binding to traffic manager host name.
Then if I call traffic manager endpoint using HTTPS: https://myapps.trafficmanager.net, I will got untrusted SSL cert error/warning. That is expected.
Since traffic manager just works on DNS level, the real request is actually send to the app service endpoint which has correct SSL cert binding. My question is:
From security point of view, is it safe to call the non-cert binding traffic manager endpopint using HTTPS in my code (say, using .NET HttpClient) but just ignore the cert error?
I recently set one of these up as well and fought with it for a bit. The short answer is that it is probably safe, but it sounds like you may be using the Traffic Manager incorrectly. You shouldn't be using the URL in the Traffic Manager as your end point if you want to use SSL. Instead configure your vanity domain name, mycoolsite.com to point to myapps.trafficmanager.net, using a DNS CNAME record.
If you want to use SSL and a single URL you should configure the custom URL and install an SSL cert at the service level. It should be same custom URL on both app services. This must be configured at in the app service, not in Traffic Manager.
I had to read this a few times to understand how it works under the hood, but it was helpful.
So in summary, to set it up properly, the steps would be:
Configure custom/vanity domain on both app services
Install the SSL cert on both app services
Setup and configure the Traffic Manager
Point the custom/vanity URL to the traffic manager using a DNS CNAME record
There is no need to bind a cert with traffic manager since the server certificate is not validated when using traffic manager health probes via HTTPS. Moreover, the traffic manager works at the DNS level. The clients connect directly to the selected endpoint, not through Traffic Manager.
In this case, you could use HTTPS for endpoints and use health probe via HTTPS. Even you could not bind a cert with traffic manager, you could make sure that the monitoring port is configured correctly in Traffic Manager (e.g. 443 instead of 80) and also your monitoring path points to a valid page for your service.
Another SO answer explains this more details. If you still want to make this warning disappearing, you can get a free SSL from letsencrypt.org and add that to your custom domain with the *.trafficmanager.net.
Related
I have a Azure cloud service (abc.cloudapp.net) which has authentication enforced using OpenId-Connect. Recently I decided to put it behind a Traffic Manager (abc.trafficmanager.net) for maintenance reasons. After reading about how Traffic Manager works on Microsoft docs, my understanding (as per the flow diagram below) was that when someone hits the TM, it will simply do the DNS look-up for my cloud service and return a 302 with the location as abc.cloudapp.net (or IP may be) and then the client follows the redirect. The documentation clearly says so :
The most important point to understand is that Traffic Manager works at the DNS level. Traffic Manager uses DNS to direct clients to specific service endpoints based on the rules of the traffic-routing method. Clients connect to the selected endpoint directly. Traffic Manager is not a proxy or a gateway. Traffic Manager does not see the traffic passing between the client and the service.
But what I am seeing (through Fiddler/Chrome dev-tools) is that TM seems to be hitting the actual cloud service endpoint causing authentication issues as the redirect URL in my cloud service doesn't match the TM URL and so forth.
Is TM supposed to do this? Or am I missing something crucial here. Below is a related thread.
RequireNonce is 'true' (default) but validationContext.Nonce is null in Azure Traffic Manager , OpenIdConnectAuthentication
Traffic manager operates at DNS level, there is no 302 since it does not operate using HTTP. When a client makes a DNS query for your domain name, traffic manager will send back a DNS reply that the service is over there.
The client will then connect to the Traffic Manager URL/your custom domain using the IP address given by traffic manager.
So the URL the user sees doesn't change, traffic manager just tells them where the service is.
I have created Windows Server VM in Azure and deployed my site to IIS, which is now accessible at https://mysite.westeurope.cloudapp.azure.com/
however I get certificate error when I try to visit it from outside the vm.
how do I configure the VM to have proper https without certificate errors (just like app service - mysite.azurewebsites.net)?
As the comments from micker #micker, you can't get an SSL certificate for this subdomain westeurope.cloudapp.azure.com which is owned by Microsoft.
Since you host your websites on Azure VM, you could purchase a domain then get an SSL certificate for your own domain, then bind the SSL certificate to your custom domain in IIS on the Azure VM. You can either purchase that certificate through Azure or an external provider or get a free SSL cert from Let's Encrypt.
However, if you just want to have a test in your test environment, you can use a self-signed certification with this DNS name like vma.centralus.cloudapp.azure.com. You can follow steps in How To Create A SHA-256 Self-Signed Certificate on the Azure VM then export this cert .cer format file on the Azure VM and import the .cer cert under the mmc---certificate---local machine---Trusted root certification Authorities on the machine where you want to access the websites. Please note this It's not recommended to use self-signed cert in your production environment.
I had same issue, and I found resolution without custom domain using following additional azure settings.
create Azure WAF, add custom rules to deny if not in IP list - this is if you need ip whitelisting, useful if your main domain uses akamai or other edge routing to point to external hosting of subdomains, you can use whitelist to restrict access to the akamai or other servers, though this takes some big lists you must paste of ranges one row at a time. Set any other web app firewall rules you want enforced for allow/deny.
Create Azure Front Door named like you want as an endpoint url e.g. myappfrontdoor will make myappfrontdoor.azurefd.net. in backend pool specify the your public-ip shared dns name (see step 3) like myapptest..cloudapp.azure.com.
This is the important step : in Settings at top of front door designer, disable cert validation. in routing rules config, no condition, forward to backend pool setup in prior step. This ignores the fact that you cannot cert your cloudapp.azure.com endpoint, and wraps it with a *.azurefd.net certificate.
In your azure firewall, Edit NAT rules, set rule name myapp-web-fd-... , tcp, ip address, 147.243.0.0/16 (this is Azure's front door backend ip range). destination should be the firewall's own public ip. destination port 443, translated address should be the target vm's azure internal ip, target port - service port.
Now you will have a site like myappfrontdoor.azurefd.net.
Note that Azure Front Door and WAF have their own pricing costs, so maybe it is cheaper for you to buy a domain. Hopefully you are also using Azure Firewall, though expensive. If not, one could point to public ip directly on NSG or on vm itself but I wouldn't skip having a firewall for a public server. There is a standing Azure enhancement request to get Azure Front Door to recognize certificates, but it was triaged 2 years ago and still not added, so not sure if it will be worked. If it ever does get worked, devs could make own cert auth and self-signed cert with expirations to more securely hook front door to azure internal vm. For now, have to rely on the front door backend setting, waf, and azure firewall to have these things routed.
There are some options in Akamai and other edge routing systems to import cert and self-created authority sort of, but I've not tried that yet, so cannot confirm this would cleanly wrap your azure site without cert errors. You can make a self-signed authority using openssl commands as noted in other posts out and about on the web.
The simplest and cheapest option is to purchase a domain and use a cname dns record to map your new domain to your Azure subdomain address - an "A" record is not required. Also per answer above, a WAF is expensive and possibly unnecessary for a test set up (but a requirement for a production website). You can use Certbot and NGINX to create a free Lets Encrypt certificate for your domain and assign it to your website.
Adding a Public IP Address, Load Balancer, and Network Security Group to your Azure Resource Group may also be required to provide access to your website. This is largely how my test configuration is set up except I'm using a Linux VM, have a single wildcard certificate, and use NGINX to reverse proxy 3 websites.
I have an Azure App Service with HTTPs enabled only and Azure Active Directory as a way to Authenticate to the service.
I am planing to geo-locate my App Service on a second region but at the moment I am trying to test that Azure Traffic Manager works with my current site. However, there are few things that are confusing me:
When I created the ATM, the DNS name was HTTP and not HTTPs. Seems there is no option to have a DNS name with HTTP.
After I added the endpoint, I tried to navigate to the URL http://foo.trafficmanager.net and it redirects to https://foo.trafficmanager.net/ and shows the following error. This site is not secure. Seems there is a certificate error. Why is rerouting automatically to HTTPs now?
Is there any documentation step by step to configure ATM? I am not interested in purchasing a domain, I am totally fine with https://foo.trafficmanager.net/ as my URL as long as the connection is secure all the time.
Azure Traffic Manager supports probing both over HTTPS and HTTP. For HTTPS:
Server-side certificates are not validated
SNI server-side certificates are not supported
Client certificates are not supported
There are more details you can take a look: FAQs and Traffic Manager endpoint monitoring.
With HTTPS, the monitoring port should change from 80 to 443 and also your monitoring path points to a valid page for your service.
Update
There is an issue that what does Azure Traffic Manager work. For more details, see What is Traffic Manager.
Azure Traffic Manager is a DNS-based traffic load balancer that
enables you to distribute traffic optimally to services across global
Azure regions while providing high availability and responsiveness.
The DNS of Traffic Manager itself just uses the HTTP protocol. But it can probe both HTTP and HTTPS. All the HTTPS for your application just set in your Web App Service.
Hope this will help you.
I am having trouble with getting SSL/HTTPS working on a Azure WAF (ApplicationGateway) (http / port:80 is working fine)
I will explain the scenario as basic as possible:
The developer has made two websites (for this example: let’s say X.com and Y.com) both on a Linux Front End server in AZURE which sit behind a NSG as well as a Azure Application Gateway WAF
The developer points DNS records of X.com and Y.com to the WAF's single IP (appGatewayFrontendIP)
Users can browse through to both websites http / port:80 with no problem.
The trouble now lies with how to get SSL working, so far:
The developer has applied SSL certificates to both websites on the Linux Web Server in Azure
How does one get SSL working on the WAF?
I have been looking through MS Docs all day but not really sure how to get this to work (https://learn.microsoft.com/en-us/azure/application-gateway/create-ssl-portal)
I see we need to put a PFX certificate inside - I am assuming a selfsigned one is NOT the way to go. However I am non the wiser as to what I do in this scenario -
How do I get a PFX certificate and how does this work when you have 2 websites on a single Front End Linux Server -
Do I need to take off the SSL Certs on the Front End Linux server and instead of .cert get a .PFX cert and upload via Azure Portal?
Any help truly welcome! :)
Thanks
If you want the front-end (ie public IP) to serve up HTTPS you'll need the PFX certificate assigned to the listener of the appropriate back-end site.
For example:
XPfxCert should be assigned to the listener that directs traffic to the X.com app
YPfxCert should be assigned to the listener that directs traffic to the Y.com app
This will encrypt traffic between your customers and the WAF. You'll need to obtain one from a certificate authority (eg. comodoca.com) to ensure your end user does not get one of those errors like you'd see here if you used self-signed: https://self-signed.badssl.com/
In addition you'll need different certs for the back-end. This will encrypt traffic between the WAF and your apps (even though they're all in Azure you'll still need this). It gets assigned in the HTTPSettings. You may be able to get away with self-signed here; however, at our work we use CA provided certs for both.
Lastly, if the goal is to host both X.com and Y.com on the same VM you should be able to configure path based rules that would direct traffic appropriately. As an alternative you could have multiple NICs on your VM and configure multiple back-end pools to direct traffic to the appropriate site.
References:
https://vincentlauzon.com/2017/07/17/azure-application-gateway-anatomy/
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell
Assuming you have two different certificates for X.com and Y.com, then you should associate these certificates with the corresponding multi-site listeners which you would have created listening on port 443. The you should create two new rules which associate these listeners to corresponding backend pools using HTTP setting. Please remember to delete any other rules apart from the 4 rules (2 for HTTPS listener and 2 for HTTP listener).
At this point you should be able to send traffic to these listeners which would terminate SSL and run WAF rules. Since your backend is already configured to listen on port 80, it should work as is with existing HTTP Settings. The backend communication is over HTTP.
If you want to enable end to end SSL - ie rencrypt the traffic to backend then you should follow documentation on enabling end to end SSL on the above setup.
I have a Website running on Azure. I added a custom domain and an SSL to enable https access to it.
All is fine. Few days ago Azure had a network issue in a datacenter where my website is hosted( West Europe) and of course my site was affected during that time.
So i've decided now to put my site under traffic manager and deploy it in 2 regions.
Configuring Http acces with ATM works. But when i switch to Https( choosing https protocol in ATM config page) all endpoints get "Degraded" status.
so, my questions are: do i have to add certifcate to traffic manager in order to use https? How can i add https endpoints to ATM?
Traffic Manager supports health probes via both HTTP and HTTPS. Note that when using HTTPS health checks:
The server certificate is not validated (hence there's no need to
register the certificate with Traffic Manager)
Client certificates are not supported
SNI certificates are not supported
Please check the above. Please also check that your monitoring port is configured correctly in Traffic Manager (e.g. 443 instead of 80) and also your monitoring path points to a valid page for your service.
These pages may be helpful:
Traffic Manager endpoint monitoring
Troubleshooting 'Degraded' endpoint status
If you still can't get it to work, please raise a Support ticket. If you do solve the problem, please reply back to let us know what it was
Regards,
Jonathan Tuliani, Program Manager, Azure Traffic Manager