Azure Application Gateway - Multiple SSL Certificates? - azure

Is it possible to set multiple Domains to point to an Azure Application Gateway Public IP and then upload SSL Certificates for each one that can then Offload on the Application Gateway?
For example if we'd like to have 200 LetsEncrypt certificates uploaded and terminating at the gateway, then forwarding traffic onto the internal VM IPs

Is it possible to set multiple Domains to point to an Azure
Application Gateway Public IP and then upload SSL Certificates for
each one that can then Offload on the Application Gateway?
Yes, it is possible to set multiple domains to point to an Azure Application Gateway Public IP.
It is also possible to upload SSL certificates for each one so that Application Gateway offloads it.
However, there are limits. Please read below.
According to https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#application-gateway-limits you can upload a maximum of 20 certificates to a single Application Gateway resource, and only one certificate per HTTP listener.
You can however generate SAN certificate through LetsEncrypt and have a single certificate for multiple domains:
Can I get a certificate for multiple domain names (SAN certificates or
UCC certificates)?
Yes, the same certificate can contain several different names using
the Subject Alternative Name (SAN) mechanism.
https://letsencrypt.org/docs/faq/
I do not have experience yet with LetsEncrypt and do not know how to generate SAN certificate through LetsEncrypt.
We have SAN certificate (paid) through another company for multiple domains working in Application Gateway.

Related

Azure Application gateway health check certificate mismatch

I am trying to move our API Management instance behind the application gateway. I created a private dnszone on which the API management ETC is listening. I created Self Signed certificates for this private DNS zone0.
Uploaded the root certificate to the certificates tabs under security, as well as under the HTTP(s) settings tab of the application gateway. however my custom healt probe and health check keep mentioning that the CN Name does not match that one of the backend.
I have to mention that hostname of the listener is a different hostname (our public domain name) than the hostname i used on the private DNS Zone. Is this a problem?
You have to add the same custom domain used by application gateway to the api management service.
Api management is multi site service so it does not respond to the custom host names that are not defined under its custom domains because simply it does not know to which component/site it has to route the incoming request, also the the same extracted .CER certificate of the pfx certificate uploaded to api management should be added to the backend http settings for whitelisting purposes if you chose end to end ssl encryption, if you add a different certificate you will get a certificate mismatch error.

Can I get SSL certificate for website running in Azure VM at westeurope.cloudapp.azure.com subdomain

I have created Windows Server VM in Azure and deployed my site to IIS, which is now accessible at https://mysite.westeurope.cloudapp.azure.com/
however I get certificate error when I try to visit it from outside the vm.
how do I configure the VM to have proper https without certificate errors (just like app service - mysite.azurewebsites.net)?
As the comments from micker #micker, you can't get an SSL certificate for this subdomain westeurope.cloudapp.azure.com which is owned by Microsoft.
Since you host your websites on Azure VM, you could purchase a domain then get an SSL certificate for your own domain, then bind the SSL certificate to your custom domain in IIS on the Azure VM. You can either purchase that certificate through Azure or an external provider or get a free SSL cert from Let's Encrypt.
However, if you just want to have a test in your test environment, you can use a self-signed certification with this DNS name like vma.centralus.cloudapp.azure.com. You can follow steps in How To Create A SHA-256 Self-Signed Certificate on the Azure VM then export this cert .cer format file on the Azure VM and import the .cer cert under the mmc---certificate---local machine---Trusted root certification Authorities on the machine where you want to access the websites. Please note this It's not recommended to use self-signed cert in your production environment.
I had same issue, and I found resolution without custom domain using following additional azure settings.
create Azure WAF, add custom rules to deny if not in IP list - this is if you need ip whitelisting, useful if your main domain uses akamai or other edge routing to point to external hosting of subdomains, you can use whitelist to restrict access to the akamai or other servers, though this takes some big lists you must paste of ranges one row at a time. Set any other web app firewall rules you want enforced for allow/deny.
Create Azure Front Door named like you want as an endpoint url e.g. myappfrontdoor will make myappfrontdoor.azurefd.net. in backend pool specify the your public-ip shared dns name (see step 3) like myapptest..cloudapp.azure.com.
This is the important step : in Settings at top of front door designer, disable cert validation. in routing rules config, no condition, forward to backend pool setup in prior step. This ignores the fact that you cannot cert your cloudapp.azure.com endpoint, and wraps it with a *.azurefd.net certificate.
In your azure firewall, Edit NAT rules, set rule name myapp-web-fd-... , tcp, ip address, 147.243.0.0/16 (this is Azure's front door backend ip range). destination should be the firewall's own public ip. destination port 443, translated address should be the target vm's azure internal ip, target port - service port.
Now you will have a site like myappfrontdoor.azurefd.net.
Note that Azure Front Door and WAF have their own pricing costs, so maybe it is cheaper for you to buy a domain. Hopefully you are also using Azure Firewall, though expensive. If not, one could point to public ip directly on NSG or on vm itself but I wouldn't skip having a firewall for a public server. There is a standing Azure enhancement request to get Azure Front Door to recognize certificates, but it was triaged 2 years ago and still not added, so not sure if it will be worked. If it ever does get worked, devs could make own cert auth and self-signed cert with expirations to more securely hook front door to azure internal vm. For now, have to rely on the front door backend setting, waf, and azure firewall to have these things routed.
There are some options in Akamai and other edge routing systems to import cert and self-created authority sort of, but I've not tried that yet, so cannot confirm this would cleanly wrap your azure site without cert errors. You can make a self-signed authority using openssl commands as noted in other posts out and about on the web.
The simplest and cheapest option is to purchase a domain and use a cname dns record to map your new domain to your Azure subdomain address - an "A" record is not required. Also per answer above, a WAF is expensive and possibly unnecessary for a test set up (but a requirement for a production website). You can use Certbot and NGINX to create a free Lets Encrypt certificate for your domain and assign it to your website.
Adding a Public IP Address, Load Balancer, and Network Security Group to your Azure Resource Group may also be required to provide access to your website. This is largely how my test configuration is set up except I'm using a Linux VM, have a single wildcard certificate, and use NGINX to reverse proxy 3 websites.

How to get "HTTPS" / SSL Working - Azure WAF (application gateway) with 2 Websites on Linux

I am having trouble with getting SSL/HTTPS working on a Azure WAF (ApplicationGateway) (http / port:80 is working fine)
I will explain the scenario as basic as possible:
The developer has made two websites (for this example: let’s say X.com and Y.com) both on a Linux Front End server in AZURE which sit behind a NSG as well as a Azure Application Gateway WAF
The developer points DNS records of X.com and Y.com to the WAF's single IP (appGatewayFrontendIP)
Users can browse through to both websites http / port:80 with no problem.
The trouble now lies with how to get SSL working, so far:
The developer has applied SSL certificates to both websites on the Linux Web Server in Azure
How does one get SSL working on the WAF?
I have been looking through MS Docs all day but not really sure how to get this to work (https://learn.microsoft.com/en-us/azure/application-gateway/create-ssl-portal)
I see we need to put a PFX certificate inside - I am assuming a selfsigned one is NOT the way to go. However I am non the wiser as to what I do in this scenario -
How do I get a PFX certificate and how does this work when you have 2 websites on a single Front End Linux Server -
Do I need to take off the SSL Certs on the Front End Linux server and instead of .cert get a .PFX cert and upload via Azure Portal?
Any help truly welcome! :)
Thanks
If you want the front-end (ie public IP) to serve up HTTPS you'll need the PFX certificate assigned to the listener of the appropriate back-end site.
For example:
XPfxCert should be assigned to the listener that directs traffic to the X.com app
YPfxCert should be assigned to the listener that directs traffic to the Y.com app
This will encrypt traffic between your customers and the WAF. You'll need to obtain one from a certificate authority (eg. comodoca.com) to ensure your end user does not get one of those errors like you'd see here if you used self-signed: https://self-signed.badssl.com/
In addition you'll need different certs for the back-end. This will encrypt traffic between the WAF and your apps (even though they're all in Azure you'll still need this). It gets assigned in the HTTPSettings. You may be able to get away with self-signed here; however, at our work we use CA provided certs for both.
Lastly, if the goal is to host both X.com and Y.com on the same VM you should be able to configure path based rules that would direct traffic appropriately. As an alternative you could have multiple NICs on your VM and configure multiple back-end pools to direct traffic to the appropriate site.
References:
https://vincentlauzon.com/2017/07/17/azure-application-gateway-anatomy/
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell
Assuming you have two different certificates for X.com and Y.com, then you should associate these certificates with the corresponding multi-site listeners which you would have created listening on port 443. The you should create two new rules which associate these listeners to corresponding backend pools using HTTP setting. Please remember to delete any other rules apart from the 4 rules (2 for HTTPS listener and 2 for HTTP listener).
At this point you should be able to send traffic to these listeners which would terminate SSL and run WAF rules. Since your backend is already configured to listen on port 80, it should work as is with existing HTTP Settings. The backend communication is over HTTP.
If you want to enable end to end SSL - ie rencrypt the traffic to backend then you should follow documentation on enabling end to end SSL on the above setup.

Is it possible to associate a single wildcard SSL certificate with multiple separate App Service instances?

We have a number of discrete App Service Plan instances (separated to simplify tenant billing), each hosting a number of Web App instances. Each App is on a subdomain of the same parent:
AppService-1:
subone.mydomain.com
subtwo.mydomain.com
AppService-2:
subthree.mydomain.com
&c...
Can we purchase a single wildcard SSL certificate (from Azure, or elsewhere) for *.mydomain.com and apply it to all three subdomains in the example above, or do we need a separate certificate for each App Service Plan?
YES. You have a valid scenario where you can use a single wild card domain for multiple sub-domains. I am attaching a screenshot of my setup below. If you see I have mapped the same certificate for multiple domains.
This will also work with another App Service Plan. These are the things to note though:
If the second app service plan is in the same resource group, then you need not Import/Upload the certificate.
If the second app service plan is in a different resource group, then you will have to again Import/Upload the certificate.
Certificates are specific to Resource Group and are visible to all the web apps in that resource group.
Also I have my certificate issued for both root domain and Wildcard. This way I can cover more scenarios.
NOTE: Even though there are multiple IP-Based SSL bindings in the screenshot below, there is only IP assigned to the webapp. As there is
only certificate which meets all the requirements, the bindings are simple
re-using the existing resource (IP).
Yes, it is possible to associate a single wildcard SSL certificate with multiple separate App Service.
You do not need to purchase an individual SSL Certificates.
Get a Wildcard SSL Certificate for *.domain.com.
It will allow you to secure anything.domain.com, means security for the unlimited number of sub-domains.
But make sure the Certificate Authority from where you have purchased the Wildcard SSL should offering unlimited server license.
Certificate Authorities like Comodo, RapidSSL, Thawte, and GeoTrust are offering unlimited server license along with their Wildcard SSL.
Yes, you can do that. What you would do is create a certificate resource and assign that resource to the Web Apps. You might need a separate certificate resource for each app service plan.
Yes, you can use same wildcard SSL certificate for your web app services, but make sure that all AppServices are hosted under the same domain. Major certificates authorities are offering unlimited server licenses with their wildcard certificate, you have to configure your certificate on your multiple servers.
AppService-1:
sub1.mydomain.com
sub2.mydomain.com
AppService-2:
sub3.mydomain.com
sub4.mydomain.com
AppService-3:
sub5.mydomain.com
sub9999.mydomain.com
AlphaSSL, Comodo, RapidSSL offers domain validated low-cost wildcard certificate where Thawte, GlobalSign, and GeoTrust offers organization validated certificate at the higher prices.

Bluemix scalable container group custom domain SSL certificate

Ok, I have finally managed to get my node.js container up and running using a scalable container group and a custom domain.
The problem that now remains is: How do you get the self-signed certificate to be used by Bluemix when accessing the app through https://my-app.mydomain.com?
Https works, but it shows the wildcard *.mybluemix.net certificate instead of the one I added to the domain that I added to my organisation. Visiting https://my-app.mybluemix.net is ok since then the wildcard mybluemix.net certificate is valid.
Yes, I have seen this one as well as read the SSL part of the Bluemix docs.
developerWorks: SSL Certificates and Bluemix Custom Domains
Your DNS should use an A record pointing to 75.126.81.68. This IP address is used by Bluemix for SSL traffic in the US-South region.
If you are using an A record with 75.126.81.66 or use a CNAME record pointing to your app's route (e.g. my-app.mybluemix.net), then you will see the *.mybluemix.net certificate instead of your custom certificate that you uploaded to Bluemix and associated to your custom domain.

Resources