3

I'm trying to implement SSL offload in Azure Application Gateway as described in the documentation: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-portal

It requires uploading an existing SSL certificate in PFX format.

How can I generate it?

I assume it should be specific to the DNS name of the Application Gateway. I can see it has an automatically generated DNS name in the associated appGatewayFrontendIP (Frontend IP configurations > Public > Public IP address), but I can't specify the DNS name I want.

Am I supposed to create a CNAME in my DNS domain for the Application Gateway and generate a certificate for this CNAME?

Ivan
  • Think of it as being your webserver. What SSL certificate would you upload to your webserver? The one that matches your domain (example.com or example.local). – evilSnobu Jan 06 '17 at 18:46

1 Answer

4

Ivan, Application Gateway forwards the host header in the incoming client request to the backend servers. So in your case, if you have a certificate for mydomain.com, you would upload the pfx for that certificate for Application Gateway to do the decrypt/re-encrypt, and yes, you would need a CNAME record for mydomain.com pointing to .cloudapp.net, which is your dynamically created DNS name for your public IP address. In that case the correct host header would be sent to your backend servers.

  • Thanks for confirming this... will test it and let you know. Would be cool if someone had a template.json example with all these entities together :) – Ivan Feb 02 '17 at 22:18
  • 2
    I write the documentation for Application Gateway on https://learn.microsoft.com. I am working on updating the templates we reference in the documentation to a more robust template; I hope to get that done in the near future. – George Wallace Feb 03 '17 at 17:20
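
For the "How can I generate it?" part of the question, an added example (not from the posts above or from Microsoft's documentation): it builds a PFX for the custom domain with OpenSSL and then checks that the certificate inside the PFX covers the host name clients will use. Assumptions: OpenSSL 1.1.1 or later, `mydomain.com` stands in for your own domain, the function names are hypothetical, and the certificate is self-signed for testing (for production, have a CA issue the certificate and run only the packaging and checking steps).

```bash
#!/usr/bin/env bash
# Added example, not from the original thread.
# Assumes OpenSSL 1.1.1+ (for -addext); function names are hypothetical.

# make_pfx HOST OUTDIR PASSWORD
# Writes OUTDIR/HOST.key, OUTDIR/HOST.crt and OUTDIR/HOST.pfx.
make_pfx() {
  local host="$1" dir="$2" pass="$3"
  mkdir -p "$dir" || return 1
  # Private key plus a self-signed certificate (testing only).
  # The host name goes into the SAN, which is what TLS clients match against.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${host}" -addext "subjectAltName=DNS:${host}" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null || return 1
  chmod 600 "$dir/$host.key"
  # Bundle key and certificate into a password-protected PKCS#12 (PFX) file.
  # The password is passed via the environment (env:) rather than pass:,
  # so it does not show up in the process list.
  PFX_PASS="$pass" openssl pkcs12 -export \
    -inkey "$dir/$host.key" -in "$dir/$host.crt" -name "$host" \
    -passout env:PFX_PASS -out "$dir/$host.pfx" || return 1
}

# pfx_covers_host PFX PASSWORD HOST
# Returns 0 only if the leaf certificate in the PFX is valid for HOST.
pfx_covers_host() {
  local pfx="$1" pass="$2" host="$3"
  PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
      -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkhost "$host" 2>/dev/null \
    | grep -q "does match"
}
```

Run `pfx_covers_host` against the name in your CNAME record before uploading; a certificate issued for the custom domain will not match the gateway's auto-generated cloudapp.net name, which is why the CNAME is needed.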