I'm struggling to understand how all things need to be configured in the following scenario:
api.<appname>.dev.client.com
So, I've applied another custom domain to the Static Web App (<appname>.dev.client.com); the certificate is not needed as it's created automatically by Azure. All good here.

Now I would like to understand how and what I need to configure for the Application Gateway and AKS to work properly with the new certificate and domain. At the moment I have:

<appname>-dev.uksouth.cloudapp.azure.com. I guess this needs to be changed to api.<appname>.dev.client.com, correct? Also, it's this listener where I should apply the certificate stored in Key Vault (will use Terraform), right?

<appname>-dev.uksouth.cloudapp.azure.com. I suppose I can keep this as it is, but put the CNAME record of <appname>-dev.uksouth.cloudapp.azure.com against my custom domain.

aks-ingress.<appname>-dev.uksouth.cloudapp.azure.com, which matches the private DNS zone that is linked to the AKS Ingress Controller IP address. Do I need to change this one?

In all of this, which certificate am I supposed to pass to the AKS ingress controller? The custom one tied to my domain? How is it going to validate it against my domain?
You can use an HTTPS listener with api.<appname>.dev.client.com as the host name so that Application Gateway listens for incoming requests on the custom domain and forwards them to the appropriate backend pool of your AKS cluster.
You can apply the certificate stored in Key Vault using Terraform or via the portal like below:
Yes, you need to configure a CNAME record for your custom domain api.<appname>.dev.client.com to point to <appname>-dev.uksouth.cloudapp.azure.com.
The backend FQDN should be the hostname on which the application is available, and it should be reachable by the App Gateway. This FQDN should match the private DNS zone linked to the AKS Ingress Controller IP address.
Depending on the type of certificate: if your backend server's certificate is issued by a well-known Certificate Authority (CA), you can set the option "Backend server's certificate is issued by a well-known CA" to Yes in the backend settings of the Application Gateway. Refer
You can also use a self-signed certificate. You need to upload the root certificate of your certificate to the Application Gateway, but the cert on App Gateway should be trusted.
Make sure that neither the hostname for the Custom Probe nor the hostname for the Backend configuration (in that order) matches the Common Name of the backend server's certificate when you select the HTTPS protocol in the backend configuration. Refer
While using a Custom Probe, you can use the host field to specify the Common Name of the backend server certificate.
In the probe settings, you can select "Pick hostname from backend setting" if the Backend Setting has been configured with the same hostname.
Finally, you have to pass the custom certificate associated with your domain to the AKS Ingress Controller. The AKS Ingress Controller will validate the certificate against the domain specified in the certificate.
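As an added example (not code from the original question or answer), here is how the pieces described in this answer fit together in Terraform with the azurerm provider: an HTTPS listener on the custom host name backed by the Key Vault certificate, a backend pool and backend settings pointing at the ingress FQDN in the private DNS zone, a custom probe that picks its host name from the backend settings, and the CNAME record. Everything not named on the page is an assumption: the input variable values, the resource names, the subnet, public IP and identity IDs, the /healthz probe path, and that dev.client.com is hosted as an Azure DNS zone in the same resource group. The <appname> placeholder comes in through var.appname.

```hcl
# Added example for the Application Gateway v2 side of the setup (Terraform, azurerm provider).
# Variable values, resource names, the identity/subnet/PIP IDs and the /healthz path are assumptions.

variable "appname"             { type = string } # <appname>
variable "resource_group"      { type = string }
variable "agw_subnet_id"       { type = string }
variable "agw_public_ip_id"    { type = string } # PIP whose DNS label is <appname>-dev
variable "agw_identity_id"     { type = string } # user-assigned identity with Get on Key Vault secrets
variable "key_vault_secret_id" { type = string } # versionless secret URI of the certificate in Key Vault

locals {
  public_fqdn  = "api.${var.appname}.dev.client.com"                        # listener host name
  azure_fqdn   = "${var.appname}-dev.uksouth.cloudapp.azure.com"             # CNAME target
  backend_fqdn = "aks-ingress.${var.appname}-dev.uksouth.cloudapp.azure.com" # private DNS zone entry
}

resource "azurerm_application_gateway" "agw" {
  name                = "agw-${var.appname}-dev"
  resource_group_name = var.resource_group
  location            = "uksouth"
  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }
  # Identity the gateway uses to read the certificate secret from Key Vault.
  identity {
    type         = "UserAssigned"
    identity_ids = [var.agw_identity_id]
  }
  gateway_ip_configuration {
    name      = "agw-ipcfg"
    subnet_id = var.agw_subnet_id
  }
  frontend_port {
    name = "port-443"
    port = 443
  }
  frontend_ip_configuration {
    name                 = "agw-frontend"
    public_ip_address_id = var.agw_public_ip_id
  }
  # Certificate referenced from Key Vault; a versionless secret id lets the gateway follow renewals.
  ssl_certificate {
    name                = "api-custom-domain"
    key_vault_secret_id = var.key_vault_secret_id
  }
  # HTTPS listener bound to the custom host name, not the *.cloudapp.azure.com name.
  http_listener {
    name                           = "https-api"
    frontend_ip_configuration_name = "agw-frontend"
    frontend_port_name             = "port-443"
    protocol                       = "Https"
    host_name                      = local.public_fqdn
    ssl_certificate_name           = "api-custom-domain"
  }
  # Backend pool: the ingress controller's FQDN resolved through the linked private DNS zone.
  backend_address_pool {
    name  = "aks-ingress"
    fqdns = [local.backend_fqdn]
  }
  # HTTPS to the ingress with the Host header set to the backend FQDN; for a self-signed
  # ingress certificate add a trusted_root_certificate block and list it in trusted_root_certificate_names.
  backend_http_settings {
    name                  = "https-aks-ingress"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    host_name             = local.backend_fqdn
    probe_name            = "aks-ingress-probe"
  }
  # Custom probe that reuses the backend setting's host name ("Pick hostname from backend setting").
  probe {
    name                                      = "aks-ingress-probe"
    protocol                                  = "Https"
    path                                      = "/healthz" # assumed health endpoint
    interval                                  = 30
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
  }
  request_routing_rule {
    name                       = "api-to-aks"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "https-api"
    backend_address_pool_name  = "aks-ingress"
    backend_http_settings_name = "https-aks-ingress"
  }
}

# CNAME api.<appname>.dev.client.com -> <appname>-dev.uksouth.cloudapp.azure.com
resource "azurerm_dns_cname_record" "api" {
  name                = "api.${var.appname}" # assumes an Azure DNS zone named dev.client.com
  zone_name           = "dev.client.com"
  resource_group_name = var.resource_group
  ttl                 = 300
  record              = local.azure_fqdn
}
```

Two things to check after applying this: the Application Gateway identity must be able to read the certificate secret (otherwise the listener never comes up), and whichever certificate the ingress controller presents, the name the gateway sends in the Host header (local.backend_fqdn here, for both the probe and the backend handshake) is what it compares against that certificate's CN/SAN, so the two must agree or the backend is marked unhealthy.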