Custom Domain and Certificates on AKS with App Gateway
I'm struggling to understand how all things need to be configured in the following scenario:
- custom domain registered by the client to be something like
api.<appname>.dev.client.com - managed service app certificate bought in Azure for the same domain (no wildcard, the client would like to avoid it)
- the front-end is hosted in a Azure Static Web App
- the back-end is hosted in AKS, served through an Application Gateway (the Ingress Controller being used in AKS is the traefik ingress controller)
So, I've applied another custom domain to the Static Web App (<appname>.dev.client.com), the certificate is not needed as it's created automatically by Azure. All good here.
Now I would like to understand how and what I need to configure for the Application Gateway and AKS to work properly with the new certificate and domain. At the moment I have:
- An HTTPS Listener in the App Gateway setup to use the host name:
<appname>-dev.uksouth.cloudapp.azure.com. I guess this needs to be changed toapi.<appname>.dev.client.com, correct? Also, it's this listener where I should apply the certificate stored in Key Vault (will use Terraform), right? - A Public IP address currently configured with a DNS label of:
<appname>-dev.uksouth.cloudapp.azure.com. I suppose I can keep this as it is, but put the CNAME record of<appname>-dev.uksouth.cloudapp.azure.comagainst my custom domain. - The backend pool in the App Gateway is currently setup with backend target a FQDN being:
aks-ingress.<appname>-dev.uksouth.cloudapp.azure.comwhich matches the private DNS zone that is linked to the AKS Ingress Controller IP address. Do I need to change this one? - The backend setting for HTTPS requires a Root certificate, can I just check "Backend server’s certificate is issued by a well-known CA" to "Yes" or do I need to upload the root certificate of my certificate? Or can I even use a self-signed certificate?
In all of this, which certificate am I supposed to pass to the AKS ingress controller? The custom one tied to my domain? How is it going to validate it against my domain?
You can use HTTPS listener api.<appname>.dev.client.com as the host name so that application gateway listens for incoming requests on the custom domain and forward them to the appropriate backend pool of your AKS cluster.
You can apply the certificate stored in Key Vault using terraform or via portal like below:
Yes, you need to configure a CNAME record for your custom domain
api.<appname>.dev.client.comto point to<appname>-dev.uksouth.cloudapp.azure.com.The backend FQDN should be the hostname on which the application is available, and it should be reachable by the App Gateway. This FQDN should match the private DNS zone linked to the AKS Ingress Controller IP address.
According to the type of certificate If your backend server's certificate is issued by a well-known Certificate Authority (CA), you can check the option Backend server’s certificate is issued by a well-known CA as Yes in the backend settings of the Application Gateway. Refer
You can also use a self-signed certificate You need to upload the root certificate of your certificate to the Application Gateway but the cert on App Gateway should be trusted.
Make sure that neither the hostname for the Custom Probe nor the hostname for the Backend configuration (in that order) matches the Common Name of the backend server's certificate when you select the HTTPS protocol in the backend configuration. Refer
while using Custom Probe you can use the host field to specify the Common Name of the backend server certificate.
In the probe settings, you can select Pick hostname from backend setting if the Backend Setting has been configured with the same hostname.
At last, you have to pass the Custom certificate associated with your domain to the AKS Ingress Controller. The AKS Ingress Controller will validate the certificate against the domain specified in the certificate
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday