azure
Is it possible to set multiple Domains to point to an Azure Application Gateway Public IP and then upload SSL Certificates for each one that can then Offload on the Application Gateway?
For example if we'd like to have 200 LetsEncrypt certificates uploaded and terminating at the gateway, then forwarding traffic onto the internal VM IPs
Baris is right! The SSL certificate configured on an IP:PORT binding (example: 100.74.156.187:443) always takes precedence in http.sys! So the solution is as follows:
Do not configure an IP:443 binding for your wildcard-fallback-certificate but configure a *:443 binding (* means "All Unassigned") for it.
If you have configured your wildcard certificate on the Azure Cloud Service SSL endpoint (as i have) you have to change the SSL binding created by the Azure Cloud Service Runtime (IISconfigurator.exe) from IP:PORT to *:PORT. I am calling the following method in OnStart of my web role:
public static void UnbindDefaultSslBindingFromIp()
{
Trace.TraceInformation(">> IISTenantManager: Unbind default SSL binding from IP");
using (var serverManager = new Microsoft.Web.Administration.ServerManager())
{
try
{
var websiteName = string.Format("{0}_Web", Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment.CurrentRoleInstance.Id);
var site = serverManager.Sites[websiteName];
var defaultSslBinding = site.Bindings.Single(b => b.IsIPPortHostBinding && b.Protocol == "https");
defaultSslBinding.BindingInformation = string.Format("*:{0}:", defaultSslBinding.EndPoint.Port);
serverManager.CommitChanges();
}
catch (Exception ex)
{
Trace.TraceError(ex.ToString());
}
}
}
The following screenshot shows a working configuration of our cloud service. Please don't be confused about the non-standard ports. The screenshot is from the emulated cloud service.
One further thing to mention: Do not change all bindings to * because the HTTP (port 80) binding only works with IP:PORT binding in the deployed cloud service. Something else is bind to IP:80 so *:80 does not work because * stands for "all unassigned" and the IP is already assigned somewhere else in http.sys.
Azure supports UCC/SAN SSL certificate. But as per your image, you have tried to purchase this type ssl certificate through Azure 'App Service Certificate' that's why you were unable to find UCC/SAN certificate option from it. So purchase it from trusted SSL provider.
If your all 15 domains are first level sub domains of the main domain then you can also secure them with wildcard ssl certificate. But if they are multi domains like abc.com, app.abc.net, login.xyz.biz, signup.abc.org then SAN SSL is the best option to go for.
As per your requirements:
If you got decent amount of revenue from older browsers Windows XP/IE then don't go for SNI. But SNI doesn't fully ignore IE web browser but some of its versions. Read more on SNI supports which browser and server.
As per your questions:
Best Answer
Application Gateway supports multi-site listeners, which can listen on a certain domain name and you can upload your certificates to each one of them. But the limit on the number of listeners is 100 as of now.
All the domain names that you have, can be CNAMEd to Application Gateway's FQDN and based on the hostname, you can create rules to specific backends.
See here for more info: https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-multiple-sites-powershell