
I have an Azure API App Service that I want to configure "priority" traffic management for (this is the new Traffic Manager, not classic). I have deployed the service to two separate Azure regions and configured a Traffic Manager instance to perform priority routing to the two service instances. The services have the following custom domain configurations:

foo1.mydomain.com

foo2.mydomain.com

I have A records for both subdomains pointing at the respective Azure App Service IP addresses.

I have also attached a wildcard cert to the services and everything works nicely if I navigate to https://foo1.mydomain.com or https://foo2.mydomain.com. Traffic manager endpoint monitoring shows both endpoints as being online and enabled.

Now, I want to have clients make requests to a vanity endpoint: foo.mydomain.com, which I have created a CNAME for. The CNAME is pointed at the traffic manager instance URL myapi.trafficmanager.net.

When I attempt to resolve the vanity URL using SSL/TLS, i.e., https://foo.mydomain.com, I get a certificate error, because traffic manager is attaching an *.azurewebsites.net certificate. If I attempt to resolve the vanity URL without SSL/TLS, i.e., http://foo.mydomain.com, I receive a 404 and "Web app not found" message. Again, resolving the individual endpoints explicitly returns a 200 as expected.

My question: How do I properly configure Azure Traffic Manager to do priority routing for two custom domain names using my SSL/TLS cert and a vanity URL?

Dig output for reference:

my-machine:~ jtw$ dig foo.mydomain.com

; <<>> DiG 9.8.3-P1 <<>> foo.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4088
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.mydomain.com.      IN  A

;; ANSWER SECTION:
foo.mydomain.com.   299 IN  CNAME   myapi.trafficmanager.net.
myapi.trafficmanager.net. 299 IN    CNAME   foo1.mydomain.com.
foo1.mydomain.com.  299 IN  A   192.168.1.1 //the actual IP of my first priority endpoint is returned here

;; Query time: 369 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul  3 11:13:59 2016
;; MSG SIZE  rcvd: 112

4 Answers


Please see https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-how-it-works

Since Traffic Manager works at the DNS level, the certificate you are seeing (*.azurewebsites.net) must be coming from the App Service, not from Traffic Manager. You need to configure your App Service to use the correct SSL certificate.

I recommend that you try to get everything working without Traffic Manager, with your vanity domain foo.mydomain.com set up as a CNAME to one of your endpoints (foo1.mydomain.com). Then switch the CNAME to point to the other endpoint (foo2.mydomain.com) and again make sure everything works. Since any issues at this point can't involve Traffic Manager, that makes them easier to debug.

Once you have that working, then re-introduce Traffic Manager into the CNAME chain.

Regards,

Jonathan Tuliani, Program Manager, Azure Networking - DNS and Traffic Manager


The vanity domain name needs to be assigned to each endpoint app service and the certificate needs to be bound to the individual endpoints i.e., foo1 and foo2 as well as the vanity endpoint. You need to bind the certificate to the vanity domain in all app services that are going to be used as endpoints.

The DNS configuration needs to be as follows:

An A record for each app service endpoint domain, pointing to the IP address assigned by Azure for the app service.

A CNAME pointing from the vanity domain to the *.trafficmanager.net domain.


I came across this same issue and was able to finally resolve the problem after applying the following Azure and DNS configurations. The piece I was missing was registering foo.mydomain.com on each of the endpoints. The unique domain must be bound before the api domain otherwise the api domain governs.

Traffic Manager Endpoints
foo1.mydomain.com
foo2.mydomain.com

Endpoint 1 App Service SSL Bindings:
foo1.mydomain.com (Must Be Added First)
foo.mydomain.com

Endpoint 2 App Service SSL Bindings:
foo2.mydomain.com (Must Be Added First)
foo.mydomain.com

mydomain.com DNS Records
CNAME Host: foo, Value: myapi.trafficmanager.net
CNAME Host: foo1, Value: endpoint1.azurewebsites.net
CNAME Host: foo2, Value: endpoint2.azurewebsites.net
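An offline model of what this answer and the first answer describe: follow the CNAME chain the way the dig output shows, then verify that the vanity hostname is bound on every Traffic Manager endpoint and that the wildcard certificate covers it. This is an added example, not code from any of the posters or from Azure; the records, the foo2 address (192.168.1.2) and the binding sets are constructed to mirror the question.

```python
# Added example: offline check of the DNS chain plus per-endpoint hostname and
# certificate bindings. All records, bindings and SAN lists here are constructed.

def resolve(name, records, max_hops=8):
    """Follow CNAMEs like a resolver does (cf. the dig output) until an A record."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = records[name]
        if rtype == "A":
            return chain, value
        name = value  # CNAME: keep walking the chain
        if name in chain:
            raise ValueError(f"CNAME loop at {name}")
        chain.append(name)
    raise ValueError("too many CNAME hops")

def cert_covers(san_names, host):
    """RFC 6125 wildcard rule: '*' matches exactly one leftmost label."""
    h = host.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == h:
            return True
        if san.startswith("*.") and "." in h and h.split(".", 1)[1] == san[2:]:
            return True
    return False

def check_vanity(vanity, records, tm_endpoints, bindings, san_names):
    """Return the misconfigurations that produce the cert error / 404 in the question.
    bindings: endpoint hostname -> set of custom hostnames bound on that App Service."""
    problems = []
    chain, _ip = resolve(vanity, records)
    if not any(ep in chain for ep in tm_endpoints):
        problems.append(f"{vanity} does not resolve through a Traffic Manager endpoint")
    for ep in tm_endpoints:
        if vanity not in bindings.get(ep, set()):
            problems.append(f"{vanity} is not bound on {ep} (Host header would 404)")
        for host in (ep, vanity):
            if not cert_covers(san_names, host):
                problems.append(f"certificate does not cover {host} on {ep}")
    return problems

# Constructed records mirroring the dig output; 192.168.1.2 is a made-up foo2 address
RECORDS = {
    "foo.mydomain.com": ("CNAME", "myapi.trafficmanager.net"),
    "myapi.trafficmanager.net": ("CNAME", "foo1.mydomain.com"),
    "foo1.mydomain.com": ("A", "192.168.1.1"),
    "foo2.mydomain.com": ("A", "192.168.1.2"),
}
ENDPOINTS = ["foo1.mydomain.com", "foo2.mydomain.com"]
SANS = ["*.mydomain.com"]  # the wildcard cert from the question
BROKEN = {ep: {ep} for ep in ENDPOINTS}                     # vanity host not bound
FIXED = {ep: {ep, "foo.mydomain.com"} for ep in ENDPOINTS}  # layout from this answer
```

Running check_vanity with BROKEN reports a missing binding on each endpoint, which is the state the question describes; with FIXED it reports nothing.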

Traffic Manager isn't attaching anything since it's not a web server, it's just a smarter-than-your-average-bear name server.

Re-define your traffic manager endpoints as:

foo.domain.com
bar.domain.com

Instead of .azurewebsites.net domains.