3
votes

I'm trying to implement SSL offload in Azure Application Gateway as described in the documentation: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-portal

It requires uploading an existing SSL certificate in PFX format.

How can I generate it?

I assume it should be specific to the DNS name of the Application Gateway. I can see it has an automatically generated DNS name in the associated appGatewayFrontendIP (Frontend IP configurations > Public > Public IP address), but I can't specify the DNS name I want.

Am I supposed to create a CNAME in my DNS domain for the Application Gateway and generate a certificate for this CNAME?

1
Think of it as being your webserver. What SSL certificate would you upload to your webserver? The one that matches your domain (example.com or example.local). – evilSnobu

1 Answer

4
votes

Ivan, Application Gateway forwards the host header in the incoming client request to the backend servers. So in your case, if you have a certificate for mydomain.com, you would upload the PFX for that certificate for Application Gateway to do the decrypt/re-encrypt, and yes, you would need a CNAME record for mydomain.com pointing to .cloudapp.net, which is your dynamically created DNS name for your public IP address. In that case the correct host header would be sent to your backend servers.
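
Added example, not part of the original answer or of Microsoft's documentation: packaging a key and certificate for the custom host name into a PFX with the OpenSSL CLI, then checking that the bundle holds the private key and that the certificate covers the CNAME host rather than the gateway's generated name. Assumptions: OpenSSL 1.1.1 or later is installed, a self-signed certificate stands in for the CA-issued one, and the password and `gw-placeholder.cloudapp.net` are constructed values.

```shell
#!/bin/sh
# Added example: build a PFX for a custom host name and inspect it.
set -eu

# make_pfx HOST OUTDIR PASSWORD -> writes OUTDIR/HOST.pfx
make_pfx() {
  host=$1; dir=$2; pass=$3
  mkdir -p "$dir"
  # Self-signed stand-in for a CA-issued certificate (assumption: test use only).
  # The SAN must carry the name clients will type, i.e. the CNAME host.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  # Bundle private key + certificate into PKCS#12 (.pfx) under a password.
  openssl pkcs12 -export -inkey "$dir/$host.key" -in "$dir/$host.crt" \
    -name "$host" -passout "pass:$pass" -out "$dir/$host.pfx"
  # Both files contain the private key: keep them owner-readable only.
  chmod 600 "$dir/$host.key" "$dir/$host.pfx"
}

# pfx_has_key PFX PASSWORD -> exit 0 if the bundle contains a private key
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# pfx_covers_host PFX PASSWORD HOST -> exit 0 if the leaf certificate matches HOST
pfx_covers_host() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkhost "$3" 2>/dev/null \
    | grep -q "does match"
}

# Demo with constructed values.
demo_dir=$(mktemp -d)
demo_pass='Constructed-Pass-1'
make_pfx mydomain.com "$demo_dir" "$demo_pass"
pfx_has_key "$demo_dir/mydomain.com.pfx" "$demo_pass" && echo "private key present"
pfx_covers_host "$demo_dir/mydomain.com.pfx" "$demo_pass" mydomain.com \
  && echo "certificate covers mydomain.com"
# The gateway's generated name is not in the certificate, hence the CNAME.
pfx_covers_host "$demo_dir/mydomain.com.pfx" "$demo_pass" gw-placeholder.cloudapp.net \
  || echo "certificate does not cover gw-placeholder.cloudapp.net"
rm -rf "$demo_dir"
```

With a CA-issued certificate, skip the `openssl req` step and pass the issued certificate and its key to the `pkcs12 -export` step.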