1
votes

I created an Azure App Service, and it is accessible at http://foo.azurewebsites.net and https://foo.azurewebsites.net. I only use the HTTPS one, but haven't disabled the other (yet).

I then configured Traffic Manager and added this as the sole endpoint (for now).

I execute my API via http://foo.trafficmanager.net and it works. But if I try to query against https://foo.trafficmanager.net, I get an SSL error:

  • Via PowerShell: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
  • Via curl: curl: (51) SSL: no alternative certificate subject name matches target host name 'foo.trafficmanager.net'.

So, do I need a separate SSL certificate for use with Traffic Manager? I'm using the default one that came with foo.azurewebsites.net, and that works fine out of the box.

3
Check this out: stackoverflow.com/a/40399500/4148708. In essence, you need a custom domain and a cert to cover it. (evilSnobu)

3 Answers

2
votes

Well, you don't get a TLS certificate for Traffic Manager. You would have to have a cert for it in the Web Apps themselves, and that's not really up to you.

Web Apps provide you with a cert for the *.azurewebsites.net domain, but with Traffic Manager you need to use a custom domain name plus a TLS certificate for it, installed in each Web App behind Traffic Manager.

1
votes

You can now use a free App Service Managed Certificate to make your Traffic Manager endpoint secure.

Step 1 - Create an App Service Managed Certificate
1. From the TLS/SSL settings menu item of your App Service, click on the Private Key Certificates tab.
2. In the right blade, it will automatically detect the Traffic Manager endpoint. Select that and click on Create.

Step 2 - Add a TLS/SSL binding
Now that we have our certificate, let's add a binding so that it's put to use.
1. Click on Add TLS/SSL binding.
2. Select the Traffic Manager endpoint in the custom domain dropdown.
3. Select the newly created certificate in the thumbprint dropdown.
4. Select SNI SSL in the type dropdown.
5. Click on Add binding.

Step 3 - Ensure that the domain now picks up the SSL
In the Custom domains menu item of your App Service, you should see a secure SSL state for the Traffic Manager endpoint (it would have been a red cross previously) after you've completed the binding.

Note: Each certificate will be valid for six months, and about a month before the certificate's expiration date, App Service will renew the certificate. [1]

Additional credits: Found this approach in the comments of this Azure feedback post. No PowerShell script required - everything can be done via the Azure portal.
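Two checks cover both the curl error in the question (no subjectAltName entry covers foo.trafficmanager.net, because the default certificate is a *.azurewebsites.net wildcard) and the six-month validity of the managed certificate described in this answer: does any SAN dNSName actually match the hostname clients use, and how many days remain before expiry. The following is an added Python example, not code from the question, the answers or Azure. The SAN list is constructed to resemble the default App Service wildcard certificate, the 30-day renewal window is an assumption derived from the note above, and inspect_endpoint is a hypothetical helper that applies the same two checks to a live host after the binding has been added.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: SAN entries resembling the wildcard certificate App Service
# serves for *.azurewebsites.net (illustrative, not copied from a real certificate).
DEFAULT_APP_SERVICE_SAN = ["*.azurewebsites.net", "*.scm.azurewebsites.net"]

# Assumption: managed certificates last six months and are renewed about a month
# before expiry, so fewer than 30 days left is flagged as "renewal due".
RENEWAL_WINDOW_DAYS = 30


def hostname_matches_san(hostname, san_dns_names):
    """RFC 6125-style dNSName matching: the check behind curl's error (51)."""
    host = hostname.rstrip(".").lower()
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name.startswith("*."):
            suffix = name[1:]  # "*.azurewebsites.net" -> ".azurewebsites.net"
            # A wildcard covers exactly one label and must leave at least two
            # literal labels, so "*.net" never matches and "a.foo.<wild>" fails.
            if host.endswith(suffix) and suffix.count(".") >= 2:
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
        elif "*" not in name and host == name:
            return True
    return False


def days_until_expiry(not_after, now=None):
    """not_after is the ssl module's 'notAfter' string, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def evaluate_certificate(hostname, san_dns_names, not_after, now=None):
    """Combine the name check and the expiry check into one report."""
    days_left = days_until_expiry(not_after, now)
    return {
        "hostname": hostname,
        "san_ok": hostname_matches_san(hostname, san_dns_names),
        "days_left": days_left,
        "renewal_due": days_left < RENEWAL_WINDOW_DAYS,
    }


def inspect_endpoint(hostname, port=443, timeout=5.0):
    """Hypothetical helper: validate the chain, skip the library's name check so the
    handshake completes, then report the name and expiry checks ourselves."""
    context = ssl.create_default_context()
    context.check_hostname = False           # we report the name mismatch instead of aborting
    context.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return evaluate_certificate(hostname, san, cert["notAfter"])


if __name__ == "__main__":
    # Offline demonstration with the constructed SAN list: one hostname the default
    # certificate covers and one it does not (the situation in the question).
    sample_expiry = (datetime.now(timezone.utc) + timedelta(days=120)).strftime("%b %d %H:%M:%S %Y GMT")
    for host in ("foo.azurewebsites.net", "foo.trafficmanager.net"):
        print(evaluate_certificate(host, DEFAULT_APP_SERVICE_SAN, sample_expiry))
```

Running the block prints san_ok True for foo.azurewebsites.net and False for foo.trafficmanager.net, which is exactly why the HTTP request through Traffic Manager worked while the HTTPS one failed. After the binding from Steps 1 to 3 is in place, inspect_endpoint("foo.trafficmanager.net") should report san_ok True, and days_left is the value to watch if you want an alert in case the automatic renewal does not happen.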

0
votes

If you have a CDN between Traffic Manager and your app, you need some additional steps:

  1. Point Traffic Manager directly to your app (create a TM endpoint with a target of myappname.azurewebsites.net, temporarily bypassing the CDN). This will cause Traffic Manager to create a CNAME from its own URL to your site's URL, proving that you own the Traffic Manager subdomain and allowing Azure to validate it for your app in step 2.

  2. Add your mytfprofilename.trafficmanager.net URL as a custom domain for your app. Azure won't let you do this unless step 1 is complete.

[Image: Traffic Manager custom domain in Azure Web App site configuration]

  3. Add your custom domain to the CDN itself and create a cert. You can use your own cert or use an Azure-managed cert.

  4. Point Traffic Manager back to your CDN.