8
votes

As the title says, I need to set up SSL for an app hosted in Azure Container Instances; however, I'm not quite sure where I need to start.

I have a containerized app hosted via Azure Container Instances at the address http://myApp.northamerica.azurecontainer.io. This address is masked by the 'official' address at http://api.myApp.com.

Is there any reason why I can't just add SSL to the superficial domain @ http://api.myApp.com, that redirects to the real domain @ http://myApp.northamerica.azurecontainer.io? Or do I need to add SSL to both domains?

Furthermore, if I need to secure both domains with SSL, do I need to get separate certificates for each?

Azure provides SSL cert services but I just need to know the best route to take. Thanks.

2
Were you able to set up SSL to your Azure Container instance? Can you provide any resources? - Vishwasa Navada K
@VishwasNavadaK I ended up using Azure API Management, and adding a custom domain w/ preconfigured SSL on it. So all users of the app hit the custom domain @ Azure API Management, which then points to our backend API address. I contacted MS about this to see if there was another way of doing it, and they suggested setting up a VNET and doing it that way, but APIM was simpler. Hope this helps, let me know if you have more questions. - snejame
@VishwasNavadaK Another way of doing it is to use Azure App Services for hosted Web Containers (I believe that's the official name). You can go into the Azure Portal and set up a new hosted container inside the App Services section, just click "Create New" and deploy your container that way. It will give you an option to add a custom domain to your container directly. - snejame

2 Answers

8
votes

As far as I know, currently, there is still no built-in support for enabling SSL on Azure Container Instances; refer to this.

However, you could have multiple choices for enabling SSL connections for your ACI application.

If you deploy your container group in an Azure virtual network, you can consider other options to enable an SSL endpoint for a backend container instance, including:

The standard SSL certificate maps to a unique domain name, so you need separate certificates for each domain.

You can get started by setting up Nginx as an SSL provider in a sidecar container, and you need an SSL certificate for the domain api.myApp.com. If you want separate secure access with the domain myApp.northamerica.azurecontainer.io, you could configure an extra server block in the Nginx config file. Refer to configuring HTTPS server in Nginx.

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); enable only 1.2 and 1.3.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
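
A fuller sidecar configuration along the lines the answer above describes, as an added example that is not part of the original answer. It assumes the app container listens on 127.0.0.1:8080 inside the same container group (containers in a group share localhost) and that the certificate files are mounted under /etc/nginx/certs/; both the port and the paths are placeholders.

```nginx
# Added example. Assumed values: app on 127.0.0.1:8080, certificates
# mounted under /etc/nginx/certs/ (placeholder port and paths).
events {}

http {
    # TLS settings shared by every HTTPS server block below.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Plain HTTP: redirect to HTTPS on the same host name.
    server {
        listen      80;
        server_name api.myApp.com myApp.northamerica.azurecontainer.io;
        return      301 https://$host$request_uri;
    }

    # Custom domain, served with the certificate issued for api.myApp.com.
    server {
        listen              443 ssl;
        server_name         api.myApp.com;
        ssl_certificate     /etc/nginx/certs/api.myApp.com.crt;
        ssl_certificate_key /etc/nginx/certs/api.myApp.com.key;

        location / {
            proxy_pass       http://127.0.0.1:8080;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Optional extra block for the ACI host name, with its own certificate.
    server {
        listen              443 ssl;
        server_name         myApp.northamerica.azurecontainer.io;
        ssl_certificate     /etc/nginx/certs/aci-hostname.crt;
        ssl_certificate_key /etc/nginx/certs/aci-hostname.key;

        location / {
            proxy_pass       http://127.0.0.1:8080;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Expose only ports 80 and 443 on the container group so the app port stays reachable solely through the proxy.
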
10
votes

After going through the pain of researching around this, we finally figured out how to use the Caddy Docker image as a sidecar to add SSL to Container Instances. Caddy makes it easy to auto renew and verify the ownership to issue SSL.

We wrote a blog post to help others who have the same problem. Hope this helps.

https://www.antstack.io/blog/how-to-enable-tls-for-hasura-graphql-engine-in-azure-caddy/