Azure Traffic Manager SSL Setup (not classic)

JTW · Jul 2, 2016 · Viewed 8.1k times

I have an Azure API App Service that I want to configure "priority" traffic management for (this is the new Traffic Manager, not classic). I have deployed the service to two separate Azure regions and configured a Traffic Manager instance to perform priority routing to the two service instances. The services have the following custom domain configurations:

foo1.mydomain.com

foo2.mydomain.com

I have A records for both subdomains pointing at the respective Azure App Service IP addresses.

I have also attached a wildcard cert to the services and everything works nicely if I navigate to https://foo1.mydomain.com or https://foo2.mydomain.com. Traffic manager endpoint monitoring shows both endpoints as being online and enabled.

Now, I want to have clients make requests to a vanity endpoint: foo.mydomain.com, which I have created a CNAME for. The CNAME is pointed at the traffic manager instance URL myapi.trafficmanager.net.

When I attempt to resolve the vanity URL using SSL/TLS, i.e., https://foo.mydomain.com, I get a certificate error, because traffic manager is attaching an *.azurewebsites.net certificate. If I attempt to resolve the vanity URL without SSL/TLS, i.e., http://foo.mydomain.com, I receive a 404 and "Web app not found" message. Again, resolving the individual endpoints explicitly returns a 200 as expected.

My question: How do I properly configure Azure Traffic Manager to do priority routing for two custom domain names using my SSL/TLS cert and a vanity URL?

Dig output for reference:

my-machine:~ jtw$ dig foo.mydomain.com

; <<>> DiG 9.8.3-P1 <<>> foo.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4088
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.mydomain.com.      IN  A

;; ANSWER SECTION:
foo.mydomain.com.   299 IN  CNAME   myapi.trafficmanager.net.
myapi.trafficmanager.net. 299 IN    CNAME   foo1.mydomain.com.
foo1.mydomain.com.  299 IN  A   192.168.1.1 //the actual IP of my first priority endpoint is returned here

;; Query time: 369 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul  3 11:13:59 2016
;; MSG SIZE  rcvd: 112

Answer

Jonathan Tuliani - MSFT · Jul 4, 2016

Please see https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-how-it-works

Since Traffic Manager works at the DNS level, the certificate you are seeing (*.azurewebsites.net) must be coming from the App Service, not from Traffic Manager. You need to configure your App Service to use the correct SSL certificate.

I recommend that you try to get everything working without Traffic Manager, with your vanity domain foo.mydomain.com set up as a CNAME to one of your endpoints (foo1.mydomain.com). Then switch the CNAME to point to the other endpoint (foo2.mydomain.com) and again make sure everything works. Since any issues at this point can't involve Traffic Manager, that makes them easier to debug.

Once you have that working, then re-introduce Traffic Manager into the CNAME chain.

Regards,

Jonathan Tuliani, Program Manager, Azure Networking - DNS and Traffic Manager
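
The check this answer describes can be scripted: connect to each endpoint directly, send the vanity name as the TLS server name (SNI), and see whether the certificate that comes back covers it. This is an added example, not code from the original post or from Microsoft; the function names are hypothetical, the hostnames are the placeholders from the question, and wildcard matching is simplified to "a `*` covers exactly one left-most label".

```python
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname ('*' = one left-most label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(hostname: str, cert: dict) -> bool:
    """True if any DNS subjectAltName in a getpeercert() dict covers hostname."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(s, hostname) for s in sans)


def fetch_cert(endpoint: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to one endpoint directly, send `sni` as the server name, return its cert."""
    # The chain is still validated; only the hostname check is deferred to cert_covers().
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((endpoint, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_endpoints(vanity: str, endpoints: list) -> dict:
    """Map each endpoint to True/False (cert covers the vanity name) or an error string."""
    results = {}
    for ep in endpoints:
        try:
            results[ep] = cert_covers(vanity, fetch_cert(ep, vanity))
        except (OSError, ssl.SSLError) as exc:
            results[ep] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Placeholder hostnames from the question; replace with real ones before running.
    for ep, ok in check_endpoints("foo.mydomain.com", ["foo1.mydomain.com", "foo2.mydomain.com"]).items():
        print(ep, ok)
```

An endpoint that reports `False` is answering the vanity name with a certificate that does not cover it, which is the symptom in the question and points at the App Service configuration rather than at Traffic Manager.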