Enabling HTTPS on an Azure Front Door custom domain via ARM template deployment

h7appiyu  posted on 2023-01-14  in  Other

I am deploying Azure Front Door through an ARM template and trying to enable HTTPS on a custom domain.
According to the Azure documentation for Front Door, there is a quick start template that "adds a custom domain to your Front Door and enables HTTPS traffic with a Front Door managed certificate generated via DigiCert." However, while this adds a custom domain, it does not enable HTTPS.
Looking at the ARM template reference for Front Door, I cannot see any obvious way to enable HTTPS, but maybe I am missing something?
Apart from the additional information below, I would like to be able to enable HTTPS on a Front Door custom domain through an ARM template deployment. Is this currently possible?

Additional information

Note that there is a REST operation to enable HTTPS, but it does not appear to work for Front Door managed certificates:

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/frontDoors/{frontDoorName}/frontendEndpoints/{frontendEndpointName}/enableHttps?api-version=2019-05-01
{
    "certificateSource": "FrontDoor",
    "protocolType": "ServerNameIndication",
    "minimumTLSVersion": "1.2"
}

There is also an Az PowerShell cmdlet to enable HTTPS, which does work.

Enable-AzFrontDoorCustomDomainHttps -ResourceGroupName "lmk-bvt-accounts-front-door" -FrontDoorName "my-front-door" -FrontendEndpointName "my-front-door-rg"

hsvhsicv1#

**Update:** This implementation currently seems unstable and only works intermittently, which suggests it may not yet be ready for production.

After tracking down the latest Front Door API (2020-01-01) spec (which does not seem to be fully published on the MS reference site yet), this appears to be possible in ARM templates:
https://github.com/Azure/azure-rest-api-specs/tree/master/specification/frontdoor/resource-manager/Microsoft.Network/stable/2020-01-01
There is a new customHttpsConfiguration property on the frontendEndpoint properties object:

"customHttpsConfiguration": {
  "certificateSource": "AzureKeyVault", // or "FrontDoor"
  "minimumTlsVersion": "1.2",
  "protocolType": "ServerNameIndication",

  // Depending on "certificateSource" you supply either:
  "keyVaultCertificateSourceParameters": {
    "secretName": "<secret name>",
    "secretVersion": "<secret version>",
    "vault": {
      "id": "<keyVault ResourceID>"
    }
  }

  // Or:
  "frontDoorCertificateSourceParameters": {
    "certificateType": "Dedicated"
  }
}

Example with a Key Vault managed SSL certificate

Note: I have tested this and it appears to work.

{
      "type": "Microsoft.Network/frontdoors",
      "apiVersion": "2020-01-01",
      "properties": {
        "frontendEndpoints": [
         {
            "name": "[variables('frontendEndpointName')]",
            "properties": {
              "hostName": "[variables('customDomain')]",
              "sessionAffinityEnabledState": "Enabled",
              "sessionAffinityTtlSeconds": 0,
              "webApplicationFirewallPolicyLink": {
                "id": "[variables('wafPolicyResourceId')]"
              },
              "resourceState": "Enabled",
              "customHttpsConfiguration": {
                "certificateSource": "AzureKeyVault",        
                "minimumTlsVersion":"1.2",
                "protocolType": "ServerNameIndication",
                "keyVaultCertificateSourceParameters": {
                  "secretName": "[parameters('certKeyVaultSecret')]",
                  "secretVersion": "[parameters('certKeyVaultSecretVersion')]",
                  "vault": {
                    "id": "[resourceId(parameters('certKeyVaultResourceGroupName'),'Microsoft.KeyVault/vaults',parameters('certKeyVaultName'))]"
                  }
                }
              }
            }
          }
        ],
        ...
      }
    }

Example with a Front Door managed SSL certificate

For Front Door managed certificates, it seems you need to set the following.
Note: I have not tested this.

{
      "type": "Microsoft.Network/frontdoors",
      "apiVersion": "2020-01-01",
      "properties": {
        "frontendEndpoints": [
         {
            "name": "[variables('frontendEndpointName')]",
            "properties": {
              "hostName": "[variables('customDomain')]",
              "sessionAffinityEnabledState": "Enabled",
              "sessionAffinityTtlSeconds": 0,
              "webApplicationFirewallPolicyLink": {
                "id": "[variables('wafPolicyResourceId')]"
              },
              "resourceState": "Enabled",
              "customHttpsConfiguration": {
                "certificateSource": "FrontDoor",        
                "minimumTlsVersion":"1.2",
                "protocolType": "ServerNameIndication",
                "frontDoorCertificateSourceParameters": {
                  "certificateType": "Dedicated"
                }
              }
            }
          }
        ],
        ...
      }
    }

bq9c1y662#

I was able to make the enableHttps REST call successfully using the Azure Management API.
I got a successful response and can see the resulting resource on the portal.azure.com and resource.azure.com sites. However, I am fairly certain that the Management API and PowerShell approaches are the only ones currently supported. Since the certificate and its processing may require some validation, they have not included it in ARM templates yet. Given that the validation can be quite significant, it is probably better to confirm in the UI that the configuration works before automating it (IMHO).


ilmyapht3#

According to this discussion, this appears to be possible only through the REST API (see, for example, this answer), not through ARM.


xzabzqsa4#

I managed to get this working with an ARM template. The link below shows how to do it using Azure Front Door as the certificate source: https://github.com/Azure/azure-quickstart-templates/blob/master/101-front-door-custom-domain/azuredeploy.json
I took inspiration from that to deploy an Azure Key Vault certificate for the custom domain. Here are the relevant elements of the ARM template I am using:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "hubName": {
            "type": "string",
            "metadata": {
                "description": "Name to assign to the hub. This name will prefix all resources contained in the hub."
            }
        },
        "frontdoorName": {
            "type": "string",
            "metadata": {
                "description": "Name to assign to the Frontdoor instance"
            }
        },
        "frontdoorCustomDomain": {
            "type": "string",
            "metadata": {
                "description": "The custom domain name to be applied to the provisioned Azure Frontdoor instance"
            }
        },
        "keyVaultCertificateName": {
            "type": "string",
            "metadata": {
                "description": "Name of the TLS certificate in the Azure KeyVault to be deployed to Azure Frontdoor for supporting TLS over a custom domain",
                "assumptions": [
                    "Azure KeyVault containing the TLS certificate is deployed to the same resource group as the resource group where Azure Frontdoor will be deployed to",
                    "Azure KeyVault name is the hub name followed by '-keyvault' (refer to variable 'keyVaultName' in this template)"
                ]
            }
        },
        ...
    },
    "variables": {
        "frontdoorName": "[concat(parameters('hubName'), '-', parameters('frontdoorName'))]",
        "frontdoorEndpointName": "[concat(variables('frontdoorName'), '-azurefd-net')]",
        "customDomainFrontdoorEndpointName": "[concat(variables('frontdoorName'), '-', replace(parameters('frontdoorCustomDomain'), '.', '-'))]",
        "keyVaultName": "[concat(parameters('hubName'), '-keyvault')]",
        "frontdoorHostName": "[concat(variables('frontdoorName'), '.azurefd.net')]",
        ...
    },
    "resources": [
        {
            "type": "Microsoft.Network/frontdoors",
            "apiVersion": "2020-05-01",
            "name": "[variables('frontdoorName')]",
            "location": "Global",
            "properties": {
                "resourceState": "Enabled",
                "backendPools": [...],
                "healthProbeSettings": [...],
                "frontendEndpoints": [
                    {
                        "id": "[concat(resourceId('Microsoft.Network/frontdoors', variables('frontdoorName')), concat('/FrontendEndpoints/', variables('frontdoorEndpointName')))]",
                        "name": "[variables('frontdoorEndpointName')]",
                        "properties": {
                            "hostName": "[variables('frontdoorHostName')]",
                            "sessionAffinityEnabledState": "Enabled",
                            "sessionAffinityTtlSeconds": 0,
                            "resourceState": "Enabled"
                        }
                    },
                    {
                        "id": "[concat(resourceId('Microsoft.Network/frontdoors', variables('frontdoorName')), concat('/FrontendEndpoints/', variables('customDomainFrontdoorEndpointName')))]",
                        "name": "[variables('customDomainFrontdoorEndpointName')]",
                        "properties": {
                            "hostName": "[parameters('frontdoorCustomDomain')]",
                            "sessionAffinityEnabledState": "Enabled",
                            "sessionAffinityTtlSeconds": 0,
                            "resourceState": "Enabled"
                        }
                    }
                ],
                "loadBalancingSettings": [...],
                "routingRules": [...],
                "backendPoolsSettings": {
                    "enforceCertificateNameCheck": "Enabled",
                    "sendRecvTimeoutSeconds": 30
                },
                "enabledState": "Enabled",
                "friendlyName": "[variables('frontdoorName')]"
            }
        },
        {
            "type": "Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration",
            "apiVersion": "2020-07-01",
            "name": "[concat(variables('frontdoorName'), '/', variables('customDomainFrontdoorEndpointName'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/frontdoors', variables('frontdoorName'))]"
            ],
            "properties": {
                "protocolType": "ServerNameIndication",
                "certificateSource": "AzureKeyVault",
                "minimumTlsVersion": "1.2",
                "keyVaultCertificateSourceParameters": {
                    "secretName": "[parameters('keyVaultCertificateName')]",
                    "vault": {
                        "id": "[resourceId(resourceGroup().name, 'Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
                    }
                }
            }
        }
    ]
}

b4qexyjb5#

Azure Front Door classic now seems to support both managed certificates and custom certificates for custom domains. At least Microsoft's official repo has quick start templates that target exactly these scenarios:

They all use the Front Door's Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration sub-resource, currently at API version 2020-07-01. Only the parent sub-resource is documented in the template reference, though.
The name of the customHttpsConfiguration resource is "default", so when the resource is specified as a top-level resource in the template, its full name looks like "myfrontdoorafd/www-example-com/default".
Using Bicep (which transpiles to JSON ARM templates and which I highly recommend), the important parts of the template look like this:

param frontDoorName string
param customDomainName string

var frontEndEndpointCustomName = replace(customDomainName, '.', '-')

resource frontDoor 'Microsoft.Network/frontDoors@2020-01-01' = {
  name: frontDoorName
  properties: {
    frontendEndpoints: [
      {
        name: frontEndEndpointCustomName
        properties: {
          hostName: customDomainName
          ...
        }
      }
      ...
    ]
    ...
  }
  ...
  
  resource frontendEndpoint 'frontendEndpoints' existing = {
    name: frontEndEndpointCustomName
  }
}

// This resource enables a Front Door-managed TLS certificate on the frontend.
resource customHttpsConfiguration 'Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration@2020-07-01' = {
  parent: frontDoor::frontendEndpoint
  name: 'default'
  properties: {
    protocolType: 'ServerNameIndication'
    certificateSource: 'FrontDoor'
    frontDoorCertificateSourceParameters: {
      certificateType: 'Dedicated'
    }
    minimumTlsVersion: '1.2'
  }
}

Note that the deployment keeps running until the certificate is actually issued and deployed to all points of presence (PoPs). This can take a long time and may even fail with a RequestTimeout. If you only want to start the operation and let it complete asynchronously, use the enable-https subcommand in the Azure CLI. Even after a failure, customHttpsProvisioningState is "Pending" and the certificate provisioning process may still complete successfully.
Also note that when you have many frontend endpoints and changes happen frequently but most frontend endpoints stay unchanged, the pattern in this template cannot be generalized simply by specifying multiple customHttpsConfiguration instances for multiple frontend endpoints. Such a generalization is inefficient and may hit the rate limits of the underlying API, because the API is called even when an endpoint already has an HTTPS configuration.
In that case I was able to deploy the customHttpsConfiguration sub-resource using a nested template and conditional deployment, but only when the frontend endpoint's customHttpsProvisioningState property has the value Disabled. This works fine even with dozens of frontend endpoints, including when a new frontend endpoint is added (and it should get a managed certificate). A configuration applied once also persists under deployment mode Complete.
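The customHttpsConfiguration block appears in two shapes on this page: inline under frontendEndpoints (first answer, API 2020-01-01) and as the separate child resource (fourth and fifth answers, API 2020-07-01). As an added example that is not from any of the answers, this Python checker audits a template for both shapes and flags custom-domain endpoints with no HTTPS configuration, a certificate source without its parameter block, a non-SNI protocol, or a minimumTlsVersion other than 1.2; the sample template, its endpoint names and the Key Vault id are constructed placeholders.

```python
REQUIRED_PARAMS = {"AzureKeyVault": "keyVaultCertificateSourceParameters",
                   "FrontDoor": "frontDoorCertificateSourceParameters"}

def check_https_config(endpoint, cfg):
    """Findings for one customHttpsConfiguration block; cfg=None means HTTPS was never enabled."""
    if cfg is None:
        return [f"{endpoint}: no customHttpsConfiguration (custom domain stays HTTP-only)"]
    findings, src, tls = [], cfg.get("certificateSource"), cfg.get("minimumTlsVersion")
    if src not in REQUIRED_PARAMS:
        findings.append(f"{endpoint}: unknown certificateSource {src!r}")
    elif REQUIRED_PARAMS[src] not in cfg:  # each source needs its own parameter block
        findings.append(f"{endpoint}: {src} source requires {REQUIRED_PARAMS[src]}")
    if cfg.get("protocolType") != "ServerNameIndication":
        findings.append(f"{endpoint}: protocolType should be ServerNameIndication")
    if tls != "1.2":
        findings.append(f"{endpoint}: minimumTlsVersion should be 1.2, got {tls!r}")
    return findings

def audit_template(template):
    findings, covered, resources = [], set(), template.get("resources", [])
    for res in resources:  # child resources first; their name is "<frontdoor>/<endpoint>/default"
        if res.get("type", "").lower().endswith("/frontendendpoints/customhttpsconfiguration"):
            endpoint = res["name"].split("/")[1]
            covered.add(endpoint)
            findings += check_https_config(endpoint, res.get("properties", {}))
    for res in resources:
        if res.get("type", "").lower() == "microsoft.network/frontdoors":
            for ep in res.get("properties", {}).get("frontendEndpoints", []):
                props = ep.get("properties", {})  # skip Microsoft-managed *.azurefd.net and covered
                if props.get("hostName", "").endswith(".azurefd.net") or ep["name"] in covered:
                    continue
                findings += check_https_config(ep["name"], props.get("customHttpsConfiguration"))
    return findings

def _endpoint(name, host, cfg=None):
    return {"name": name, "properties": {"hostName": host, "customHttpsConfiguration": cfg}}
# Constructed sample: compliant Key Vault endpoint, inline FrontDoor endpoint at TLS 1.0, child-resource endpoint.
SAMPLE = {"resources": [
    {"type": "Microsoft.Network/frontdoors", "name": "fd-example", "properties": {"frontendEndpoints": [
        _endpoint("www-example-com", "www.example.com", {"certificateSource": "AzureKeyVault",
            "minimumTlsVersion": "1.2", "protocolType": "ServerNameIndication",
            "keyVaultCertificateSourceParameters": {"secretName": "tls-cert", "vault": {"id": "<kv-id>"}}}),
        _endpoint("api-example-com", "api.example.com", {"certificateSource": "FrontDoor",
            "minimumTlsVersion": "1.0", "protocolType": "ServerNameIndication",
            "frontDoorCertificateSourceParameters": {"certificateType": "Dedicated"}}),
        _endpoint("shop-example-com", "shop.example.com")]}},
    {"type": "Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration",
     "name": "fd-example/shop-example-com/default", "properties": {"protocolType": "ServerNameIndication",
        "certificateSource": "FrontDoor", "minimumTlsVersion": "1.2",
        "frontDoorCertificateSourceParameters": {"certificateType": "Dedicated"}}}]}
```

ARM expressions such as [variables('customDomain')] are not evaluated, so run the checker on a template with literal host names (or on the compiled output of a Bicep file after parameter substitution).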
