Configuring HTTPS on Azure CDN and a Kubernetes AKS Ingress service

  • Question

  • Hello,

    We have an AKS cluster. We successfully added an Ingress service, and its IP is: 52.149.236.235. We want to:

    1. Add Azure CDN in front of it.

    2. The user to connect using a custom domain and HTTPS to Azure CDN.

    3. Azure CDN to terminate the SSL, use this Ingress as an Origin and communicate with it via HTTP.

    Here is what we tried so far:

    1. We created an Azure CDN profile: "dxptest.azureedge.net". We used Microsoft CDN, because our 'Free Trial' account doesn't allow anything else.

    2. We added as Origin the Ingress service (52.149.236.235). Here is the first odd thing: the only working option we found was to add it as "Custom Origin" and to type manually the IP address there. In all the other options it didn't appear. Is what we did the right approach?

    3. After adding the Ingress as a "Custom Origin", we successfully added a custom domain to the CDN Profile and generated a certificate. The custom domain is: "ppt.irinapeycheva.com". Connecting via HTTP to it works. However, we don't want this. We want to connect using HTTPS.

    4. In order to enable HTTPS, we clicked on the domain and switched "Custom domain HTTPS" to be "On". 

    5. Here is the issue: if we only select "HTTP" (i.e. if we tell the CDN to connect to our origin via HTTP only), there is an error message: "In order to establish secure end-to-end communication over SSL, HTTPS must be allowed on your CDN endpoint.". If we enable it, the certificate generates successfully, and HTTP works, but HTTPS doesn't.

    To repeat what we want - we want the user to connect to the CDN via HTTPS, the CDN to terminate the SSL and communicate with the origin by using HTTP. 

    We thought that since Azure CDN issued and deployed a certificate for "ppt.irinapeycheva.com" successfully, that should be enough. However, it seems it was not - the CDN insists that HTTPS be enabled on our Origin (the Ingress).

    Could you help with this?

    Also, this "end-to-end communication" is another topic, but I'm not sure how we can even do this. I understand it as we will have to add support for HTTPS from our Ingress. However, in order to do this, we also have to generate and provide a certificate, correct? This would be odd.

    Could you help to clarify the above topics?

    Thanks,

    Iliyan Peychev

    Wednesday, February 26, 2020 10:15 PM

All replies

  • Using a "Custom Origin" is the best way to configure Azure CDN with an ingress controller. 

    Here is a great doc that outlines the full process to enable SSL for your custom domain. Keep in mind that SSL changes can take up to 8 hours to propagate. 

    Once you have HTTPS on your custom domain, disable HTTPS for your origin by selecting "origin" on the left menu, and unchecking "http".

    You will likely have an easier time using an Application Gateway or Azure Front Door for SSL Termination instead of a CDN. 

    Thursday, February 27, 2020 3:08 AM
  • Thanks for the answer!

    You said: "Once you have HTTPS on your custom domain, disable HTTPS for your origin by selecting "origin" on the left menu, and unchecking "http"." - you meant to uncheck "https", not "http", didn't you?

    If so, I did this, here is the configuration:

    Now http://ppt.irinapeycheva.com works fine, however the HTTPS doesn't. I get the following error:

    ```
    Our services aren't available right now

    We're working to restore all services as soon as possible. Please check back soon.

    099tXXgAAAAA5Kv9ihmLeR6IINb+2VntORlJBRURHRTEwMTMARWRnZQ==
    ```

    This error I suppose is generated by Azure CDN.

    This is the current Ingress configuration - I simplified it to the bare minimum:

    ```yaml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ui-ingress
      annotations:
        kubernetes.io/ingress.class: nginx
      namespace: default
    spec:
      backend:
        serviceName: ui-service
        servicePort: 80
    ```

    What am I doing wrong?

    Also, I think I have to give you some context. You said: "You will likely have an easier time using an Application Gateway or Azure Front Door for SSL Termination instead of a CDN."

    About that, two things:

    1. We don't want SSL termination only. We want caching, that's why we are trying to bring Azure CDN into the picture.

    2. My initial setup was:

      a) use Cert Manager and the HTTP-01 challenge to generate a certificate for the custom domain and to set the TLS configuration inside the Ingress, since it provides an IPv4 address (which is awesome, AWS for example doesn't do this).

      b) Then we wanted to add CDN functionality and caching. I didn't discover any way to enable it via Kubernetes YAML files. FYI, GCP has an easy way to do it - via "BackendConfig".

    That's why we went down this tough road to use Azure CDN and let it generate certificates, to add CNAME records in order to verify the domains, etc. It still doesn't work :/

    I would 100% prefer to use CertManager, the HTTP-01 challenge and to enable CDN functionality and caching via the YAML files. Is that possible with Azure? If not, do Application Gateway or Azure Front Door provide caching functionality too?

    Thursday, February 27, 2020 3:28 PM
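As an added illustration that is not part of this thread, below is what the origin side looks like when the Ingress itself can answer HTTPS, which is what the "end-to-end communication" option from the original question would require, and which is the cert-manager HTTP-01 setup described as the poster's initial approach. The manifests assume cert-manager is already installed in the cluster and that ingress-nginx is the ingress controller; the issuer name `letsencrypt-prod`, the secret names and the e-mail address are placeholders, and the host and service names are reused from the thread. The `ssl-redirect: "false"` annotation is the part a CDN-in-front setup needs: once an Ingress carries a `tls` block, ingress-nginx redirects plain HTTP to HTTPS by default, which would turn the CDN's HTTP-only origin fetches into redirects.

```yaml
# Added example, not from the thread. Assumes cert-manager and ingress-nginx are installed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod            # placeholder issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com         # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, stored by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx             # HTTP-01 challenge is served through the nginx ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ui-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod   # cert-manager issues the cert for spec.tls hosts
    # Keep plain HTTP answerable: the CDN talks HTTP to this origin, and a 308 redirect
    # to HTTPS from the origin would break that path.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
    - hosts:
        - ppt.irinapeycheva.com
      secretName: ui-tls             # cert-manager writes the issued key pair here
  rules:
    - host: ppt.irinapeycheva.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ui-service
                port:
                  number: 80
```

Two things to check after applying this. First, the rule matches on the `Host` header, so a CDN that reaches the origin by its IP address must be configured to send `ppt.irinapeycheva.com` as the origin host header, otherwise requests fall through to the default backend. Second, `kubectl get certificate -n default` should show `ui-tls` as Ready once the HTTP-01 challenge has completed; if the CDN is already in front of the domain, the `/.well-known/acme-challenge/` path has to reach the origin uncached for that to happen.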