
I am deploying Azure Front Door via an ARM template and trying to enable HTTPS on a custom domain.

According to the Azure documentation for Front Door, there is a quickstart template that "adds a custom domain to Front Door and enables HTTPS traffic for it using a Front Door managed certificate generated via DigiCert". However, while this adds the custom domain, it does not enable HTTPS.

Looking at the ARM template reference for Front Door, I can't see any obvious way to enable HTTPS, but maybe I'm missing something?

Despite the additional information below, I would like to be able to enable HTTPS on a Front Door custom domain via an ARM template deployment. Is that possible at this time?

Additional information

Note that there is a REST operation for enabling HTTPS, but it does not seem to work for Front Door managed certificates -

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/frontDoors/{frontDoorName}/frontendEndpoints/{frontendEndpointName}/enableHttps?api-version=2019-05-01
{
    "certificateSource": "FrontDoor",
    "protocolType": "ServerNameIndication",
    "minimumTLSVersion": "1.2"
}

There is also an Az PowerShell cmdlet that enables HTTP, and it does work.

Enable-AzFrontDoorCustomDomainHttps -ResourceGroupName "lmk-bvt-accounts-front-door" -FrontDoorName "my-front-door" -FrontendEndpointName "my-front-door-rg"

4 Answers


Update: this implementation currently seems unstable and only works intermittently, which suggests it may not be production-ready yet.

Tracking down the latest Front Door API, 2020-01-01:

https://github.com/Azure/azure-rest-api-specs/tree/master/specification/frontdoor/resource-manager/Microsoft.Network/stable/2020-01-01

there is a new customHttpsConfiguration property in the frontendEndpoint properties object:

    "customHttpsConfiguration": {
      "certificateSource": "AzureKeyVault", // or "FrontDoor"
      "minimumTlsVersion": "1.2",
      "protocolType": "ServerNameIndication",

      // Depending on "certificateSource" you supply either:
      "keyVaultCertificateSourceParameters": {
        "secretName": "<secret name>",
        "secretVersion": "<secret version>",
        "vault": {
          "id": "<keyVault ResourceID>"
        }
      },

      // Or:
      "frontDoorCertificateSourceParameters": {
        "certificateType": "Dedicated"
      }
    }

KeyVault managed SSL certificate example

Note: I have tested this and it appears to work.

    {
      "type": "Microsoft.Network/frontdoors",
      "apiVersion": "2020-01-01",
      "properties": {
        "frontendEndpoints": [
         {
            "name": "[variables('frontendEndpointName')]",
            "properties": {
              "hostName": "[variables('customDomain')]",
              "sessionAffinityEnabledState": "Enabled",
              "sessionAffinityTtlSeconds": 0,
              "webApplicationFirewallPolicyLink": {
                "id": "[variables('wafPolicyResourceId')]"
              },
              "resourceState": "Enabled",
              "customHttpsConfiguration": {
                "certificateSource": "AzureKeyVault",
                "minimumTlsVersion": "1.2",
                "protocolType": "ServerNameIndication",
                "keyVaultCertificateSourceParameters": {
                  "secretName": "[parameters('certKeyVaultSecret')]",
                  "secretVersion": "[parameters('certKeyVaultSecretVersion')]",
                  "vault": {
                    "id": "[resourceId(parameters('certKeyVaultResourceGroupName'),'Microsoft.KeyVault/vaults',parameters('certKeyVaultName'))]"
                  }
                }
              }
            }
          }
        ],
        ...
      }
    }

Front Door managed SSL certificate example

It looks like for a Front Door managed certificate you need to set:

Note: I have not tested this

    {
      "type": "Microsoft.Network/frontdoors",
      "apiVersion": "2020-01-01",
      "properties": {
        "frontendEndpoints": [
         {
            "name": "[variables('frontendEndpointName')]",
            "properties": {
              "hostName": "[variables('customDomain')]",
              "sessionAffinityEnabledState": "Enabled",
              "sessionAffinityTtlSeconds": 0,
              "webApplicationFirewallPolicyLink": {
                "id": "[variables('wafPolicyResourceId')]"
              },
              "resourceState": "Enabled",
              "customHttpsConfiguration": {
                "certificateSource": "FrontDoor",
                "minimumTlsVersion": "1.2",
                "protocolType": "ServerNameIndication",
                "frontDoorCertificateSourceParameters": {
                  "certificateType": "Dedicated"
                }
              }
            }
          }
        ],
        ...
      }
    }
answered 2020-04-08T11:23:49.103

I managed to get this working with an ARM template. The following link shows how to do it using Azure Front Door as the certificate source: https://github.com/Azure/azure-quickstart-templates/blob/master/101-front-door-custom-domain/azuredeploy.json

I took inspiration from it to deploy a certificate from Azure Key Vault for the custom domain. Here are the relevant elements of the ARM template I am using:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "hubName": {
            "type": "string",
            "metadata": {
                "description": "Name to assign to the hub. This name will prefix all resources contained in the hub."
            }
        },
        "frontdoorName": {
            "type": "string",
            "metadata": {
                "description": "Name to assign to the Frontdoor instance"
            }
        },
        "frontdoorCustomDomain": {
            "type": "string",
            "metadata": {
                "description": "The custom domain name to be applied to the provisioned Azure Frontdoor instance"
            }
        },
        "keyVaultCertificateName": {
            "type": "string",
            "metadata": {
                "description": "Name of the TLS certificate in the Azure KeyVault to be deployed to Azure Frontdoor for supporting TLS over a custom domain",
                "assumptions": [
                    "Azure KeyVault containing the TLS certificate is deployed to the same resource group as the resource group where Azure Frontdoor will be deployed to",
                    "Azure KeyVault name is the hub name followed by '-keyvault' (refer to variable 'keyVaultName' in this template)"
                ]
            }
        },
        ...
    },
    "variables": {
        "frontdoorName": "[concat(parameters('hubName'), '-', parameters('frontdoorName'))]",
        "frontdoorEndpointName": "[concat(variables('frontdoorName'), '-azurefd-net')]",
        "customDomainFrontdoorEndpointName": "[concat(variables('frontdoorName'), '-', replace(parameters('frontdoorCustomDomain'), '.', '-'))]",
        "keyVaultName": "[concat(parameters('hubName'), '-keyvault')]",
        "frontdoorHostName": "[concat(variables('frontdoorName'), '.azurefd.net')]",
        ...
    },
    "resources": [
        {
            "type": "Microsoft.Network/frontdoors",
            "apiVersion": "2020-05-01",
            "name": "[variables('frontdoorName')]",
            "location": "Global",
            "properties": {
                "resourceState": "Enabled",
                "backendPools": [...],
                "healthProbeSettings": [...],
                "frontendEndpoints": [
                    {
                        "id": "[concat(resourceId('Microsoft.Network/frontdoors', variables('frontdoorName')), concat('/FrontendEndpoints/', variables('frontdoorEndpointName')))]",
                        "name": "[variables('frontdoorEndpointName')]",
                        "properties": {
                            "hostName": "[variables('frontdoorHostName')]",
                            "sessionAffinityEnabledState": "Enabled",
                            "sessionAffinityTtlSeconds": 0,
                            "resourceState": "Enabled"
                        }
                    },
                    {
                        "id": "[concat(resourceId('Microsoft.Network/frontdoors', variables('frontdoorName')), concat('/FrontendEndpoints/', variables('customDomainFrontdoorEndpointName')))]",
                        "name": "[variables('customDomainFrontdoorEndpointName')]",
                        "properties": {
                            "hostName": "[parameters('frontdoorCustomDomain')]",
                            "sessionAffinityEnabledState": "Enabled",
                            "sessionAffinityTtlSeconds": 0,
                            "resourceState": "Enabled"
                        }
                    }
                ],
                "loadBalancingSettings": [...],
                "routingRules": [...],
                "backendPoolsSettings": {
                    "enforceCertificateNameCheck": "Enabled",
                    "sendRecvTimeoutSeconds": 30
                },
                "enabledState": "Enabled",
                "friendlyName": "[variables('frontdoorName')]"
            }
        },
        {
            "type": "Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration",
            "apiVersion": "2020-07-01",
            "name": "[concat(variables('frontdoorName'), '/', variables('customDomainFrontdoorEndpointName'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/frontdoors', variables('frontdoorName'))]"
            ],
            "properties": {
                "protocolType": "ServerNameIndication",
                "certificateSource": "AzureKeyVault",
                "minimumTlsVersion": "1.2",
                "keyVaultCertificateSourceParameters": {
                    "secretName": "[parameters('keyVaultCertificateName')]",
                    "vault": {
                        "id": "[resourceId(resourceGroup().name, 'Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
                    }
                }
            }
        }
    ]
}
answered 2021-05-18T05:56:45.040
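The two answers above attach customHttpsConfiguration in different places: inline on the frontendEndpoint (2020-01-01 API) or as a separate child resource (2020-07-01 API). The following audit script is an added example, not code from the question or any answer; it reads either form from a template and reports custom domains that have no HTTPS configuration or accept TLS below 1.2. The template, Front Door name fd-demo and host names are constructed for the demonstration.

```python
"""Audit an ARM template for Front Door custom domains that lack hardened HTTPS.
Added example, not code from the thread. It accepts both forms shown above:
customHttpsConfiguration inline on the frontendEndpoint, or as a child resource
of type .../frontendEndpoints/customHttpsConfiguration. Names are compared as
literal strings; ARM expressions like "[variables('x')]" are not evaluated."""
import json

CHILD_TYPE = "microsoft.network/frontdoors/frontendendpoints/customhttpsconfiguration"

def child_configs(template):
    """Map 'frontdoor/endpoint' -> properties of child-resource HTTPS configs."""
    out = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() == CHILD_TYPE:
            parts = res.get("name", "").split("/")  # "<frontdoor>/<endpoint>/default"
            if len(parts) >= 2:
                out["/".join(parts[:2])] = res.get("properties", {})
    return out

def audit_front_door(template):
    """Return (endpointName, finding) pairs for custom-domain frontend endpoints."""
    findings, children = [], child_configs(template)
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/frontdoors":
            continue
        for ep in res.get("properties", {}).get("frontendEndpoints", []):
            props = ep.get("properties", {})
            if props.get("hostName", "").lower().endswith(".azurefd.net"):
                continue  # default *.azurefd.net endpoint uses Microsoft-managed TLS
            cfg = props.get("customHttpsConfiguration") or children.get(
                f"{res.get('name')}/{ep.get('name')}")
            if cfg is None:
                findings.append((ep["name"], "no customHttpsConfiguration: HTTPS not enabled"))
                continue
            # the REST body spells it minimumTLSVersion, the template minimumTlsVersion
            tls = cfg.get("minimumTlsVersion") or cfg.get("minimumTLSVersion") or "1.0"
            if float(tls) < 1.2:
                findings.append((ep["name"], f"minimumTlsVersion {tls} is below 1.2"))
    return findings

# Constructed sample (not from the thread): a default endpoint, a custom domain
# secured via the child resource but with weak TLS, and one with no HTTPS at all.
SAMPLE = json.loads("""{"resources": [
 {"type": "Microsoft.Network/frontdoors", "name": "fd-demo", "properties": {"frontendEndpoints": [
   {"name": "default", "properties": {"hostName": "fd-demo.azurefd.net"}},
   {"name": "www", "properties": {"hostName": "www.example.com"}},
   {"name": "api", "properties": {"hostName": "api.example.com"}}]}},
 {"type": "Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration",
  "name": "fd-demo/www/default", "properties": {"certificateSource": "FrontDoor",
  "minimumTlsVersion": "1.0", "protocolType": "ServerNameIndication"}}]}""")
```

Running `audit_front_door(SAMPLE)` flags `www` for TLS 1.0 and `api` for having no HTTPS configuration at all; run it against your own template with `json.load(open(path))` before deploying.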

I was able to successfully make the enableHttps REST call using the Azure Management API.

I got a successful response and can see the resulting resource on the portal.azure.com and resource.azure.com sites. But I am fairly sure the Management API and PowerShell methods are the only supported methods at the moment. Since the certificate and its processing may require some validation, they have not yet included it in ARM templates. Given that the validation can be non-trivial, it is best to first confirm that your configuration is viable in the UI before automating it (IMHO).

answered 2019-10-07T07:46:22.690

According to this discussion, this seems to be possible only via the REST API (see e.g. this answer) and not (yet) via ARM.

answered 2021-01-29T08:05:00.147