We have ~60 client apps, each with its own subdomain URL in a common domain, i.e. client1.domainname.com, client2.domainname.com... - all covered by a single wildcard SSL cert *.domainname.com. Currently hosted on-prem with a pair of LBs and 2 backend IIS nodes using host headers for subdomain URLs and cookie session affinity.
We need to migrate this environment to Azure and utilize Application Gateway. Unfortunately, AG has some drastic limitations https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits?toc=%2fazure%2fapplication-gateway%2ftoc.json#application-gateway-limits, namely:
1) HTTP listeners: 20
2) Number of sites: 20 (1 per HTTP listener)
3) URL maps per listener: 1
Questions:
A) Regarding #2, can the wildcard domain *.domainname.com be treated as 1 site / used in the Hostname property of the Listener definition?
- If not, does that mean I need to create 1 Listener per client, i.e. HTTPSListener1 -> client1.domainname.com, HTTPSListener2 -> client2.domainname.com and so forth?
- If the answer is 'yes', can I use the same wildcard cert *.domainname.com in the SslCertificate property of multiple listeners while only changing the Hostname field to be client (subdomain) specific?
- If so, that means that, given the 20-listeners-per-AG limitation, I'd need to create 3 separate sets of AGs to fit my 60 subdomains, meaning I'd incur unnecessary cost running additional AG pairs.
B) there are only 2 backend nodes on-prem and we prefer the same in Azure for cost savings; my understanding is that multiple AG sets cannot point to the same backend VMs. Can a workaround for this be having multiple vNICs per VM and pointing to different AG sets, i.e. AG1 set->vNIC0 primary, AG2 set->vNIC1 secondary, AG3 set->vNIC2 secondary?
Sorry for the loaded question, but I'm hoping that others will find this post very useful, as detailed information on this topic does not appear to be easily obtainable.
Listener example:
"httpListeners": [
  {
    "name": "appGatewayHttpsListener1",
    "properties": {
      "FrontendIPConfiguration": {
        "Id": "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/applicationGateway1/frontendIPConfigurations/DefaultFrontendPublicIP"
      },
      "FrontendPort": {
        "Id": "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/applicationGateway1/frontendPorts/appGatewayFrontendPort443"
      },
      "Protocol": "Https",
      "SslCertificate": {
        "Id": "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/applicationGateway1/sslCertificates/appGatewaySslCert1"
      },
      "HostName": "domainname.com",
      "RequireServerNameIndication": true
    }
  }
]
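As an added illustration (not part of the question above), the one-listener-per-subdomain layout from A) can be generated and sanity-checked before deployment: every listener gets its own HostName, all of them reference the same wildcard certificate resource, SNI is required, and the listeners are split across gateways so none exceeds the 20-listener limit quoted in the question. The gateway/certificate/port names and the `<subid>`/`<rgName>` placeholders are assumptions copied from the posted listener example; the helper names are hypothetical.

```python
import json

# Assumed path prefix, mirroring the posted example; <subid>/<rgName> are placeholders.
GATEWAY_PREFIX = "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways"
LISTENERS_PER_GATEWAY = 20  # limit quoted in the question


def listener(gateway, index, hostname):
    """One HTTPS listener: unique HostName, shared wildcard cert, SNI required."""
    base = f"{GATEWAY_PREFIX}/{gateway}"
    return {
        "name": f"appGatewayHttpsListener{index}",
        "properties": {
            "FrontendIPConfiguration": {"Id": f"{base}/frontendIPConfigurations/DefaultFrontendPublicIP"},
            "FrontendPort": {"Id": f"{base}/frontendPorts/appGatewayFrontendPort443"},
            "Protocol": "Https",
            "SslCertificate": {"Id": f"{base}/sslCertificates/appGatewaySslCert1"},
            "HostName": hostname,
            "RequireServerNameIndication": True,
        },
    }


def plan_gateways(subdomains, domain, per_gateway=LISTENERS_PER_GATEWAY):
    """Chunk the hostnames into gateways of at most per_gateway listeners each."""
    hosts = [f"{s}.{domain}" for s in subdomains]
    plans = {}
    for n, start in enumerate(range(0, len(hosts), per_gateway), start=1):
        gw = f"applicationGateway{n}"
        chunk = hosts[start:start + per_gateway]
        plans[gw] = [listener(gw, i, h) for i, h in enumerate(chunk, start=1)]
    return plans


def check_plan(plans, per_gateway=LISTENERS_PER_GATEWAY):
    """Pre-deployment checks; returns the number of distinct hostnames covered."""
    seen = set()
    for gw, listeners in plans.items():
        if len(listeners) > per_gateway:
            raise ValueError(f"{gw}: {len(listeners)} listeners exceeds limit {per_gateway}")
        for lst in listeners:
            p = lst["properties"]
            if p["Protocol"] == "Https" and not p["RequireServerNameIndication"]:
                raise ValueError(f"{gw}/{lst['name']}: multi-site HTTPS listener needs SNI")
            if p["HostName"] in seen:  # a duplicate would make routing ambiguous
                raise ValueError(f"duplicate hostname {p['HostName']}")
            seen.add(p["HostName"])
    return len(seen)


if __name__ == "__main__":
    plans = plan_gateways([f"client{i}" for i in range(1, 61)], "domainname.com")
    print(check_plan(plans), "hostnames across", len(plans), "gateways")
    print(json.dumps({"httpListeners": plans["applicationGateway1"][:1]}, indent=2))
```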