
We have ~60 client apps, each with its own subdomain URL in a common domain, i.e. client1.domainname.com, client2.domainname.com... - all covered by a single wildcard SSL cert *.domainname.com. Currently hosted on-prem with a pair of LBs and 2 backend IIS nodes using host headers for subdomain URLs and cookie session affinity.

We need to migrate this environment to Azure and utilize Application Gateway. Unfortunately, AG has some drastic limitations https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits?toc=%2fazure%2fapplication-gateway%2ftoc.json#application-gateway-limits, namely:

1) HTTP Listeners: 20
2) Number of sites: 20 (1 per HTTP listener)
3) URL maps per listener: 1

Questions:

A) regarding #2, can the wildcard domain *.domainname.com be treated as 1 site / used in the Hostname property of the Listener definition?

  • if not, then does it mean I need to create 1 Listener per client, i.e. HTTPSListener1-> client1.domainname.com, HTTPSListener2->client2.domainname.com and so forth?
    • if the answer is 'yes', can I use same wildcard cert *.domainname.com in SslCertificate property of multiple listeners while only changing Hostname field to be client (subdomain) specific?
      • if true, that means that, given the 20-listeners-per-AG limitation, I'd need to create 3 separate sets of AGs to fit my 60 subdomains, meaning I'd incur unnecessary cost running additional AG pairs

B) there are only 2 backend nodes on-prem and we prefer the same in Azure for cost savings; my understanding is that multiple AG sets cannot point to the same backend VMs. Can a workaround for this be having multiple vNICs per VM and pointing to different AG sets, i.e. AG1 set->vNIC0 primary, AG2 set->vNIC1 secondary, AG3 set->vNIC2 secondary?

Sorry for the loaded question, but I'm hoping that others will find this post very useful, as detailed information on this topic does not appear to be easily obtainable.

Listener example:

"httpListeners": [
    {
        "name": "appGatewayHttpsListener1",
        "properties": {
            "FrontendIPConfiguration": {
                "Id": "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/applicationGateway1/frontendIPConfigurations/DefaultFrontendPublicIP"
            },
            "FrontendPort": {
                "Id": "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/applicationGateway1/frontendPorts/appGatewayFrontendPort443"
            },
            "Protocol": "Https",
            "SslCertificate": {
                "Id": "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/applicationGateway1/sslCertificates/appGatewaySslCert1"
            },
            "HostName": "domainname.com",
            "RequireServerNameIndication": "true"
        }
    }
]
P. D.
    Just came across this post which implies wildcard SSL cannot be used in _Hostname_ property of AG listener. Sad! With that being said I still need answers on all of the questions posted above :-) – P. D. Nov 06 '17 at 02:29
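The "one listener per client, same wildcard cert" layout the question describes, as an added example (not code from the original post): it generates the listener objects in the same shape as the JSON above, checks that each hostname is actually covered by the wildcard cert (a `*` in a certificate matches exactly one DNS label, so `a.b.domainname.com` would not be), and splits the listeners across gateways at the 20-listener limit quoted in the question. The subscription, resource group, gateway and certificate names are placeholders.

```python
import json

# Placeholder ARM resource prefix, as in the question's listener example.
RG_PREFIX = "/subscriptions/<subid>/resourceGroups/<rgName>/providers/Microsoft.Network/applicationGateways/"
LISTENERS_PER_GATEWAY = 20  # Application Gateway limit quoted in the question

def hostname_covered_by_wildcard(hostname, wildcard):
    """True if a wildcard cert such as *.domainname.com covers hostname.
    The '*' matches exactly one DNS label (RFC 6125), so the bare apex and
    deeper names like a.b.domainname.com are NOT covered."""
    if not wildcard.startswith("*."):
        return hostname.lower() == wildcard.lower()
    suffix = wildcard[1:].lower()            # ".domainname.com"
    host = hostname.lower()
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]             # the part the '*' has to match
    return bool(label) and "." not in label and label != "*"

def build_listener(index, hostname, gateway_name, cert_name="appGatewaySslCert1"):
    """One HTTPS listener: client-specific HostName, SNI required, shared wildcard cert."""
    base = RG_PREFIX + gateway_name
    return {
        "name": f"appGatewayHttpsListener{index}",
        "properties": {
            "FrontendIPConfiguration": {"Id": f"{base}/frontendIPConfigurations/DefaultFrontendPublicIP"},
            "FrontendPort": {"Id": f"{base}/frontendPorts/appGatewayFrontendPort443"},
            "Protocol": "Https",
            "SslCertificate": {"Id": f"{base}/sslCertificates/{cert_name}"},
            "HostName": hostname,
            "RequireServerNameIndication": "true",
        },
    }

def plan_gateways(subdomains, wildcard="*.domainname.com", limit=LISTENERS_PER_GATEWAY):
    """Reject hostnames the cert does not cover, then chunk the rest into gateways of <= limit listeners."""
    bad = [h for h in subdomains if not hostname_covered_by_wildcard(h, wildcard)]
    if bad:
        raise ValueError(f"not covered by {wildcard}: {bad}")
    gateways = []
    for g, start in enumerate(range(0, len(subdomains), limit), start=1):
        name = f"applicationGateway{g}"
        chunk = subdomains[start:start + limit]
        gateways.append({"name": name,
                         "httpListeners": [build_listener(i + 1, h, name) for i, h in enumerate(chunk)]})
    return gateways

if __name__ == "__main__":
    clients = [f"client{n}.domainname.com" for n in range(1, 61)]  # constructed: the 60 client subdomains
    print(json.dumps(plan_gateways(clients), indent=2)[:800])
```

With 60 single-label subdomains this yields three gateways of 20 listeners each, all referencing the same certificate resource; a hostname outside the wildcard's scope fails before any listener is emitted.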

1 Answer


If I understand your question correctly, you are not REQUIRED to put a pathname for the listener. You can instead have a single global listener to cover your entire *.domain.com. Does that help?

Mat