Insights

Jan 2019

Implementing Azure CDN for a Secure Production Website (that sits behind traffic manager)

Recently I needed to implement Azure CDN for a client whose production website uses HTTPS and sits behind Azure Traffic Manager.

In this case, the client needed:

 

The final environment looks like this
Figure 1 – High Level Traffic Flow

To implement the CDN using HTTPS and Traffic Manager follow these steps:

Step 1: CDN Profile

 

Step 2: CDN Endpoint

Create a test CDN Endpoint

  • Create a new CDN endpoint
  • I wanted traffic to flow from the CDN to Traffic Manager and then on to the webservers. There isn’t much documentation about this configuration, but the Microsoft team assures me that this is a supported scenario.To do this, set the CDN profile origin type to custom and point it to the traffic manager URL
  • Configure Compression, Geo Filtering, logging, Optimisation and Caching Rules as required

 

Step 3: Create a Test URL

 

 

SourceTypeDestination
cdnverify.domainname.comCNAMELabTestCDN.azureedge.net

 

  • Create a custom domain to associate the CNAME with your CDN endpoint
  • Once the CNAME has propagated, you should be able to browse to:
    • http://www.domainname.com to test your website with no CDN
    • http://cdnverify.domainname.com to test your website with the CDN in place

 

Step 4: Enable HTTPS on the Test URL

Open the custom domain properties and turn on HTTPS

Things to note:

  • This step took between 8-22 hours to complete every time I tested it. For the test URL that’s not a big problem but be prepared to come back in a few hours and continue the configuration.
  • Because the DNS CNAME is configured to point to Azure, there’s nothing for you to do here but wait, no emails will be sent.
  • If you’re using the Azure Standard CDN you can bring your own certificate, but I would suggest using the Azure provided SSL certificate which is fully managed and very easy to deploy.

  • When the custom domain HTTPS page shows all green ticks, you should be able to browse to:
    • https://www.domainname.com to test your website with no CDN
    • https://cdnverify.domainname.com to test your website with the CDN & SSL in place

 

If you don’t care about a website outage or don’t use HTTPS, you can follow the same process for both the test and production cutovers.

If you use HTTPS and would like to avoid an outage for the production website, keep on reading.

 

Step 5: Do it Over in Prod

For the production website, I followed a slightly different path to avoid outages.

  • Change your websites www record TTL to be 1 minute
  • Confirm the email address that is listed on the whois record for that domain and make sure you have access to that mailbox
  • Schedule a 10 minute website outage
  • Edit the CNAME record for domainname.com and point it to your CDN Endpoint
SourceTypeDestination
www.domainname.comCNAMELabTestCDN.azureedge.net

 

NB:

  • Once the CNAME has propagated, you should be able to browse to: http://www.domainname.com to test your website with the CDN in place
  • If your website uses HTTPS, this will cause an outage because the SSL certificate will not be in place and most browsers will block the user from proceeding
  • In the Azure portal, enable HTTPS on the domainname.com custom domain
  • To avoid an outage that can last between 6-22 hours, switch your WWW DNS record back to the original configuration
SourceTypeDestination
www.domainname.comCNAMEOriginal Location/Web Server IP

 

  • In 6-8 hours, a series of emails will be sent from admin@digicert.com to the owners of the whois record. Click the link in each email to authorise the SSL request
  • A few hours later, the Azure portal should show all green ticks.

  • At this point the domain authentication is complete and you can edit the WWW DNS record, so it points to the CDN again
SourceTypeDestination
www.domainname.comCNAMELabTestCDN.azureedge.net

 

  • Test by browsing to: https://www.domainname.com to test your website with the CDN & SSL in place

In the cloud world things change regularly. It’s worth checking the CDN product page for updates or voting for a feature request on the Azure CDN User Voice page.

 

 

Leave a Reply