Recently I needed to implement Azure CDN for a client whose production website uses HTTPS and sits behind Azure Traffic Manager.
In this case, the client needed:
- A custom domain name
- Traffic to the custom domain to be encrypted using HTTPS
- The CDN to work regardless of the site that is live (on prem or in Azure)
- Traffic manager to balance traffic across DR/ASR sites
- The ability to test the CDN before cutting over the prod environment
To implement the CDN using HTTPS and Traffic Manager follow these steps:
Step 1: CDN Profile
- Select the right CDN for you (try my article here to help)
- Deploy the CDN Profile. This step is well documented so I wont cover it again here
Step 2: CDN Endpoint
Create a test CDN Endpoint
- Create a new CDN endpoint
- I wanted traffic to flow from the CDN to Traffic Manager and then on to the webservers. There isn’t much documentation about this configuration, but the Microsoft team assures me that this is a supported scenario.To do this, set the CDN profile origin type to custom and point it to the traffic manager URL
- Configure Compression, Geo Filtering, logging, Optimisation and Caching Rules as required
Step 3: Create a Test URL
- Create a CNAME record for domainname.com and point it to your CDN Endpoint
- Create a custom domain to associate the CNAME with your CDN endpoint
- Once the CNAME has propagated, you should be able to browse to:
- http://www.domainname.com to test your website with no CDN
- http://cdnverify.domainname.com to test your website with the CDN in place
Step 4: Enable HTTPS on the Test URL
Open the custom domain properties and turn on HTTPS
Things to note:
- This step took between 8-22 hours to complete every time I tested it. For the test URL that’s not a big problem but be prepared to come back in a few hours and continue the configuration.
- Because the DNS CNAME is configured to point to Azure, there’s nothing for you to do here but wait, no emails will be sent.
- If you’re using the Azure Standard CDN you can bring your own certificate, but I would suggest using the Azure provided SSL certificate which is fully managed and very easy to deploy.
- When the custom domain HTTPS page shows all green ticks, you should be able to browse to:
- https://www.domainname.com to test your website with no CDN
- https://cdnverify.domainname.com to test your website with the CDN & SSL in place
If you don’t care about a website outage or don’t use HTTPS, you can follow the same process for both the test and production cutovers.
If you use HTTPS and would like to avoid an outage for the production website, keep on reading.
Step 5: Do it Over in Prod
For the production website, I followed a slightly different path to avoid outages.
- Change your websites www record TTL to be 1 minute
- Confirm the email address that is listed on the whois record for that domain and make sure you have access to that mailbox
- Schedule a 10 minute website outage
- Edit the CNAME record for domainname.com and point it to your CDN Endpoint
- Create a custom domain to associate the WWW CNAME with your CDN endpoint
- Once the CNAME has propagated, you should be able to browse to: http://www.domainname.com to test your website with the CDN in place
- If your website uses HTTPS, this will cause an outage because the SSL certificate will not be in place and most browsers will block the user from proceeding
- In the Azure portal, enable HTTPS on the domainname.com custom domain
- To avoid an outage that can last between 6-22 hours, switch your WWW DNS record back to the original configuration
|www.domainname.com||CNAME||Original Location/Web Server IP|
- In 6-8 hours, a series of emails will be sent from email@example.com to the owners of the whois record. Click the link in each email to authorise the SSL request
- A few hours later, the Azure portal should show all green ticks.
- At this point the domain authentication is complete and you can edit the WWW DNS record, so it points to the CDN again
- Test by browsing to: https://www.domainname.com to test your website with the CDN & SSL in place