How can I add the PE FQDN as a SAN in the certificate used by a service deployed on an AKS cluster that Front Door connects to using the PLS?

Kruti Joshi 0 Reputation points Microsoft Employee
2023-10-18T10:20:30.2666667+00:00

I have a service deployed on an AKS cluster with DNS name, say, 'service-dns'. We connect to this service via the Front Door. On Front Door, when I add this service to an origin group and say 'Enable PLS', a private endpoint automatically gets created. Using diagnostics, I was able to get the url (Private Endpoint) that the Front Door is calling.

For the certificate present in the service on AKS, I will need to add the Private Endpoint url as a SAN, correct? Or should we be using the DNS name of the service? Since the Front Door will use the private endpoint, I think it makes sense to add that url to the subject name.

On the OneCert portal where we register domain names for our services, I'm unable to add the Private Endpoint. It follows the pattern *.azureroxy.azureedge.net, and *.azureedge.net is already a registered domain, used by some other team. What subject name should I add to the certificate and how can I register that domain on OneCert for automatic cert renewal on the Azure KeyVault?


1 answer

  1. ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee
    2023-10-19T00:02:37.4066667+00:00

    @Kruti Joshi

    Thank you for reaching out.

    Based on your questions above.

    For the certificate present in the service on AKS, I will need to add the Private Endpoint url as a SAN, correct? Or should we be using the DNS name of the service? Since the Front Door will use the private endpoint, I think it makes sense to add that url to the subject name.

    You need to add the Host Name configured when you added your Origin to Azure Front Door in this step here. The host name is used for SNI (SSL negotiation) and should match your server-side certificate.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

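The answer above turns on one point: the name Front Door presents in the TLS SNI (the origin host name configured on the origin) is what the server certificate must cover, not the private endpoint FQDN seen in diagnostics. The following Go program is an added example, not code from the thread or from Microsoft; it builds a throwaway self-signed certificate in memory with a chosen SAN list and runs the same RFC 6125 hostname check a TLS client applies, so a platform team can confirm a candidate SAN list against the origin host name before the certificate is issued. All host names in it (`service-dns.example.internal`, `pe-placeholder.example.net`) are constructed placeholders; substitute the real origin host name from the Front Door origin settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeTestCert builds a self-signed, in-memory certificate carrying the given
// DNS SANs. It exists only to drive the hostname check; nothing trusts it.
func makeTestCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans, // the SAN entries under test
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SNIMatches reports whether the certificate is acceptable for the host name a
// client (here Front Door) will send as TLS SNI. x509.VerifyHostname applies the
// RFC 6125 rules real clients use: SANs only when present, and a wildcard
// covers exactly one leftmost label.
func SNIMatches(cert *x509.Certificate, sni string) bool {
	return cert.VerifyHostname(sni) == nil
}

// CheckOriginCert is the pre-issuance check: given the SAN list you intend to
// request and the origin host name configured in Front Door, would the
// handshake's name check pass?
func CheckOriginCert(sans []string, originHostName string) (bool, error) {
	cert, err := makeTestCert(sans)
	if err != nil {
		return false, err
	}
	return SNIMatches(cert, originHostName), nil
}

func main() {
	// Constructed placeholders; the real origin host name comes from the
	// Front Door origin configuration.
	originHost := "service-dns.example.internal"
	peFQDN := "pe-placeholder.example.net" // stands in for the PE URL seen in diagnostics

	cases := []struct {
		sans []string
		sni  string
	}{
		{[]string{originHost}, originHost}, // SAN = origin host name: passes
		{[]string{peFQDN}, originHost},     // SAN = PE FQDN only: fails, wrong name
		{[]string{"*.example.net"}, peFQDN}, // wildcard covers one label
		{[]string{"*.example.net"}, "a.b.example.net"}, // wildcard does not span two labels
	}
	for _, c := range cases {
		ok, err := CheckOriginCert(c.sans, c.sni)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SANs=%v SNI=%s -> match=%v\n", c.sans, c.sni, ok)
	}
}
```

Run it with `go run .`; the second case is the failure mode the question is heading for: a certificate that names only the private endpoint FQDN is rejected when Front Door negotiates TLS with the origin host name. The wildcard cases show why `*.azureedge.net`-style entries would not rescue a multi-label name either.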