How can I add the PE FQDN as a SAN in certifiacte used by a service deployed on AKS Cluster that Front Door connects to using the PLS?

Question

I have a service deployed on an AKS cluster with DNS name, say, 'service-dns'. We connect to this service via the Front Door. On Front Door, when I add this service to an origin group and say 'Enable PLS', a private endpoint automatically gets created. Using diagnostics, I was able to get the url (Private Endpoint) that the Front Door is calling.

For the certificate present in the service on AKS, I will need to add the Private Endpoint url as a SAN, correct? Or should we be using the DNS name of the service? Since the Front Door will use the private endpoint, I think it makes sense to add that url to the subject name.

On the OneCert portal where we register domain names for our services, I'm unable to add the Private Endpoint. It follows the pattern *.azureroxy.azureedge.net, and *.azureedge.net is already a registered domain, used by some other team. What subject name should I add to the certificate and how can I register that domain on OneCert for automatic cert renewal on the Azure KeyVault?

Answer 1

@Kruti Joshi

Thank you for reaching out.

Based on your questions above.

For the certificate present in the service on AKS, I will need to add the Private Endpoint url as a SAN, correct? Or should we be using the DNS name of the service? Since the Front Door will use the private endpoint, I think it makes sense to add that url to the subject name.

You need to add the Host Name configured when you added your Origin to Azure Front Door in this step here. The host name is used for SNI (SSL negotiation) and should match your server-side certificate.

Hope this helps! Please let me know if you have any additional questions. Thank you!

---

​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.