Issue while adding custom domain to azure front door standard tier

Sarathi 0 Reputation points
2024-04-19T11:23:51.4333333+00:00

Hi All, Greetings!!!

As a part of a POC, while trying to add a custom domain to the Azure Front Door Standard tier, I created a certificate in Azure Key Vault with the subject as the intended custom domain ("CN=<custom domain>"). A CNAME record was created in Azure DNS pointing to the frontend URL of the Azure Front Door Standard tier. But I am unable to populate the certificate from the Key Vault while creating the custom domain in Azure Front Door. I have performed the following steps but still no luck:

  1. Created an app registration and gave that service principal the Contributor role on the subscription, then added that service principal to the Azure Key Vault access policies to get and list secrets and certificates (the process we used to follow for classic Front Door).
  2. Added "Microsoft Azure CDN - 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8" to the access policy of the Key Vault (get and list secrets and certificates), as suggested by Microsoft.
  3. Enabled and added the system-assigned managed identity of the Azure Front Door to the Key Vault access policies (get and list secrets and certificates).

Kindly assist on this as I observed a similar issue in a prod setup.


1 answer

  1. Sina Salam 3,801 Reputation points
    2024-04-20T14:49:40.6833333+00:00

    Hello Sarathi,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    Further to your questions, I understand that you are facing difficulties adding a custom domain to Azure Front Door due to issues with accessing the certificate stored in Azure Key Vault. Despite correctly configuring permissions for both a service principal and a managed identity, you are unable to populate the certificate during the custom domain setup process. This issue has also been observed in a production environment, indicating a potential systemic problem.

    Scenarios

    You are tasked with integrating a custom domain into an Azure Front Door setup. You've created the necessary certificates in Azure Key Vault and configured permissions for both a service principal and a managed identity associated with Azure Front Door. However, when attempting to populate the certificate during the custom domain setup process, you encounter persistent issues. Despite following recommended troubleshooting steps and verifying permissions multiple times, the problem persists. Additionally, similar issues have been observed in a production environment, raising concerns about the overall reliability and effectiveness of the solution.

    Solution

    To address the issues encountered when adding a custom domain to Azure Front Door, and to effectively troubleshoot and resolve the problem of accessing certificates stored in Azure Key Vault for Azure Front Door integration, I am providing a generic answer below. You will need to:

    1. Provide the error message. If you're receiving any specific error messages or codes, they might provide clues about what's going wrong. Look for any logs or diagnostic information that can help pinpoint the issue.
    2. If you are sure that the permissions are properly configured, confirm the permissions assigned to the service principal and managed identity using the Azure CLI command to check the access policies for the Key Vault:
         az keyvault show --name <keyvault-name> --query "properties.accessPolicies"
      
      Ensure that both the service principal and managed identity have the necessary permissions to access certificates and secrets in the Key Vault.
    3. Check the Azure Key Vault diagnostic logs for any access-related errors. In particular, you might need to adjust network restrictions or firewall rules to allow access from Azure Front Door. You might also consider temporarily granting broader permissions to identify whether access restrictions are the root cause.
    4. You have let us know that your Key Vault configurations are correct, but ensure you verify the properties of the certificate stored in Azure Key Vault by using the Azure CLI command to list certificates in the Key Vault:
         az keyvault certificate list --vault-name <keyvault-name>
      
      This will help to affirm that the subject name of the certificate matches the custom domain intended for Azure Front Door.
    5. About the production environment, you will need to collect detailed information about the issue encountered there, including any error messages or logs. Then compare the configuration and permissions setup between the POC and production environments to identify any commonalities.

    Finally

    The above steps address each aspect of the issue systematically; by working through them you should be able to identify and resolve the issues with adding a custom domain to Azure Front Door and accessing certificates stored in Azure Key Vault.

    References

    Kindly read more additional resources by the right side of this page.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

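The answer's steps 2 through 4 (check the vault's access policies, check network restrictions, check the certificate's subject) can be turned into a repeatable offline check on the JSON the CLI returns. The script below is an added example, not code from the question or the answer above: it consumes the shape of `az keyvault show -o json` and `az keyvault certificate show -o json` and reports what would stop Front Door from reading the certificate. The sample vault and certificate documents are constructed for the example, the `FRONT_DOOR_OBJECT_ID` value is a placeholder (the object ID of the `205478c0-bd83-4e1b-a9d6-db63a3e1e1c8` application's service principal differs per tenant; it only exists once the application has been registered in your tenant), and the hypothetical object ID `aaaaaaaa-...-000000000001` stands in for the app registration from step 1 of the question. Two conditions the thread does not mention are also flagged because they silently override access policies: a vault with `enableRbacAuthorization` set, where access policies are ignored entirely, and a vault firewall with `defaultAction: Deny` that does not bypass trusted Azure services.

```python
"""Offline checker for the Key Vault side of an Azure Front Door custom-domain setup.

Input shapes mirror `az keyvault show -o json` and
`az keyvault certificate show -o json` (trimmed to the inspected fields).
"""
import json

# First-party Front Door / CDN application ID quoted in the question.
FRONT_DOOR_APP_ID = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
# Placeholder: the service principal's object ID in *your* tenant. Look it up with
#   az ad sp show --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8 --query id -o tsv
FRONT_DOOR_OBJECT_ID = "11111111-2222-3333-4444-555555555555"

# Permissions the thread grants to the Front Door principal; the PFX is read through the secret.
REQUIRED = {"secrets": {"get"}, "certificates": {"get"}}

# Constructed sample vault: Front Door principal has certificates get/list but only secrets list,
# and the firewall denies by default without bypassing trusted Azure services.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-afd-poc",
  "properties": {
    "enableRbacAuthorization": false,
    "networkAcls": {"defaultAction": "Deny", "bypass": "None", "ipRules": []},
    "accessPolicies": [
      {"objectId": "aaaaaaaa-0000-0000-0000-000000000001",
       "permissions": {"certificates": ["get", "list"], "secrets": ["get", "list"], "keys": []}},
      {"objectId": "11111111-2222-3333-4444-555555555555",
       "permissions": {"certificates": ["get", "list"], "secrets": ["list"], "keys": []}}
    ]
  }
}
""")

# Constructed sample certificate: CN plus a wildcard SAN, exportable RSA key.
SAMPLE_CERT = json.loads("""
{
  "name": "www-contoso-com",
  "policy": {
    "keyProperties": {"exportable": true, "keyType": "RSA", "keySize": 2048},
    "x509CertificateProperties": {
      "subject": "CN=www.contoso.com",
      "subjectAlternativeNames": {"dnsNames": ["www.contoso.com", "*.contoso.com"]}
    }
  }
}
""")


def find_policy(vault, object_id):
    """Return the access policy entry for object_id, or None if the principal has no entry."""
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() == object_id.lower():
            return policy
    return None


def missing_permissions(vault, object_id):
    """Map of permission kind -> sorted list of REQUIRED permissions the principal lacks."""
    policy = find_policy(vault, object_id)
    if policy is None:
        return {kind: sorted(perms) for kind, perms in REQUIRED.items()}
    granted = policy["permissions"]
    missing = {}
    for kind, perms in REQUIRED.items():
        have = {p.lower() for p in (granted.get(kind) or [])}
        gap = sorted(perms - have)
        if gap:
            missing[kind] = gap
    return missing


def check_vault(vault, front_door_object_id):
    """List of human-readable findings that would block Front Door from reading the vault."""
    findings = []
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        findings.append("vault uses Azure RBAC; access policies are ignored, assign an RBAC role instead")
    acls = props.get("networkAcls") or {}
    deny = acls.get("defaultAction", "Allow").lower() == "deny"
    if deny and "azureservices" not in (acls.get("bypass") or "").lower():
        findings.append("firewall denies by default and does not bypass trusted Azure services")
    for kind, perms in missing_permissions(vault, front_door_object_id).items():
        findings.append(f"Front Door principal lacks {', '.join(perms)} on {kind}")
    return findings


def _common_name(subject):
    """Extract the CN value from an X.509 subject string such as 'CN=www.contoso.com, O=Contoso'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return None


def _name_matches(name, domain):
    """Exact match, or a single-label wildcard match ('*.contoso.com' covers 'www.contoso.com' only)."""
    name, domain = name.lower(), domain.lower()
    if name.startswith("*."):
        return "." in domain and domain.split(".", 1)[1] == name[2:]
    return name == domain


def certificate_covers(cert, custom_domain):
    """True if the CN or any SAN dnsName of the certificate covers custom_domain."""
    x509 = cert["policy"]["x509CertificateProperties"]
    names = [_common_name(x509.get("subject", ""))]
    names += (x509.get("subjectAlternativeNames") or {}).get("dnsNames", [])
    return any(n and _name_matches(n, custom_domain) for n in names)


def check_certificate(cert, custom_domain):
    """Findings on the certificate itself: non-exportable key or a name that does not match."""
    findings = []
    if not cert["policy"]["keyProperties"].get("exportable", False):
        findings.append("private key is not exportable, so the PFX cannot be retrieved as a secret")
    if not certificate_covers(cert, custom_domain):
        findings.append(f"certificate does not cover {custom_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_vault(SAMPLE_VAULT, FRONT_DOOR_OBJECT_ID) + check_certificate(SAMPLE_CERT, "www.contoso.com"):
        print("-", finding)
```

On the sample data the script reports two findings: the firewall blocks trusted services, and the Front Door principal has `list` but not `get` on secrets, which is exactly the permission Front Door needs to pull the PFX. To run it against a real vault, replace the two sample documents with `json.load()` of the saved CLI output and `FRONT_DOOR_OBJECT_ID` with the object ID from `az ad sp show`.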