Azure Application Gateway SSL Limits

Evan J 1 Reputation point
2021-11-02T21:59:30.687+00:00

Hello,

I am developing a SaaS application and I would like to support custom domains on the said application. For example the app will live on app.example.com and customers will have their own domains on customerxyz.example.com that route back to app.example.com. I am going to start out the application small with Azure Application Gateway and a couple of App Service instances. I would like to allow customers to have their own custom domain, for example support.customer1.com which would CNAME to customer1.example.com -> to app.example.com. All of which is fine until SSL comes into play. I understand that Application Gateway can support 100 SSL certs and that limit can be raised, but that does not really solve the problem of renewing certs and such.

I am aware of SNI certificates; my question is: can Application Gateway be used as a reverse proxy to an App Service that can serve the proper cert based on the host name of the incoming call? I understand that nginx could do something like this; is this plan feasible? The application is still in development and can pivot if I am going down the wrong path.

I also know that Cloudflare has a hosted option for this, which allows the certificates to be deployed out to their CDN. Can Azure Application Gateway perform a similar task where I host the public portion of the certificate in a storage account and have the gateway look for the cert in the CDN with a rule? I understand that CDNs are global and Application Gateway is regional. If Application Gateway is the wrong product to use here I would appreciate any advice on which products to go for, Front Door, etc.

Thanks!


1 answer

  1. nicola.lacquaniti 1 Reputation point
    2021-11-10T15:03:20.807+00:00

    I got the same issue.
    I am migrating a stand-alone multi-server web application of our own to Azure, but our authentication system is historically by mutual authentication, and each of our customers has their own certificate, not owned by us.
    We have 1456 users, each with their own dongle certificate.
    I set up all the stuff: the application gateway, the backend servers, the DNS and so on.
    Now I import the certificates, and boom! the bad news:

    Set-AzApplicationGateway : The number of Trusted Client certificates exceeds the maximum allowed value. The number of Trusted Client certificates is 542 and the maximum allowed
    is 100.
    At C:\certificaticompleti\importecert.ps1:23 char:1
    + Set-AzApplicationGateway -ApplicationGateway $appgw ;
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Set-AzApplicationGateway], CloudException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.SetAzureApplicationGatewayCommand

    Is it possible that the full Azure Application Gateway system is designed for a maximum of 100 users? Who can use it? Nobody with a significant customer base, I think.
    I'm sure I'm missing something here: I can't believe I have to spend 3K a month for 100 users!
    Can somebody give me a hint on how to have a load balancer in front of a multi-server backend with more than 100 users?
    Thank you in advance for your help!
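The failure above happens only at the final Set-AzApplicationGateway commit, after every certificate has already been staged in the local object. As an added example that is not part of this thread or of any Azure sample, the script below counts the gateway's existing trusted client certificate entries first and refuses the batch when it would exceed the 100-entry limit quoted in the error, so a long import does not fail at the end. It uses only documented Az.Network cmdlets (Get-AzApplicationGateway, Add-AzApplicationGatewayTrustedClientCertificate, Set-AzApplicationGateway); the resource group, gateway name and folder path are placeholders. Note also that Application Gateway mutual authentication validates client certificates against uploaded trusted client CA certificate chains, so each entry is normally an issuing CA, not an individual user's certificate; that is what the folder of .cer files is assumed to hold.

```powershell
# Added example (not from this thread): pre-flight check before the single
# Set-AzApplicationGateway commit, so a batch of trusted client certificate
# imports stops at the documented limit instead of failing the whole commit.
# Assumes the Az.Network module is installed and Connect-AzAccount has been run.
# Resource group, gateway name and folder are placeholders.

$ResourceGroup = "rg-placeholder"
$GatewayName   = "appgw-placeholder"
$CertFolder    = "C:\certs\trusted-client-ca"   # one issuing CA chain (.cer) per file
$MaxTrustedClientCerts = 100                     # limit quoted in the error above

$appgw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

$existing = @($appgw.TrustedClientCertificates).Count
Write-Host "Gateway already holds $existing trusted client certificate entries."

$files = @(Get-ChildItem -Path $CertFolder -Filter *.cer | Sort-Object Name)
$room  = $MaxTrustedClientCerts - $existing

if ($files.Count -gt $room) {
    throw ("Refusing to import: {0} files but only {1} slots left (limit {2}). " +
           "Each entry should be an issuing CA chain, not one certificate per user.") -f `
           $files.Count, $room, $MaxTrustedClientCerts
}

foreach ($file in $files) {
    $name = [IO.Path]::GetFileNameWithoutExtension($file.Name)

    # Skip entries already present so the script can be re-run safely.
    if ($appgw.TrustedClientCertificates | Where-Object { $_.Name -eq $name }) {
        Write-Host "Skipping $name (already present)."
        continue
    }

    # Stages the certificate in the local gateway object; nothing is sent yet.
    $appgw = Add-AzApplicationGatewayTrustedClientCertificate `
                -ApplicationGateway $appgw -Name $name -CertificateFile $file.FullName
    Write-Host "Staged $name."
}

# Single commit of the whole batch; on v2 gateways this call takes several minutes.
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null
Write-Host ("Gateway now holds {0} trusted client certificate entries." -f `
            @($appgw.TrustedClientCertificates).Count)
```

Run it from the same session that produced the error, with the folder pointed at the CA chain files rather than the per-user dongle certificates; the throw fires before any network call, so a refused batch leaves the gateway untouched.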