Custom Domain and Certificates on AKS with App Gateway

I'm struggling to understand how all things need to be configured in the following scenario:

• custom domain registered by the client to be something like api.<appname>.dev.client.com
• managed service app certificate bought in Azure for the same domain (no wildcard, the client would like to avoid it)
• the front-end is hosted in a Azure Static Web App
• the back-end is hosted in AKS, served through an Application Gateway (the Ingress Controller being used in AKS is the traefik ingress controller)

So, I've applied another custom domain to the Static Web App (<appname>.dev.client.com), the certificate is not needed as it's created automatically by Azure. All good here.

Now I would like to understand how and what I need to configure for the Application Gateway and AKS to work properly with the new certificate and domain. At the moment I have:

• An HTTPS Listener in the App Gateway setup to use the host name: <appname>-dev.uksouth.cloudapp.azure.com. I guess this needs to be changed to api.<appname>.dev.client.com, correct? Also, it's this listener where I should apply the certificate stored in Key Vault (will use Terraform), right?
• A Public IP address currently configured with a DNS label of: <appname>-dev.uksouth.cloudapp.azure.com. I suppose I can keep this as it is, but put the CNAME record of <appname>-dev.uksouth.cloudapp.azure.com against my custom domain.
• The backend pool in the App Gateway is currently setup with backend target a FQDN being: aks-ingress.<appname>-dev.uksouth.cloudapp.azure.com which matches the private DNS zone that is linked to the AKS Ingress Controller IP address. Do I need to change this one?
• The backend setting for HTTPS requires a Root certificate, can I just check "Backend server’s certificate is issued by a well-known CA" to "Yes" or do I need to upload the root certificate of my certificate? Or can I even use a self-signed certificate?

In all of this, which certificate am I supposed to pass to the AKS ingress controller? The custom one tied to my domain? How is it going to validate it against my domain?

You can use HTTPS listener api.<appname>.dev.client.com as the host name so that application gateway listens for incoming requests on the custom domain and forward them to the appropriate backend pool of your AKS cluster.

You can apply the certificate stored in Key Vault using terraform or via portal like below:

• Yes, you need to configure a CNAME record for your custom domain api.<appname>.dev.client.com to point to <appname>-dev.uksouth.cloudapp.azure.com.

• The backend FQDN should be the hostname on which the application is available, and it should be reachable by the App Gateway. This FQDN should match the private DNS zone linked to the AKS Ingress Controller IP address.

• According to the type of certificate If your backend server's certificate is issued by a well-known Certificate Authority (CA), you can check the option Backend server’s certificate is issued by a well-known CA as Yes in the backend settings of the Application Gateway. Refer

You can also use a self-signed certificate You need to upload the root certificate of your certificate to the Application Gateway but the cert on App Gateway should be trusted.

Make sure that neither the hostname for the Custom Probe nor the hostname for the Backend configuration (in that order) matches the Common Name of the backend server's certificate when you select the HTTPS protocol in the backend configuration. Refer

while using Custom Probe you can use the host field to specify the Common Name of the backend server certificate.

In the probe settings, you can select Pick hostname from backend setting if the Backend Setting has been configured with the same hostname.

At last, you have to pass the Custom certificate associated with your domain to the AKS Ingress Controller. The AKS Ingress Controller will validate the certificate against the domain specified in the certificate