Configuring Azure Front Door with Azure CLI issues
I am trying to create and configure Azure FrontDoor for an Azure WebApp, and I am not getting any good results.
Here is what am I trying to do:
- I Have a custom domain (
mydomain.com), which I am configuring in an Azure DNS Zone (mydomain.com). - I have an Azure WebApp (
myapp.azurewebsites.net), or rather I have three:myapp.azurewebsites.net,myapp-qa.azurewebsites.netandmyapp-dev.azurewebsites.net, for each environment. - I am trying to configure Azure FrontDoor, so it can accept all requests going through
mydomain.com(for now I am not adding any security features, like WAF etc, I just want to see it working first). - I would like to route all the requests as follows: all request going to
mydomain.comorwww.mydomain.comto go tomyapp.azurewebsites.net(PROD site); all request going toqa.mydomain.comto go tomyapp-qa.azurewebsites.net(QA site); all request going todev.mydomain.comto go tomyapp-dev.azurewebsites.net(DEV site). All unmatched go to PROD site.
HERE are the issues I am having (see script below for details):
- line
az afd custom-domain update -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --name "$DOMAIN_NAME" --certificate-type ManagedCertificate --minimum-tls-version TLS12fails. All I am trying to do here is configure the custom domain to use the AFD certifiace, and TLS12. And maybe add things like Https only, convert all Htpp requests to Https etc. It fails with(BadRequest) Property 'AfdDomain.TlsSettings.Secret.Id' is required but it was not setwhich seems to be reserved for cases when a custom certificate is supplied. - The custom domains do not seem to been configured correctly.
It says always "Pending" and "Certificate needed" I was under the impression that added from an Azure DNS Zone, AFD does it own validation. - The routing does not work or configured correctly. For each url call like
mydomain.comorqa.mydomain.comordev.mydomain.comI get this error
I am not sure what am I doing wrong. Probably a few things. I searched deep and wide to find some documentation on how to do this but have come up empty.
Thanks in advance.
HERE isthe script I am using
#!/bin/bash
RESOURCE_GROUP="myresourcegroup"
CUSTOM_DOMAIN_NAME="mydomain.com"
#DNS parameters
ZONE_NAME="mydomain.com"
TTL=60
CNAME_TARGET="myazurefrontdoor-fd.azurefd.net"
#FrontDoor parameters
AZURE_FRONTDOOR_PROFILE_NAME="myazurefrontdoor-fd"
AZURE_FRONTDOOR_ENDPOINT_NAME="${CUSTOM_DOMAIN_NAME//./-}-endpoint"
AZURE_FRONTDOOR_ORIGIN_GROUP_NAME="${CUSTOM_DOMAIN_NAME//./-}-origin-group"
#App parameters
APP_NAME="myapp"
APP_URL_PROD="$APP_NAME.azurewebsites.net"
APP_URL_QA="$APP_NAME-qa.azurewebsites.net"
APP_URL_DEV="$APP_NAME-dev.azurewebsites.net"
# Create AFD profile
az afd profile create -g "$RESOURCE_GROUP" --name $AZURE_FRONTDOOR_PROFILE_NAME --sku Standard_AzureFrontDoor
#Create Azure DNZ Zone
#Name servers have been added manually at the domain provider
az network dns zone create -g "$RESOURCE_GROUP" --name $ZONE_NAME
# #################################################################
# This section creates the DNS records in the Azure DNS Zone
####################################################################
ENDPOINT_ID=$(az afd endpoint show -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --endpoint-name "$AZURE_FRONTDOOR_ENDPOINT_NAME" --query "id" -o tsv)
if [ -z "$ENDPOINT_ID" ]; then
echo "Error: Could not retrieve the Endpoint ID. Please check if the endpoint exists."
exit 1
fi
az network dns record-set a create -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --name "@" --ttl "$TTL" --target-resource "$ENDPOINT_ID"
# az network dns record-set cname create -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --name "@" --ttl "$TTL"
# az network dns record-set cname set-record -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --record-set-name "@" --cname "$CNAME_TARGET"
az network dns record-set cname create -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --name "www" --ttl "$TTL" --target-resource "$ENDPOINT_ID"
az network dns record-set cname create -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --name "qa" --ttl "$TTL" --target-resource "$ENDPOINT_ID"
az network dns record-set cname create -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --name "dev" --ttl "$TTL" --target-resource "$ENDPOINT_ID"
az network dns record-set cname set-record -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --record-set-name "www" --cname "$CNAME_TARGET"
az network dns record-set cname set-record -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --record-set-name "qa" --cname "$CNAME_TARGET"
az network dns record-set cname set-record -g "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" --record-set-name "dev" --cname "$CNAME_TARGET"
# #################################################################
# This section creates and configures Azuer Front Door
####################################################################
declare -A ORIGINS=(
["$CUSTOM_DOMAIN_NAME"]="$APP_URL_PROD"
["qa.$CUSTOM_DOMAIN_NAME"]="$APP_URL_QA"
["dev.$CUSTOM_DOMAIN_NAME"]="$APP_URL_DEV"
)
declare -A SUBDOMAINS=(
["$CUSTOM_DOMAIN_NAME"]="ManagedCertificate"
["qa.$CUSTOM_DOMAIN_NAME"]="ManagedCertificate"
["dev.$CUSTOM_DOMAIN_NAME"]="ManagedCertificate"
)
# Create endpoint
az afd endpoint create -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --endpoint-name "$AZURE_FRONTDOOR_ENDPOINT_NAME" --enabled-state Enabled
# Create origin group
az afd origin-group create -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --origin-group-name "$AZURE_FRONTDOOR_ORIGIN_GROUP_NAME" --sample-size 1 --successful-samples-required 1 --probe-path "/" --probe-protocol "Https" --probe-interval-in-seconds 30
# Create origins
for ORIGIN_NAME in "${!ORIGINS[@]}"; do
ORIGIN="${ORIGIN_NAME//./-}-origin"
az afd origin create -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --origin-group-name "$AZURE_FRONTDOOR_ORIGIN_GROUP_NAME" --origin-name "$ORIGIN" --host-name "${ORIGINS[$ORIGIN_NAME]}"
done
# Get DNS Zone ID dynamically
DNS_ZONE_ID=$(az network dns zone show -g "$RESOURCE_GROUP" --name "$CUSTOM_DOMAIN_NAME" --query id --output tsv)
# Create and update custom domains with HTTPS
for DOMAIN in "${!SUBDOMAINS[@]}"; do
DOMAIN_NAME="${DOMAIN//./-}-domain"
az afd custom-domain create -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --name "$DOMAIN_NAME" --host-name "$DOMAIN" --azure-dns-zone "$DNS_ZONE_ID"
# >>> THIS LINE FAILS: (BadRequest) Property 'AfdDomain.TlsSettings.Secret.Id' is required but it was not set
#az afd custom-domain update -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --name "$DOMAIN_NAME" --certificate-type ManagedCertificate --minimum-tls-version TLS12
done
# Create route rules dynamically
declare -A ROUTES=(
["root"]="/"
["www"]="/www"
["qa"]="/qa"
["dev"]="/dev"
)
for ROUTE_NAME in "${!ROUTES[@]}"; do
if [[ "$ROUTE_NAME" == "root" || "$ROUTE_NAME" == "www" ]]; then
CUSTOM_DOMAIN="${CUSTOM_DOMAIN_NAME//./-}-domain"
elif [[ "$ROUTE_NAME" == "qa" ]]; then
CUSTOM_DOMAIN="qa-${CUSTOM_DOMAIN_NAME//./-}-domain"
elif [[ "$ROUTE_NAME" == "dev" ]]; then
CUSTOM_DOMAIN="dev-${CUSTOM_DOMAIN_NAME//./-}-domain"
fi
az afd route create -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --endpoint-name "$AZURE_FRONTDOOR_ENDPOINT_NAME" --route-name "$ROUTE_NAME" --origin-group "$AZURE_FRONTDOOR_ORIGIN_GROUP_NAME" --custom-domains "$CUSTOM_DOMAIN" --patterns-to-match "${ROUTES[$ROUTE_NAME]}"
done
Solution
As detailed in this MS Doc, if you are using AFD Managed certificates it will validate the domain automatically with the help of a DNS Zone and provision a certificate accordingly. Sometimes, it also takes a good amount of time than expected to move from pending to successful state. You can keep on check the status under the Custom domains section of the AFD profile settings.
So, it means that you can remove the afd update command from the script under loops. After checking all these and keeping everything same as your code but removed the below line helped me to perform it successfully.
az afd custom-domain update -g "$RESOURCE_GROUP" --profile-name "$AZURE_FRONTDOOR_PROFILE_NAME" --name "$DOMAIN_NAME" --certificate-type ManagedCertificate --minimum-tls-version TLS12
Also, check the route patterns again and make sure that all requests to the specific used domains matches the route patterns properly without any conflict.
Note: Try upgrading the AFD profile to the premium if you are using a standard one to avoid conflicts.
- Azure CLI Never Ending task
- Github Action to deploy to Azure fails (no changes made) - "Containerapp does not exist"
- Configuring Azure Front Door with Azure CLI issues
- Get-AzApplicationInsights is not recognized
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Cannot assign Azure Role for cosmos db
- why az login stopped using browser and now uses "email and accounts". How to revert it?
- Cannot update Azure DevOps wiki from pipeline
- "az webapp identity assign" command throws LinkedInvalidPropertyId
- Az CLI: Cannot run pipeline with runtime parameters
- Can the default error color be changed in Python?
- Updating web redirect uri of Azure AD app registration
- Size of Azure Storage Account inconsistent in CLI and Azure Portal
- Pass CLI command output into Terraform for_each expression
- How can i list the different instances of a Azure app service and restart an instance?
- How to get the Resource Group ID with Azure CLI?
- How to get a list of files in an Azure blob storage with "az" command line tool?
- How to get Role Definition using Azure CLI
- How can you toggle an azure storage account Networking from Enabled to Enabled Selected Networks via Azure CLI?
- Getting error when running az extension add --name serviceconnector-passwordless
- Service Principal az cli login failing - NO subscriptions found
- Use same GUID in bicep templates and Azure Portal
- Azure FunctionApps list not returning functions
- az mysql flexible-server create writes password in the logs
- az mysql flexible-server show returns null
- az mysql flexible-server create creates server that cannot connect into
- Azure cli to filter Instances using tags
- Cannot run Azure CLI task on yaml build
- Creating multiple function apps with one Flex Consumption plan
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed