Walkthrough: Adding a domain for an existing role

Abstract

Learn how to add a custom domain.

Sitecore has four publicly available endpoints: Continuous delivery, Content Management, Identity, and Grafana (metrics dashboard). You can use the same base domain name for all those roles and a wildcard certificate to cover all those domains. You can also use a different root domain for different roles or use a domain-specific certificate (not a wildcard certificate) for each endpoint. This walkthrough describes how to add a domain for a Sitecore endpoint.

This walkthrough describes how to:

  • Create and import the certificate

  • Migrate to the new domain

  • Assign the certificate to the Frontdoor frontend endpoint

  • Create the additional domain for an existing role

If you want to use a domain-specific certificate for each endpoint, you must create and import a certificate.

To create and import a certificate:

  1. Prepare a domain-specific certificate (.pfx) for a new top-level domain. For example: .example.com.

  2. Upload the certificate to the Azure Key Vault certificates storage. For example: cd-example-com.

After you import the certificate, you must migrate to the new domain.

To migrate to the new domain:

  1. Update Key Vault secrets for the new domain. For example, the secret for CD is sitecore-cd-host-name.

  2. Configure DNS records for the new domain for a particular role. Add a CNAME record for each custom domain that points to Azure Frontdoor: {infrastructure_id}fdr.azurefd.net. For example:

    cd.example.com    CNAME    mcc<…>fdr.azurefd.net

To assign the certificate to the Frontdoor frontend endpoint:

  1. Go to the Infrastructure repository and create a new branch.

  2. Update /frontdoor/main.tf with the new certificate:

    • Update the AzureRM provider version to 2.64.0 or higher (the azurerm entry sits inside the terraform { required_providers { ... } } block):

      terraform {
        required_providers {
          azurerm = {
            source  = "hashicorp/azurerm"
            version = "~> 2.64.0"
          }
        }
      }

    • If it exists, remove the deprecated property custom_https_provisioning_enabled:

      resource "azurerm_frontdoor" "this" {
        name                                         = local.frontdoor_name
        resource_group_name                          = var.resource_group_name
        enforce_backend_pools_certificate_name_check = false
        backend_pools_send_receive_timeout_seconds   = 240

        # ...

        frontend_endpoint {
          name      = "${local.frontdoor_name}-endpoint"
          host_name = "${local.frontdoor_name}.azurefd.net"
          custom_https_provisioning_enabled          # <<<<<< remove it
        }

        # ...
      
    • Update the reference to Azure Key Vault:

      • azure_key_vault_certificate_secret_name - use the secret from Azure Key Vault.

      • azure_key_vault_certificate_secret_version - remove it. For example, for CD:

        resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration" {
          frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-frontend-endpoint"]
          custom_https_provisioning_enabled = true

          custom_https_configuration {
            certificate_source                      = "AzureKeyVault"
            azure_key_vault_certificate_secret_name = "cd-example-com"
            azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
          }

          depends_on = [azurerm_frontdoor.this]
        }
        
    • Create a pull request.

  3. To apply the changes, contact Sitecore Support to remove the DNS record from the previous domain for a particular role.

  4. Run the Frontdoor pipeline.

  5. Run the Application pipeline.

  6. Run the Restart Pod pipeline with default parameters.

Create the additional domain for an existing role

To create a domain:

  1. Create a new branch for the feature.

  2. Configure DNS records for the new domain for a particular role. Add a CNAME record for each custom domain that points to Azure Frontdoor: {infrastructure_id}fdr.azurefd.net.

  3. Update /frontdoor/main.tf with the new frontend endpoint.

  4. Assign routing rules:

    • Add cd-new-frontend to frontend endpoints:

      routing_rule {
        name               = "HTTPS-cd"
        accepted_protocols = ["Https"]
        patterns_to_match  = ["/*"]
        frontend_endpoints = ["cd-frontend-endpoint", "cd-new-frontend"]
        forwarding_configuration {
          forwarding_protocol = "MatchRequest"
          backend_pool_name   = "cd-ingress"
        }
      }
      
  5. Create and complete the pull request.

  6. Trigger the Frontdoor pipeline.

  7. Upload the certificate to Azure KeyVault.

  8. Create a new branch to assign the certificate with the domain.

  9. Add the new frontend endpoint to the HttpToHttps redirection rule:

    frontend_endpoints = [
      "cd-frontend-endpoint",
      "cm-frontend-endpoint",
      "id-frontend-endpoint",
      "grafana-frontend-endpoint",
      "cd-new-frontend",
    ]

  10. Add the new resource into /frontdoor/main.tf:

    • Go to frontend_endpoint_id and add the name of the new frontend endpoint.

    • Go to azure_key_vault_certificate_secret_name and add the name of the certificate in Azure KeyVault.

      resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration_new_domain" {
        frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-new-frontend"]
        custom_https_provisioning_enabled = true

        custom_https_configuration {
          certificate_source                      = "AzureKeyVault"
          azure_key_vault_certificate_secret_name = "cd-example-com"
          azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
        }

        depends_on = [azurerm_frontdoor.this]
      }
      
  11. Create and complete the pull request.

  12. Trigger the Frontdoor pipeline.
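Before opening either pull request in this walkthrough (the certificate assignment earlier and the new frontend endpoint just described), an offline lint of the edited /frontdoor/main.tf catches the three mistakes the steps warn about: the deprecated custom_https_provisioning_enabled left inside a frontend_endpoint, a stale azure_key_vault_certificate_secret_version, and a frontend endpoint that is declared but missing from a routing rule (or referenced under a misspelled name). This is an added Python example, not Sitecore's tooling or the Infrastructure repository's own code; the HCL sample is constructed, and the regex-based block peeling is an approximation rather than a full HCL parser.

```python
import re
# Constructed sample in the shape of this walkthrough's main.tf snippets (not the real file): cd-new-frontend
# is declared but missing from HttpToHttps, the deprecated property is still inside a frontend_endpoint,
# and the old secret_version line was not removed.
SAMPLE_TF = '''
resource "azurerm_frontdoor" "this" {
  frontend_endpoint { name = "cd-frontend-endpoint" }
  frontend_endpoint {
    name                              = "cd-new-frontend"
    custom_https_provisioning_enabled = true
  }
  routing_rule {
    name               = "HttpToHttps"
    frontend_endpoints = ["cd-frontend-endpoint"]
  }
  routing_rule {
    name               = "HTTPS-cd"
    frontend_endpoints = ["cd-frontend-endpoint", "cd-new-frontend"]
  }
}
resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration_new_domain" {
  custom_https_configuration {
    azure_key_vault_certificate_secret_name    = "cd-example-com"
    azure_key_vault_certificate_secret_version = "abc123"
  }
}
'''
BLOCK = re.compile(r'(\w+)\s*\{([^{}]*)\}')   # a block whose body has no further braces
NAME = re.compile(r'\bname\s*=\s*"([^"]+)"')
ENDPOINTS = re.compile(r'frontend_endpoints\s*=\s*\[([^\]]*)\]')

def check_frontdoor_tf(tf):
    """Return the problems a reviewer would flag in the edit; an empty list means it looks sound."""
    declared, rules, findings = set(), {}, []
    # Peel innermost (brace-free) blocks out of the text one at a time; resource headers never match and are left behind.
    while (m := BLOCK.search(tf)):
        kind, body = m.group(1), m.group(2)
        tf = tf[:m.start()] + tf[m.end():]
        name = NAME.search(body)
        if kind == "frontend_endpoint" and name:
            declared.add(name.group(1))
            if "custom_https_provisioning_enabled" in body:
                findings.append(f"frontend_endpoint {name.group(1)}: remove deprecated custom_https_provisioning_enabled")
        elif kind == "routing_rule" and name and (eps := ENDPOINTS.search(body)):
            rules[name.group(1)] = set(re.findall(r'"([^"]+)"', eps.group(1)))
        elif kind == "custom_https_configuration" and "azure_key_vault_certificate_secret_version" in body:
            findings.append("custom_https_configuration: remove azure_key_vault_certificate_secret_version")
    for rule, eps in rules.items():   # a typo here would silently route nothing to the new domain
        findings += [f"routing_rule {rule}: unknown frontend endpoint {ep}" for ep in sorted(eps - declared)]
    # Every declared endpoint must be in HttpToHttps too, or plain-HTTP requests to that domain are not redirected.
    findings += [f"routing_rule HttpToHttps: missing {ep}" for ep in sorted(declared - rules.get("HttpToHttps", set()))]
    return findings
```

Run it against the real file with check_frontdoor_tf(open("frontdoor/main.tf").read()) from the branch root; an empty list is the expected result before the pull request is created.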