Walkthrough: Adding a domain for an existing role

Current version: 10.1

Sitecore has four publicly available endpoints: Content Delivery, Content Management, Identity, and Grafana (metrics dashboard). You can use the same base domain name for all those roles and a wildcard certificate to cover all those domains. You can also use a different root domain for different roles or use a domain-specific certificate (not a wildcard certificate) for each endpoint. This walkthrough describes how to add a domain for a Sitecore endpoint.

Note

You must use CNAME DNS Hosting for Managed Cloud Containers.

This walkthrough describes how to:

  • Create and import the certificate

  • Migrate to the new domain

  • Assign the certificate to the Frontdoor frontend endpoint

  • Create the additional domain for an existing role

Create and import the certificate

If you want to use a domain-specific certificate for each endpoint, you must create and import a certificate.

To create and import a certificate:

  1. Prepare a domain-specific certificate (.pfx) for a new top-level domain. For example: .example.com.

  2. Upload the certificate to the Azure Key Vault certificates storage. For example: cd-example-com.

Migrate to the new domain

After you import the certificate, you must migrate to the new domain.

To migrate to the new domain:

  1. Update Key Vault secrets for the new domain. For example, the secret for CD is sitecore-cd-host-name.

  2. Configure DNS records for the new domain for a particular role. Add a CNAME record for your custom domain that points to Azure Frontdoor: {infrastructure_id}fdr.azurefd.net.

    "cd.example.com" with CNAME "mcc<…>fdr.azurefd.net"

Assign the certificate to the Frontdoor frontend endpoint

To assign the certificate to the Frontdoor frontend endpoint:

  1. Go to the Infrastructure repository and create a new branch.

  2. Update /frontdoor/main.tf with the new certificate:

    • Update the version of AzureRm to 2.64.0 or higher.

      azurerm = {
        source  = "hashicorp/azurerm"
        version = "~> 2.64.0"
      }

    • If it exists, remove the deprecated property custom_https_provisioning_enabled:

      resource "azurerm_frontdoor" "this" {
        name                                         = local.frontdoor_name
        resource_group_name                          = var.resource_group_name
        enforce_backend_pools_certificate_name_check = false
        backend_pools_send_receive_timeout_seconds   = 240

        # ...

        frontend_endpoint {
          name      = "${local.frontdoor_name}-endpoint"
          host_name = "${local.frontdoor_name}.azurefd.net"
          custom_https_provisioning_enabled # <-- remove this deprecated property
        }
      }

    • Update the reference to Azure Key Vault:

      • azure_key_vault_certificate_secret_name - use the secret from Azure Key Vault.

      • azure_key_vault_certificate_secret_version - remove it. For example, for CD:

        resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration" {
          frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-frontend-endpoint"]
          custom_https_provisioning_enabled = true

          custom_https_configuration {
            certificate_source                      = "AzureKeyVault"
            azure_key_vault_certificate_secret_name = "cd-example-com"
            azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
          }

          depends_on = [azurerm_frontdoor.this]
        }

    • Create a pull request.

  3. To apply the changes, contact Sitecore Support to remove the DNS record from the previous domain for a particular role.

  4. Run the Frontdoor pipeline.

  5. Run the Application pipeline.

  6. Run the Restart Pod pipeline with default parameters.

Create the additional domain for an existing role

To create a domain:

  1. Create a new branch for the feature.

  2. Configure DNS records for the new domain for a particular role. Add a CNAME record for your custom domain that points to Azure Frontdoor: {infrastructure_id}fdr.azurefd.net.

  3. Update /frontdoor/main.tf with the new frontend endpoint.

  4. Assign routing rules:

    • Add cd-new-frontend to frontend endpoints:

      routing_rule {
        name               = "HTTPS-cd"
        accepted_protocols = ["Https"]
        patterns_to_match  = ["/*"]
        frontend_endpoints = ["cd-frontend-endpoint", "cd-new-frontend"]
        forwarding_configuration {
          forwarding_protocol = "MatchRequest"
          backend_pool_name   = "cd-ingress"
        }
      }

  5. Create and complete the pull request.

  6. Trigger the Frontdoor pipeline.

  7. Upload the certificate to Azure Key Vault.

  8. Create a new branch to assign the certificate with the domain.

  9. Add the new frontend endpoint to the HttpToHttps redirection rule:

    frontend_endpoints = [
      "cd-frontend-endpoint",
      "cm-frontend-endpoint",
      "id-frontend-endpoint",
      "grafana-frontend-endpoint",
      "cd-new-frontend"
    ]

  10. Add the new resource into /frontdoor/main.tf:

    • Go to frontend_endpoint_id and add the name of the new frontend endpoint.

    • Go to azure_key_vault_certificate_secret_name and add the name of the certificate in Azure Key Vault.

      resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration_new_domain" {
        frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-new-frontend"]
        custom_https_provisioning_enabled = true

        custom_https_configuration {
          certificate_source                      = "AzureKeyVault"
          azure_key_vault_certificate_secret_name = "cd-example-com"
          azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
        }

        depends_on = [azurerm_frontdoor.this]
      }

  11. Create and complete the pull request.

  12. Trigger the Frontdoor pipeline.
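
Steps 4, 9 and 10 must agree on the endpoint name: an endpoint that serves HTTPS traffic but is missing from the HttpToHttps rule, or has no custom HTTPS configuration, ends up without a redirect or without the imported certificate. The following Python check is an added example, not part of this article or of the Infrastructure repository; it assumes the redirect rule's name attribute is "HttpToHttps" and runs on a constructed excerpt of /frontdoor/main.tf.

```python
import re

# Constructed excerpt of /frontdoor/main.tf: step 4 is done (routing rule),
# steps 9 and 10 (redirect rule, HTTPS configuration) are not.
SAMPLE_TF = '''
routing_rule {
  name               = "HTTPS-cd"
  accepted_protocols = ["Https"]
  frontend_endpoints = ["cd-frontend-endpoint", "cd-new-frontend"]
}
routing_rule {
  name               = "HttpToHttps"
  accepted_protocols = ["Http"]
  frontend_endpoints = ["cd-frontend-endpoint"]
}
resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration" {
  frontend_endpoint_id = azurerm_frontdoor.this.frontend_endpoints["cd-frontend-endpoint"]
}
'''

def routing_rules(tf):
    """Return {rule name: set of frontend endpoint names} for each routing_rule."""
    rules = {}
    for chunk in re.split(r'\brouting_rule\s*\{', tf)[1:]:
        name = re.search(r'\bname\s*=\s*"([^"]+)"', chunk)
        eps = re.search(r'\bfrontend_endpoints\s*=\s*\[(.*?)\]', chunk, re.S)
        if name and eps:
            rules[name.group(1)] = set(re.findall(r'"([^"]+)"', eps.group(1)))
    return rules

def https_configured(tf):
    """Endpoints referenced by a custom HTTPS configuration resource."""
    return set(re.findall(r'frontend_endpoint_id\s*=\s*\S*frontend_endpoints\["([^"]+)"\]', tf))

def audit(tf, redirect_rule="HttpToHttps"):  # rule name is an assumption
    rules = routing_rules(tf)
    served = set().union(*(e for n, e in rules.items() if n != redirect_rule))
    findings = [f"{ep}: not in the {redirect_rule} rule"
                for ep in sorted(served - rules.get(redirect_rule, set()))]
    findings += [f"{ep}: no custom HTTPS configuration"
                 for ep in sorted(served - https_configured(tf))]
    # The walkthrough says to remove this property from the configuration.
    if re.search(r'^\s*azure_key_vault_certificate_secret_version\s*=', tf, re.M):
        findings.append("azure_key_vault_certificate_secret_version is still set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TF)) or "no findings")
```

The parser is regex-based and expects the name attribute to precede frontend_endpoints inside each routing_rule, as in the snippets above.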
