Walkthrough: Adding a domain for an existing role
Sitecore has four publicly available endpoints: Content delivery, Content Management, Identity, and Grafana (metrics dashboard). You can use the same base domain name for all those roles and a wildcard certificate to cover all those domains. You can also use a different root domain for different roles or use a domain-specific certificate (not a wildcard certificate) for each endpoint. This walkthrough describes how to add a domain for a Sitecore endpoint.
You must use CNAME DNS hosting for Managed Cloud Containers (see Use CNAME DNS Hosting for Managed Cloud Containers); the custom domains below are all CNAME records pointed at the Frontdoor host.
This walkthrough describes how to:
- Create and import the certificate
- Migrate to the new domain
- Assign the certificate to the Frontdoor frontend endpoint
- Create the additional domain for an existing role
Create and import the certificate
If you want to use a domain-specific certificate for each endpoint, you must create and import a certificate for that endpoint's domain.
To create and import a certificate:
- Prepare a domain-specific certificate (.pfx) for the new root domain, for example a certificate for a host under `.example.com`. The .pfx contains the private key, so keep it out of the Infrastructure repository and hand it only to Key Vault.
- Upload the certificate to the Azure Key Vault certificates storage, for example under the name `cd-example-com`. This certificate name is what the Terraform configuration later references as the Key Vault secret name.
Migrate to the new domain
After you import the certificate, you must migrate to the new domain.
To migrate to the new domain:
- Update the Key Vault secrets for the new domain. For example, the secret that holds the CD host name is `sitecore-cd-host-name`.
- Configure DNS records for the new domain for the particular role. Add a CNAME for your custom domain pointed at the Azure Frontdoor host `{infrastructure_id}fdr.azurefd.net`, for example:

```
"cd.example.com" with CNAME "mcc<…>fdr.azurefd.net"
```

Frontdoor validates ownership of a custom domain through this CNAME, so confirm that the record resolves to the Frontdoor host before you run the pipelines; custom HTTPS provisioning for the endpoint fails until it does.
Assign the certificate to the Frontdoor frontend endpoint
To assign the certificate to the Frontdoor frontend endpoint:
- Go to the Infrastructure repository and create a new branch.
- Update `/frontdoor/main.tf` with the new certificate:
  - Update the version of the `azurerm` provider to 2.64.0 or higher:

```hcl
azurerm = {
  source  = "hashicorp/azurerm"
  version = "~> 2.64.0"
}
```

  Note that the pessimistic constraint `~> 2.64.0` permits only 2.64.x patch releases; if you also want to allow later minor versions of the 2.x provider, use `~> 2.64` instead.

  - If it exists, remove the deprecated property `custom_https_provisioning_enabled` from the `frontend_endpoint` block of the `azurerm_frontdoor` resource. It is replaced by the separate `azurerm_frontdoor_custom_https_configuration` resource configured in the next step:

```hcl
resource "azurerm_frontdoor" "this" {
  name                                         = local.frontdoor_name
  resource_group_name                          = var.resource_group_name
  enforce_backend_pools_certificate_name_check = false
  backend_pools_send_receive_timeout_seconds   = 240
  . . .
  frontend_endpoint {
    name      = "${local.frontdoor_name}-endpoint"
    host_name = "${local.frontdoor_name}.azurefd.net"
    custom_https_provisioning_enabled   # <<<<<< remove this line
  }
}
```

  `enforce_backend_pools_certificate_name_check = false` disables verification that the backend's TLS certificate name matches the backend host on the Frontdoor-to-backend connection. This walkthrough does not change that setting; leave it as Sitecore ships it rather than copying it into other Frontdoor configurations.

  - Update the reference to Azure Key Vault:
    - `azure_key_vault_certificate_secret_name` - use the name of the certificate from Azure Key Vault.
    - `azure_key_vault_certificate_secret_version` - remove it, so that Frontdoor uses the latest version of the certificate and picks up renewals without a further Terraform change.

  For example, for CD:

```hcl
resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration" {
  frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-frontend-endpoint"]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                      = "AzureKeyVault"
    azure_key_vault_certificate_secret_name = "cd-example-com"
    azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
  }

  depends_on = [azurerm_frontdoor.this]
}
```

  Frontdoor reads the certificate from the Key Vault referenced by `data.azurerm_key_vault.this`, so that vault must grant the Frontdoor service permission to get the certificate secret; otherwise custom HTTPS provisioning fails.

- Create a pull request.
- To apply the changes, contact Sitecore Support to remove the DNS record for the previous domain for the particular role.
- Run the Frontdoor pipeline.
- Run the Application pipeline.
- Run the `Restart Pod` pipeline with default parameters.
Create the additional domain for an existing role
To create a domain:
- Create a new branch for the feature.
- Configure DNS records for the new domain for the particular role. Add a CNAME for your custom domain pointed at the Azure Frontdoor host `{infrastructure_id}fdr.azurefd.net`.
- Update `/frontdoor/main.tf` with the new frontend endpoint.
- Assign routing rules:
  - Add `cd-new-frontend` to `frontend_endpoints`:

```hcl
routing_rule {
  name               = "HTTPS-cd"
  accepted_protocols = ["Https"]
  patterns_to_match  = ["/*"]
  frontend_endpoints = ["cd-frontend-endpoint", "cd-new-frontend"]

  forwarding_configuration {
    forwarding_protocol = "MatchRequest"
    backend_pool_name   = "cd-ingress"
  }
}
```

- Create and complete the pull request.
- Trigger the Frontdoor pipeline.
- Upload the certificate to Azure KeyVault.
- Create a new branch to assign the certificate with the domain.
- Add the new frontend endpoint to the `HttpToHttps` redirection rule. Without this, plain-HTTP requests to the new domain match no routing rule and are not redirected to HTTPS:

```hcl
frontend_endpoints = ["cd-frontend-endpoint", "cm-frontend-endpoint", "id-frontend-endpoint", "grafana-frontend-endpoint", "cd-new-frontend"]
```

- Add the new resource into `/frontdoor/main.tf`:
  - In `frontend_endpoint_id`, reference the name of the new frontend endpoint.
  - In `azure_key_vault_certificate_secret_name`, set the name of the certificate in Azure KeyVault.

```hcl
resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration_new_domain" {
  frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-new-frontend"]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                      = "AzureKeyVault"
    azure_key_vault_certificate_secret_name = "cd-example-com"
    azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
  }

  depends_on = [azurerm_frontdoor.this]
}
```

- Create and complete the pull request.
- Trigger the Frontdoor pipeline.
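The two procedures above (assigning a certificate to an existing endpoint, and adding a new endpoint for an existing role) each touch several places in `/frontdoor/main.tf`, and a missed one leaves the new domain unreachable or without an HTTP-to-HTTPS redirect. The following is an added example, not code from Sitecore's Infrastructure repository, showing all of those pieces for one new CD domain together. It assumes `cd.example.com` is the new CD host, `cd-old.example.com` the previous one, `cd-example-com` the certificate name in Key Vault, `cd-ingress` the existing CD backend pool, and that `local.frontdoor_name`, `var.resource_group_name`, `data.azurerm_key_vault.this` and the cm, id and grafana frontend endpoints already exist in the configuration. Backend pools, health probes and load-balancing blocks are unchanged by this procedure and are omitted.

```hcl
# Added example (not Sitecore's code). Assumed names: cd.example.com (new CD host),
# cd-old.example.com (previous CD host), cd-example-com (Key Vault certificate),
# cd-ingress (existing CD backend pool). Other endpoints and backend settings
# are assumed to exist elsewhere in /frontdoor/main.tf.

resource "azurerm_frontdoor" "this" {
  name                = local.frontdoor_name
  resource_group_name = var.resource_group_name
  # ... backend_pool, backend_pool_health_probe, backend_pool_load_balancing omitted ...

  # Default Frontdoor endpoint; no custom_https_provisioning_enabled here
  # (that property moved to azurerm_frontdoor_custom_https_configuration).
  frontend_endpoint {
    name      = "${local.frontdoor_name}-endpoint"
    host_name = "${local.frontdoor_name}.azurefd.net"
  }

  # Existing CD endpoint, unchanged.
  frontend_endpoint {
    name      = "cd-frontend-endpoint"
    host_name = "cd-old.example.com"   # assumed existing host
  }

  # New CD endpoint (first pull request). The host_name must already have a
  # CNAME to {infrastructure_id}fdr.azurefd.net, or Frontdoor refuses it.
  frontend_endpoint {
    name      = "cd-new-frontend"
    host_name = "cd.example.com"
  }

  # HTTP -> HTTPS redirect. The new endpoint must be listed here too; an
  # endpoint that appears only in the HTTPS rule gets no redirect and plain
  # HTTP requests to it match no rule at all.
  routing_rule {
    name               = "HttpToHttps"
    accepted_protocols = ["Http"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = [
      "cd-frontend-endpoint", "cm-frontend-endpoint", "id-frontend-endpoint",
      "grafana-frontend-endpoint", "cd-new-frontend",
    ]

    redirect_configuration {
      redirect_protocol = "HttpsOnly"
      redirect_type     = "PermanentRedirect"
    }
  }

  # HTTPS traffic for both CD hosts is forwarded to the same CD ingress.
  routing_rule {
    name               = "HTTPS-cd"
    accepted_protocols = ["Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["cd-frontend-endpoint", "cd-new-frontend"]

    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "cd-ingress"
    }
  }
}

# Certificate for the new endpoint (second pull request, after the endpoint
# exists and its CNAME has been validated). The secret is referenced by name
# only, with no azure_key_vault_certificate_secret_version, so Frontdoor uses
# the latest version and follows certificate renewals in Key Vault.
resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration_new_domain" {
  frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-new-frontend"]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                      = "AzureKeyVault"
    azure_key_vault_certificate_secret_name = "cd-example-com"
    azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.this.id
  }

  depends_on = [azurerm_frontdoor.this]
}
```

The two-step split follows the walkthrough's ordering: the first pull request creates the endpoint and routing rules, and only once the Frontdoor pipeline has run and the CNAME is validated does the second pull request attach the certificate. Before merging either, check that every name in `frontend_endpoints` matches a `frontend_endpoint` block exactly, since a typo there fails the Terraform plan rather than silently dropping the host.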