Walkthrough: Migrating from Azure Front Door to Cloudflare
With Sitecore Managed Cloud, you can use Azure Front Door or Cloudflare as your DNS server. If you are already using Azure Front Door, you can migrate to Cloudflare.
Before you migrate from Azure Front Door to Cloudflare, you must have a Cloudflare account with a DNS zone that is configured with an Enterprise Website plan.
Migration from Azure Front Door to Cloudflare is only available for Cloudflare DNS zones that use the old WAF Managed Rules. For more information about the different versions of Cloudflare WAF Managed Rules, see the Cloudflare documentation.
When you migrate to Cloudflare, you can expect a downtime of less than 30 minutes.
This walkthrough describes how to:
- Add the appropriate secrets to Azure Key Vault
- Modify your Application repository
- Modify your infrastructure repository
- Create additional pipelines
- Update the DNS records
- Migrate to Cloudflare
Add secrets to Azure Key Vault
To add secrets to Azure Key Vault:
- In the {infrastructure_id}kvt key vault, add the following secrets and values:

| Secret name | Value |
| --- | --- |
| terraform-cloudflare-state-file-name | terraform-cloudflare.tfstate |
| cloudflare-zone-name | <The Cloudflare Zone (domain) name> |
Modify the Application repository
To modify the Application repository:
- In the Application repository for your solution, create a branch and add the Cloudflare role to the Ansible code.
- Create a pull request to merge your code to the main branch.
  This merge triggers the Application pipeline and updates the NGINX server configuration to accept traffic from Cloudflare.
- In the main.yml file, update the ingress-access-restrictions role:

  ```yaml
  # Front Door restrictions are applied only while Front Door still exists
  - include_role:
      name: ingress-access-restrictions
    when: frontdoor_exists
  # Ingress restrictions for traffic arriving through Cloudflare
  - include_role:
      name: ingress-access-restrictions-cloudflare
  - include_role:
      name: alerts
  ```
Modify the infrastructure repository
To modify the infrastructure repository:
- Download the upgrade package for your MCC version and topology from the mcc-upgrades container of the mccsharedupgradestorage storage account.
- Extract the archive.
- Create a pull request with content from modules/cloudflare/infrastructure to the infrastructure repository.
Create additional pipelines
You must create a pipeline to deploy Cloudflare.
To create the Cloudflare pipeline:
- On your organization’s page, click Pipelines, New pipeline, Azure Repos Git, Infrastructure, and in the Configure your Pipeline section, select the Existing Azure Pipelines YAML file option.
- In the right-hand pane, in the Branch field select main and in the Path field, select pipelines/cloudflare.yaml as the path and then click Continue.
  The pipeline is given the same name as the repository by default.
- To change the name of the pipeline, click More actions, Rename and then change the name.
You must also create a pipeline that removes the old Azure Front Door pipeline.
- To create the Destroy FrontDoor pipeline, repeat the previous procedure and select pipelines/destroy-frontdoor.yaml as the path.
Update the DNS records
You must also ensure that the following domains point to Cloudflare.
- sitecore-cd-host-name
- sitecore-cm-host-name
- sitecore-id-host-name
- grafana-host-name
The hostnames are listed in the {infrastructure_id}kvt key vault.
Update the DNS record for each domain from, for example, <hostname>.example.com to <hostname>.example.com.cdn.cloudflare.net.
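One way to confirm the records described above before running the Cloudflare pipeline, as an added example that is not part of the Sitecore documentation: it parses `dig +noall +answer` output and reports which hostnames are not yet CNAMEd to `<hostname>.cdn.cloudflare.net`. The hostnames, the sample dig output, and the function names are constructed for illustration.

```python
"""Audit CNAME records against the target pattern given in the walkthrough."""

CLOUDFLARE_SUFFIX = ".cdn.cloudflare.net"  # suffix taken from the walkthrough


def expected_target(hostname):
    """Return the CNAME target the walkthrough prescribes for a hostname."""
    return hostname.rstrip(".").lower() + CLOUDFLARE_SUFFIX


def parse_dig_answers(text):
    """Map owner name -> CNAME target from `dig +noall +answer` output."""
    cnames = {}
    for line in text.splitlines():
        fields = line.split()
        # Answer lines have five fields: name, TTL, class, type, rdata.
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            cnames[fields[0].rstrip(".").lower()] = fields[4].rstrip(".").lower()
    return cnames


def audit(hostnames, dig_output):
    """Return {hostname: 'ok' | 'missing' | 'wrong -> <target>'}."""
    cnames = parse_dig_answers(dig_output)
    report = {}
    for host in hostnames:
        key = host.rstrip(".").lower()
        target = cnames.get(key)
        if target is None:
            report[key] = "missing"  # no CNAME answer seen for this host
        elif target == expected_target(key):
            report[key] = "ok"
        else:
            report[key] = "wrong -> " + target  # still points elsewhere
    return report


# Constructed sample data: four hostnames and the dig answers collected for them.
SAMPLE_HOSTS = ["cd.example.com", "cm.example.com", "id.example.com", "grafana.example.com"]
SAMPLE_DIG = """\
cd.example.com.   300 IN CNAME cd.example.com.cdn.cloudflare.net.
cm.example.com.   300 IN CNAME CM.example.com.cdn.cloudflare.net.
id.example.com.   300 IN CNAME old-endpoint.example.net.
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS, SAMPLE_DIG).items():
        print(f"{host:25} {status}")
```

To use it on real records, replace the sample values with the four hostnames from the key vault and the collected output of `dig +noall +answer <hostname> CNAME` for each.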
Migrate to Cloudflare
To migrate to Cloudflare:
- Run the Cloudflare pipeline with the following parameters:
  - Cloudflare Email - your Cloudflare email address.
  - Cloudflare API key - the Cloudflare Global API key.
  - Cloudflare Account ID - the Cloudflare Account ID.
    To find the account ID, on the Cloudflare homepage, click Workers, Overview and the ID is displayed in the right-hand pane.
  - Update site certificate - False.
- When the pipeline has completed, validate the traffic that passes through Cloudflare and ensure that the websites are accessible.
- To remove the old Azure Front Door pipeline, run the Destroy FrontDoor pipeline with the default parameters.