Walkthrough: Migrating from Azure Front Door to Cloudflare

Abstract

Migrate from Azure Front Door to Cloudflare.

With Sitecore Managed Cloud, you can use Azure Front Door or Cloudflare as your DNS server. If you are already using Azure Front Door, you can migrate to Cloudflare.

Important

Before you migrate from Azure Front Door to Cloudflare, you must have a Cloudflare account with a DNS zone that is configured with an Enterprise Website plan.

Migration from Azure FrontDoor to Cloudflare is only available for Cloudflare DNS zones that use the old WAF Managed Rules. For more information about the different versions of Cloudflare WAF Managed Rules, see the Cloudflare documentation.

When you migrate to Cloudflare, you can expect a downtime of less than 30 minutes.

This walkthrough describes how to:

  • Add the appropriate secrets to Azure Key Vault

  • Modify your Application repository

  • Modify your infrastructure repository

  • Create additional pipelines

  • Update the DNS records

  • Migrate to Cloudflare

To add secrets to Azure Key Vault:

  • In the {infrastructure_id}kvt key vault, add the following secrets and values:

    Secret name

    Value

    terraform-cloudflare-state-file-name

    terraform-cloudflare.tfstate

    cloudflare-zone-name

    <The Cloudflare Zone (domain) name>

To modify the Application repository:

  1. In the Application repository for your solution, create a branch and add the Cloudflare role to the Ansible code. and then

  2. Create a pull request to merge your code to the main branch.

    This merge triggers the Application pipeline and updates the NGINX server configuration to accept traffic from Cloudflare.

  3. In the main.yml file, update the ingress-access-restrictions role:

     - include_role:
         name: ingress-access-restrictions
      when: frontdoor_exists
     - include_role:
         name: ingress-access-restrictions-cloudflare
     - include_role:
         name: alerts
    

To modify the infrastructure repository:

  1. Download the upgrade package for your MCC version and topology from the mcc-upgrades container of the mccsharedupgradestorage storage account.

  2. Extract the archive.

  3. Create a pull request with content from modules/cloudflare/infrastructure to the infrastructure repository.

    Cloudflare infrastructure repository

You must create a pipeline to deploy Cloudflare.

To create the Cloudflare pipeline:

  1. On your organization’s page click Pipelines, New pipeline, Azure Repos Git, Infrastructure, and in the Configure your Pipeline section, select the Existing Azure Pipelines YAML file option.

  2. In the right-hand pane, in the Branch field select main and in the Path field, select pipelines/cloudflare.yaml as the path and then click Continue.

    The pipeline is given the same name as the repository by default.

  3. To change the name of the pipeline, click More actions, Rename and then change the name.

You must also create a pipeline that removes the old Azure Front Door pipeline.

  • To create the Destroy FrontDoor pipeline, repeat the previous procedure and select pipelines/destroy-frontdoor.yaml as the path.

You must also ensure that the following domains point to Cloudflare.

  • sitecore-cd-host-name

  • sitecore-cm-host-name

  • sitecore-id-host-name

  • grafana-host-name

The hostnames are listed in the {infrastructure_id}kvt key vault.

Update the DNS record for each domain from, for example, <hostname>.example.com to <hostname>.example.com.cdn.cloudflare.net.

To migrate to Cloudflare:

  1. Run the Cloudflare pipeline with the following parameters:

    • Cloudflare Email - your Cloudflare email address.

    • Cloudflare API key - the Cloudflare Global API key.

    • Cloudflare Account ID - the Cloudflare Account ID.

      To find the account ID, on the Cloudflare homepage, click Workers, Overview and the ID is displayed in the right-hand pane.

      Cloudflare workers overview with the account ID
    • Update site certificate - False.

  2. When the pipeline has completed, validate the traffic that passes through Cloudflare and ensure that the websites are accessible.

  3. To remove the old Azure Front Door pipeline, run the Destroy FrontDoor pipeline with the default parameters.