Walkthrough: Adding a domain for an existing role

Version:

Sitecore has four publicly available endpoints: Content delivery, Content Management, Identity, and Grafana (metrics dashboard). You can use the same base domain name for all those roles and a wildcard certificate to cover all those domains. You can also use a different root domain for different roles or use a domain-specific certificate (not a wildcard certificate) for each endpoint. This walkthrough describes how to add a domain for a Sitecore endpoint.

Note

You must use Use CNAME DNS Hosting for Managed Cloud Containers.

This walkthrough describes how to:

Create and import the certificate
Migrate to the new domain
Assign the certificate to the Frontdoor frontend endpoint
Create the additional domain for an existing role

Create and import the certificate

If you want to use a domain-specific certificate for each endpoint, you must create and import a certificate.

To create and import a certificate:

Prepare a domain-specific certificate (.pfx) for a new top-level domain. For example: .example.com.
Upload the certificate to the Azure Key Vault certificates storage. For example: cd-example-com.

Migrate to the new domain

After you import the certificate, you must migrate to the new domain.

To migrate to the new domain:

Update Key Vault secrets for the new domain. For example, the secret for CD is sitecore-cd-host-name.
Configure DNS records for the new domain for a particular role. Add CNAME for your custom domains pointed to Azure Frontdoor: {infrastructure_id}fdr.azurefd.net.
“cd.example.com“ with CNAME “mcc<…>fdr.azurefd.net“

Assign the certificate to the Frontdoor frontend endpoint

To assign the certificate to the Frontdoor frontend endpoint:

Go to the Infrastructure repository and create a new branch.

Update /frontdoor/main.tf with the new certificate:

Update the version of AzureRm to 2.64.0 or higher.


azurerm
= {

source      =
"hashicorp/azurerm"

      version     =
"~> 2.64.0"

}

If it exists, remove the deprecated property custom_https_provisioning_enabled:

resource "azurerm_frontdoor" "this" {
  name                            				= local.frontdoor_name
  resource_group_name 				= var.resource_group_name
  enforce_backend_pools_certificate_name_check 	= false
  backend_pools_send_receive_timeout_seconds   	= 240

.
.
.

  frontend_endpoint {
    name			= "${local.frontdoor_name}-endpoint"
    host_name			= "${local.frontdoor_name}.azurefd.net"
    custom_https_provisioning_enabled <<<<<< remove it
  }

Update the reference to Azure Key Vault:

azure_key_vault_certificate_secret_name - use the secret from Azure Key Vault.

azure_key_vault_certificate_secret_version - remove it. For example, for CD:

resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration" {
  frontend_endpoint_id = azurerm_frontdoor.this.frontend_endpoints["cd-frontend-endpoint"]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                         		= "AzureKeyVault"
    azure_key_vault_certificate_secret_name	= "cd-example-com"
    azure_key_vault_certificate_vault_id       	= data.azurerm_key_vault.this.id
  }

  depends_on = [azurerm_frontdoor.this]

Create a pull request.

To apply the changes, contact Sitecore Support to remove the DNS record from the previous domain for a particular role.
Run the Frontdoor pipeline.
Run the Application pipeline.
Run the Restart Pod pipeline with default parameters.

Create the additional domain for an existing role

To create a domain:

Create a new branch for the feature.
Configure DNS records for the new domain for a particular role. Add CNAME for your custom domains pointed to Azure Frontdoor: {infrastructure_id}fdr.azurefd.net.
Update /frontdoor/main.tf with the new frontend endpoint.

Assign routing rules:

Add cd-new-frontend to frontend endpoints:

routing_rule {
    name               		= "HTTPS-cd"
    accepted_protocols 		= ["Https"]
    patterns_to_match  		= ["/*"]
    frontend_endpoints 	= ["cd-frontend-endpoint","cd-new-frontend"]
    forwarding_configuration {
      forwarding_protocol 	= "MatchRequest"
      backend_pool_name   	= "cd-ingress"
    }
  }

Create and complete the pull request.
Trigger the Frontdoor pipeline.
Upload the certificate to Azure KeyVault.
Create a new branch to assign the certificate with the domain.

Add the new frontend endpoint to the HttpToHttps redirection rule:


frontend_endpoints = ["cd-frontend-endpoint",
"cm-frontend-endpoint", "id-frontend-endpoint",
"grafana-frontend-endpoint", "cd-new-frontend"]

Add the new resource into /frontdoor/main.tf:

Go to frontend_endpoint_id and add the name of the new frontend endpoint.

Go to azure_key_vault_certificate_secret_name and add the name of the certificate in Azure KeyVault.

resource "azurerm_frontdoor_custom_https_configuration" "cd_https_configuration_new_domain" {
  frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints["cd-new-frontend"]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                         		= "AzureKeyVault"
    azure_key_vault_certificate_secret_name	= "cd-example-com"
    azure_key_vault_certificate_vault_id       	= data.azurerm_key_vault.this.id
  }

  depends_on = [azurerm_frontdoor.this]
}

Create and complete the pull request.
Trigger the Frontdoor pipeline.

If you have suggestions for improving this article, let us know!