How to configure SSL on cloud service with traffic manager?

Question

I have a traffic manager pointing to a cloud service. Now I want to configure SSL on that system. How can I configure SSL on a cloud service with traffic manager?

Answer 1

Since Traffic Manager works at the DNS level, it doesn't see your application traffic, which can be configured to use either HTTP or HTTPS.

Traffic Manager health checks support HTTP or HTTPS, and you should update this setting accordingly. Also, don't forget to update the health check port (80 vs 443).

When using HTTPS health checks, Traffic Manager does not validate the server certificate, so there is no need to register the certificate with Traffic Manager.

Note that the HTTPS health checks do not support client SSL certificates and do not support SNI certificates.

More information here (including in FAQ).

Jonathan Tuliani, Program Manager, Azure Traffic Manager

Answer 2

You do that exactly the same way you would do it if no traffic manager was in place.

That is, you specify which certificate to use for your endpoint in your .cscfg file and upload that certificate to your service.

The fact that the service sits behind a traffic manager makes no difference because of the use of DNS CNAME records.

For example, say you want to use SSL with a DNS domain name called mydomain.com, you could have a CNAME record for www.mydomain.com point to mydomain.trafficmanager.net. mydomain.trafficmanager.net would in turn do its traffic management to point to mydomain-east-us.trafficmanager.net, mydomain-west-us.trafficmanager.net, or whichever other instances of your service you specified based on the traffic management rule you selected.

In this example, the SSL certificate you would provide to your service would be for *.mydomain.com.

Transparently, requests to www.mydomain.com would be DNS-translated as such:

www.mydomain.com ->
mydomain.trafficmanager.net ->
mydomain-[instance].trafficmanager.net