Reputation: 1
We have a static website hosted on AWS for a domain registered with GoDaddy. We primarily use Route 53 for all DNS resolution, for the static website as well as Office 365. We have recently developed a small app hosted on Azure Kubernetes Service. I have updated Route 53 on AWS and the DNS zone accordingly to use a subdomain, xxx.abc.com, that points to the AKS private IP. The app is accessible only through HTTP. We have got a wildcard cert so that we can use the cert for all subdomains. I have been exploring, and it appears there is no option to use this TLS cert on Route 53, as it only does DNS resolution.
I am quite new to Azure services. Can someone kindly advise on how to secure this endpoint using the cert?
I tried searching the internet and it seems an ingress controller is the only way forward (reference links below). I am trying to see if there is any other way.
https://learn.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli
https://snyk.io/blog/setting-up-ssl-tls-for-kubernetes-ingress/
Upvotes: 0
Views: 145
Reputation: 12085
Indeed, Route 53 is only a DNS service, doing the address translation; it has nothing to do with the SSL certificate.
For your need there are several components that need to fit together:
In Kubernetes the ingress controller is basically a load balancer routing external traffic to the pods.
On AKS, it is possible and recommended to configure the Application Gateway (the default Azure load balancer) as an ingress controller.
What you may be looking for is AGIC (Application Gateway Ingress Controller). The article is about configuring the AGIC itself, not yet SSL (step-by-step).
Then you could search for how to configure an SSL cert on the AGIC; I suggest storing the private key/certificate in the Key Vault.
You could manage and configure the ingress controller and certificates directly on the Kubernetes worker nodes (less dependent on Azure itself), but then you need to expose the worker nodes on a public IP, manage their fixed IP addresses, ... or have a separate load balancer server in front of the cluster. Using AGIC is considered much safer.
Upvotes: 0
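The setup described in the answer above can be expressed as a single Ingress manifest. This is an added example, not part of either post: the names `demo-app` and `wildcard-abc-com-tls`, the `default` namespace and backend port 80 are assumptions, and it presumes AGIC is already installed on the cluster.

```yaml
# Constructed example: demo-app, wildcard-abc-com-tls, the namespace and the
# backend port are placeholders, not values from the question.
#
# The wildcard certificate and its private key are assumed to be loaded into a
# Kubernetes TLS secret first (full chain in the cert file):
#   kubectl create secret tls wildcard-abc-com-tls \
#     --cert=fullchain.pem --key=privkey.pem --namespace default
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app
  namespace: default
  annotations:
    # Hand this Ingress to the Application Gateway Ingress Controller.
    kubernetes.io/ingress.class: azure/application-gateway
    # Redirect plain HTTP to HTTPS at the gateway so the app is no longer
    # reachable unencrypted from the client side.
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # Key Vault variant: if the certificate is installed on the Application
    # Gateway itself (for example sourced from Key Vault), reference it by its
    # gateway-side name here and drop the spec.tls section below, so the
    # private key never has to live in the cluster:
    # appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<cert-name-on-gateway>"
spec:
  tls:
    - hosts:
        - xxx.abc.com          # must be covered by the wildcard cert (*.abc.com)
      secretName: wildcard-abc-com-tls
  rules:
    - host: xxx.abc.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-app   # the existing HTTP-only service
                port:
                  number: 80
```

TLS terminates at the gateway in this layout, so traffic from the gateway to the pods is still plain HTTP inside the virtual network. A wildcard for `*.abc.com` covers `xxx.abc.com` but not deeper names such as `a.xxx.abc.com`.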