Lessons Learned from building the Azure Let's Encrypt Site Extension


Global Azure Bootcamp 2019 - Copenhagen

Simon J.K. Pedersen

@simped / mail@sjkp.dk

Quick Intro

  • Azure Web Apps
  • Site Extensions
  • SSL Certificates
  • Let's Encrypt

How many of you use Azure Web Apps with a custom domain?

Are you paying for your SSL certificate?

Why did I build it

Personal challenge / learning opportunity

Learnings

  • Azure Web Apps behind the scenes
  • Moving on from the site-extension approach (Functions and ACI)
  • Using Key Vault and ARM templates

Azure Web Apps

  • So many application frameworks are used
  • Some people have massive deployments
  • WebJobs inside site extensions...
  • Server farms / App Service plans and their location
  • Not all scale units are created equal
  • Deploy from ZIP (Run From Package) means a read-only site disk
  • Kudu API
  • Traffic Manager

Moving on

  • Avoid support cases when people mess up the WebJob
  • Avoid support cases when people work with Service Principals
  • Support other Azure services
    • Azure CDN
    • Azure API Management
    • Azure Functions
  • Better security (Key Vault)

Attempt #1

  • Make an API
  • Host the API in the site extension
  • Let people call the API from Azure Functions / Logic Apps
  • More trouble for the user
  • Why even use a site extension then?

Attempt #2

  • Make a NuGet package
  • Let people do it themselves
  • And some did ...

Attempt #3

  • Wait for Microsoft to do it...

Attempt #4

  • Found certes (https://github.com/fszlin/certes)
  • Rewrite to .NET Core (so we can use Azure Functions v2 and Docker)
  • Support wildcard certificates (these require the DNS-01 challenge)
  • Realize that a lot of DNS providers are VERY slow at propagating DNS changes (the DNS-01 TXT record must be visible before validation is triggered)
  • Use Managed Service Identity
  • Use Key Vault

Demo Time

Architecture

KeyVault and ARM Templates

  • Existing Resources (different resource groups)
    • Azure DNS
    • Azure Web App
  • What we want to deploy
    • KeyVault
    • Azure Function (Storage Account & App Service Plan)
      • Managed Service Identity
      • App Settings
    • Application Insights
    • Role Assignments to Managed Service Identity

Managed Service Identity

Key Vault Access to MSI

Save secrets in Vault 

Reference Secrets

Role Assignments 
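As an added example, not the project's own template and not code from the slides, here is a minimal ARM template that covers the slides from "KeyVault and ARM Templates" through "Role Assignments": a Function App with a system-assigned identity, a Key Vault whose access policy is granted to that identity, a secret saved in the vault, an app setting that references the secret, and a role assignment on an Azure DNS zone that lives in a different resource group. Assumptions: the parameter names, the secret name AcmeAccountKey, the apiVersions, and that the App Service plan is passed in by resource id; the storage account, consumption plan and Application Insights from the slide are left out. The role definition id is the built-in DNS Zone Contributor role (verify with `az role definition list --name "DNS Zone Contributor"`).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "appServicePlanId": { "type": "string" },
    "keyVaultName": { "type": "string" },
    "dnsZoneName": { "type": "string" },
    "dnsResourceGroup": { "type": "string" },
    "acmeAccountKey": { "type": "securestring" }
  },
  "variables": {
    "functionAppId": "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
    "secretId": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 'AcmeAccountKey')]",
    "dnsZoneContributor": "befefa01-2a29-4197-83a8-272ff33ce314"
  },
  "resources": [
    {
      "comments": "Function app with a system-assigned identity. No secrets go into siteConfig here.",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('functionAppName')]",
      "location": "[resourceGroup().location]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "properties": { "serverFarmId": "[parameters('appServicePlanId')]", "httpsOnly": true }
    },
    {
      "comments": "Key Vault access for the MSI: the policy is keyed on the identity's principalId and grants secrets/get only.",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2018-02-14",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('functionAppId')]" ],
      "properties": {
        "sku": { "family": "A", "name": "standard" },
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [ {
          "tenantId": "[subscription().tenantId]",
          "objectId": "[reference(variables('functionAppId'), '2018-11-01', 'Full').identity.principalId]",
          "permissions": { "secrets": [ "get" ] }
        } ]
      }
    },
    {
      "comments": "Save secrets in the vault: the secure parameter is written to the vault, never to an app setting in clear. Secret name is an assumption.",
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2018-02-14",
      "name": "[concat(parameters('keyVaultName'), '/AcmeAccountKey')]",
      "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" ],
      "properties": { "value": "[parameters('acmeAccountKey')]" }
    },
    {
      "comments": "Reference secrets: app settings are a separate child resource so they can depend on the vault, which itself depends on the site (a Key Vault reference inside siteConfig would be a dependency cycle).",
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "[concat(parameters('functionAppName'), '/appsettings')]",
      "dependsOn": [ "[variables('secretId')]" ],
      "properties": {
        "FUNCTIONS_EXTENSION_VERSION": "~2",
        "AcmeAccountKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretId')).secretUriWithVersion, ')')]"
      }
    },
    {
      "comments": "Role assignment on the DNS zone. The zone lives in another resource group, so the extension resource is deployed through a nested deployment targeting that group.",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-05-01",
      "name": "dnsZoneRoleAssignment",
      "resourceGroup": "[parameters('dnsResourceGroup')]",
      "dependsOn": [ "[variables('functionAppId')]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [ {
            "type": "Microsoft.Network/dnszones/providers/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "name": "[concat(parameters('dnsZoneName'), '/Microsoft.Authorization/', guid(parameters('dnsZoneName'), parameters('functionAppName'), variables('dnsZoneContributor')))]",
            "properties": {
              "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('dnsZoneContributor'))]",
              "principalId": "[reference(variables('functionAppId'), '2018-11-01', 'Full').identity.principalId]",
              "principalType": "ServicePrincipal"
            }
          } ]
        }
      }
    }
  ]
}
```

Two things to watch when adapting this. The `appsettings` config resource replaces the whole settings collection, so AzureWebJobsStorage and the other settings the function needs must be listed in the same block, and a `@Microsoft.KeyVault(...)` reference only resolves once the identity exists and has secrets/get, which is why the ordering above matters. The Web App in the other resource group gets the same nested-deployment treatment with the Website Contributor role definition id swapped in, and `principalType: ServicePrincipal` avoids the deployment failing because the new identity has not yet replicated in Azure AD.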

Link