Lessons Learned from building the Azure Let's Encrypt Site Extension
Global Azure Bootcamp 2019 - Copenhagen
Simon J.K. Pedersen
@simped / mail@sjkp.dk
Quick Intro
- Azure Web Apps
- Site Extensions
- SSL Certificates
- Let's Encrypt
How many of you use Azure Web Apps with a custom domain?
Are you paying for your SSL certificate?
Why did I build it
Personal challenge / learning opportunity
Learnings
- Azure Web Apps behind the scenes
- Moving on from the site-extension approach (Functions and ACI)
- Using Key Vault and ARM templates
Azure Web Apps
- So many application frameworks are used
- Some people have massive deployments
- WebJobs in site extensions...
- Server farms/app service plans and their location
- Not all scale units are created equal
- Deploy from ZIP/read-only disk
- Kudu API
- Traffic manager
Moving on
- Avoid support when people mess up the web job
- Avoid support when working with Service Principals
- Support other Azure services
  - Azure CDN
  - Azure API Management
  - Azure Functions
- Better security (Key Vault)
Attempt #1
- Make an API
- Host the API in the site-extension
- Let people call the API from Azure Functions/Logic Apps
- More trouble for the user
- Why even use site-extension
Attempt #2
- Make a NuGet package
- let people do it themselves
- and some did ...
Attempt #3
- Wait for Microsoft to do it...
Attempt #4
- Found certes (https://github.com/fszlin/certes)
- Rewrite to .NET Core (so we can use Azure Functions v2 and Docker)
- Support wildcard
- Realize that a lot of DNS providers are VERY slow at propagating DNS changes
- Use Managed Service Identity
- Use Key Vault
Demo Time
Architecture
Key Vault and ARM Templates
- Existing resources (in different resource groups)
  - Azure DNS
  - Azure Web App
- What we want to deploy
  - Key Vault
  - Azure Function (Storage Account & App Service Plan)
  - Managed Service Identity
  - App Settings
  - Application Insights
  - Role assignments for the Managed Service Identity