Duplicating Azure Application Gateway via ARM Template for DR

I’ve been working with a customer to design a DR solution in Azure for a small environment in Australia East consisting of database servers, web servers and an application gateway and requires a cost effective DR solution into Australia Southeast.

NOTE: This solution may not be suitable for everybody as it depends on the RPO/RTO requirements.

This particular customer has a pretty relaxed RTO requirement so the most cost effective method would be to provision the DR components using an Automation Account Runbook when DR failover is required. The focus of this article is just on the Azure Application Gateway as there were several quirks encountered when trying to duplicate it in the DR region.

As the customer already has an Azure Application Gateway already configured with all the backend pools, listeners, probes and rules configured, the quickest method without requiring knowledge of the web application would be to use the “Export template” option to create an ARM template with all the settings configured.

From there, just click on the “Download” button to download a zip file containing the template.json and parameters.json files.

To make the runbook easier, I changed the parameters in the template.json file into variables and hard-coded the variables into the ARM Template. After that, change the names of the App Gateway and references in the ARM template to point to the appropriate VNET and public IP resources in the DR region.

However, if you try to deploy the template now, it will fail with an error saying that the information for the SSL certificate is missing. Looking at the sslCertificate section of the ARM Template, the name attribute would be filled in with the name of the certificate from the existing Application Gateway but not any data relating to it.

Referencing Microsoft’s documentation on ARM Templates for Application Gateway at https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-08-01/applicationgateways#applicationgatewaysslcertificatepropertiesformat-object, the following fields are required.

You will need the original pfx certificate and password. Also, the pfx certificate would need to be encoded in Base-64.

What DID NOT work…. upon doing a quick google search, I found several articles saying to encode the pfx certificate in base-64 with the following commands (or something similar to it).

$pfxFileBytes = get-content $pfxFilePath -Encoding Byte
[System.Convert]::ToBase64String($pfxFileBytes) | Out-File 'PfxFileBytes-Base64.txt'

I then tried copying the text from the file into the ARM Template’s data section along with the password and attempted to deploy the Application Gateway. I didn’t receive any errors but the deployment was in “Updating” state for more than an hour before it timed out and failed. The error message didn’t help either.

However, it deployed the new Application Gateway and all settings but it seemed that it couldn’t apply the certificate data. I verified this by updating the certificate with the original pfx file via the Azure Portal and the error disappeared. This meant that the certificate data in the ARM Template was incorrect.

What WORKED… After much searching, I found the following article in GitHub (https://github.com/andrewatfornax/tech-articles/blob/master/azure-app-gateway-ssl-arm-template.md) which used Azure Key Vault to hold the certificate data. (Note: This is also another good method of deploying the Application Gateway although you would need to set up the Azure Key Vault to do so.)

Although this wasn’t the approach I was taking it did give me a way to obtain the base-64 encoded pfx string I needed.

az keyvault secret set --vault-name KEY_VAULT_NAME --encoding base64 --description text/plain --name CERT_SECRET_NAME --file certificate.pfx

You would need a subscription with an Azure Key Vault to run this so I used my own test subscription and ran this using the Azure Cloud Shell. After running this command, it will output the base-64 encoded string of the certificate which I then copied and pasted in the ARM Template.

Tested deployment of the Application Gateway using the updated ARM Template and the Application Gateway was successfully deployed with all its required settings and certificate.

For your reference, this the “sslCertificates” section of the ARM Template.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.