Forum Discussion
One Traffic Manager and multiple DNS mappings (need clarification on how security is ensured, please)
My first thought in reading your scenario is: don’t count on DNS for security. Here is my point: DNS is just a public record of pointers. Anyone could just as easily get to the site with the trafficmanager.net URL or, if a web server was hosted directly behind a public IP (like we did in the olden days), anyone could create an A record to point a domain to the IP. DNS is an old protocol that was not built with security in mind.
If you need to ensure that only users intending to get to www.prq.com get to your site, the best bet would be to add a certificate to Traffic Manager for your custom hostname and enforce SSL. That way, if anyone tries to spoof the host (xyz.com), the user will get a certificate error.
If you need authentication, check out Azure AD App Proxy or Azure AD Application Gateway. You can put the site behind these products and force Azure AD authentication before the user accesses the web site.
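The "certificate error" in the answer above comes from the hostname check every TLS client performs before trusting a site: the name the user typed must match a Subject Alternative Name in the certificate, so a spoofed domain pointed at the same endpoint fails even though DNS resolved it. The block below is an added illustration of that check, written for this thread and not taken from the original post or from any Azure product; the certificate names (`www.prq.com`, `*.prq.com`, `prq.trafficmanager.net`) are constructed sample values, and the matching rules follow RFC 6125 (case-insensitive, a single wildcard allowed only as the complete leftmost label).

```python
"""Hostname-to-certificate matching as a TLS client performs it.

Added example: shows why a spoofed host (xyz.com) pointed at the same
endpoint gets a certificate error once the certificate is issued for
the custom hostname (www.prq.com), while the legitimate names still work.
"""
from ipaddress import ip_address

# Constructed sample: the SANs of a certificate bound on the offload device.
# Including the trafficmanager.net name is an assumption for illustration.
SAMPLE_CERT_DNS_NAMES = ["www.prq.com", "*.prq.com", "prq.trafficmanager.net"]
SAMPLE_CERT_IP_ADDRESSES = []


def hostname_matches(hostname, dns_name):
    """Return True if the requested hostname is covered by one SAN entry."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = dns_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # A wildcard may only replace the whole leftmost label ("*.prq.com")
        # and must leave at least two fixed labels, so "*.com" never matches.
        if len(pat_labels) < 3:
            return False
        return host_labels[1:] == pat_labels[1:]
    # Any other use of "*" (e.g. "www.*.com" or "w*.prq.com") is rejected.
    if "*" in dns_name:
        return False
    return host_labels == pat_labels


def certificate_covers(hostname, san_dns_names, san_ip_addresses=()):
    """Decide whether a certificate with these SANs is valid for `hostname`.

    Returns (ok, reason). A client that gets ok == False aborts the
    handshake and shows the user a certificate error.
    """
    try:
        ip = ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # Literal IP targets must match an IP SAN, never a DNS SAN.
        if any(ip == ip_address(entry) for entry in san_ip_addresses):
            return True, "IP address SAN matches"
        return False, "no IP address SAN matches %s" % hostname
    for name in san_dns_names:
        if hostname_matches(hostname, name):
            return True, "matches SAN %s" % name
    return False, "hostname %s not covered by SANs %s" % (hostname, san_dns_names)


def check_request(hostname):
    """Evaluate a requested hostname against the constructed sample cert."""
    return certificate_covers(hostname, SAMPLE_CERT_DNS_NAMES,
                              SAMPLE_CERT_IP_ADDRESSES)


if __name__ == "__main__":
    for host in ["www.prq.com", "xyz.com", "api.prq.com",
                 "a.b.prq.com", "prq.trafficmanager.net"]:
        ok, reason = check_request(host)
        print("%-24s %s (%s)" % (host, "OK" if ok else "CERT ERROR", reason))
```

Run it and `xyz.com` is the one request reported as a certificate error: DNS happily resolved it, but the certificate was never issued for that name. Note that `a.b.prq.com` also fails, since a wildcard covers exactly one label, and that the `trafficmanager.net` name still succeeds only because the sample certificate lists it; a certificate bound to the custom hostname alone would reject that URL as well.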
@Travis Roberts Thanks for your input, but I couldn't find any option in Traffic Manager to bind an SSL certificate and restrict the traffic there. Am I missing anything?
I see we have the SSL binding option only at the Application Gateway (HTTPS listener) and the Web App.
In my case, I did the SSL binding at the AGW HTTPS listener by uploading a PFX. We thought we would go with SSL offloading at the AGW, so I decided not to add SSL again at the Web App.
I hope that is the right setup, where there is:
- TM for routing requests in an HA setup, followed by
- App Gateway with WAF enabled (to apply security) and SSL offload, followed by
- Azure Web App to serve the request.
Not sure, at least, why the AGW is not blocking the connections, as we did the SSL binding at the HTTPS listener.
Please help!
TravisRoberts, May 24, 2019, Iron Contributor
kirankumar_azurecloud925 That sounds correct. The cert is added to the proxy offload device or to the endpoints.
Good luck