Configure domain in Azure Spring Apps
Now that you have a self-signed certificate added to the Azure Key Vault instance, as a next step you will configure a public domain name in Azure Spring Apps using this self-signed certificate. You can use the following guidance to perform this task:
You will only create a custom domain for the api-gateway service. This is the only endpoint that you will expose externally.
Step by step guidance
-
To start, you need to provide Azure Spring Apps the permissions to read the certificate from Key Vault. To accomplish this, you first need to identify the URI to your Key Vault and the object ID of Spring Apps service.
VAULTURI=$(az keyvault show -n $KEYVAULT_NAME -g $RESOURCE_GROUP --query properties.vaultUri -o tsv) ASCDM_OID=$(az ad sp show --id 03b39d0f-4213-4864-a245-b1476ec03169 --query id --output tsv)The Guid used in the second statement refers to the
Azure Spring Cloud Domain-ManagementEnterprise Application in your Azure Active Directory. -
Once you have the Key Vault URI and the Spring Apps object ID, you can grant the permissions to access Key Vault certificates to the Spring Apps service:
az keyvault set-policy -g $RESOURCE_GROUP -n $KEYVAULT_NAME --object-id $ASCDM_OID --certificate-permissions get list --secret-permissions get list -
Next, configure TLS using the certificate.
CERT_NAME_IN_ASA=openlab-certificate az spring certificate add \ --resource-group $RESOURCE_GROUP \ --service $SPRING_APPS_SERVICE_VNET \ --name $CERT_NAME_IN_ASA \ --vault-certificate-name $CERT_NAME_IN_KV \ --vault-uri $VAULTURI -
To conclude this procedure, you need to bind the custom domain to the
api-gatewayapp.az spring app custom-domain bind \ --resource-group $RESOURCE_GROUP \ --service $SPRING_APPS_SERVICE_VNET \ --domain-name $DNS_NAME \ --certificate $CERT_NAME_IN_ASA \ --app api-gateway