There is no wildcard certificate for *.cloudapp.azure.com as there is, for example, for *.azurewebsites.net. For SSL, you need to register your own domain and CNAME it to your cluster domain (for example, mycluster.westus.cloudapp.azure.com), or get a static public IP address for your load balancer VIP and point your A record to that (more about public Azure IPs here). Then buy a certificate for this domain from your favorite CA.
Once you have the certificate, yes, you save it in Key Vault (make sure you set -EnabledForDeployment when creating your key vault!) and put it in the ARM cluster template (to install it on your nodes).
To use HTTPS, first configure the certificate reference in ApplicationManifest.xml:

    <Certificates>
      <EndpointCertificate X509FindValue="<Your Certificate Thumbprint>" Name="Cert1" />
    </Certificates>

Then configure an EndpointBindingPolicy in the ServiceManifestImport section of the application manifest:

    <ServiceManifestImport>
      ...
      <Policies>
        <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1" />
      </Policies>
    </ServiceManifestImport>

Finally, refer to the certificate in your endpoint configuration in ServiceManifest.xml:

    <Endpoints>
      <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1" />
    </Endpoints>
You can use the same certificate to protect your cluster and provide SSL to users, but I would recommend a different certificate so that you do not issue a server certificate to clients for cluster authentication.
EDIT: You can also use the Azure Application Gateway, which supports SSL offloading. It will then handle the HTTPS side and talk HTTP back to the cluster.
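As an added check (my own example, not code from the answer above), the following script cross-checks the three fragments the answer describes: every EndpointBindingPolicy must point at a declared EndpointCertificate and a declared Endpoint, an https endpoint must bind a declared certificate, and the thumbprint must look like a real SHA-1 value rather than a placeholder. The sample manifests and thumbprint are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_https_binding(app_manifest_xml, service_manifest_xml):
    """Return a list of problems; an empty list means the binding is consistent."""
    app, svc = ET.fromstring(app_manifest_xml), ET.fromstring(service_manifest_xml)
    problems = []
    # Certificates declared in ApplicationManifest.xml, keyed by their Name.
    certs = {c.get('Name'): c.get('X509FindValue') for c in _find_all(app, 'EndpointCertificate')}
    for name, thumb in certs.items():
        if not re.fullmatch(r'[0-9A-Fa-f]{40}', thumb or ''):  # expects a SHA-1 thumbprint
            problems.append(f"certificate {name!r} has no valid thumbprint: {thumb!r}")
    # Endpoints declared in ServiceManifest.xml, keyed by their Name.
    endpoints = {e.get('Name'): e for e in _find_all(svc, 'Endpoint')}
    for pol in _find_all(app, 'EndpointBindingPolicy'):
        ep_ref, cert_ref = pol.get('EndpointRef'), pol.get('CertificateRef')
        if ep_ref not in endpoints:
            problems.append(f"binding policy references unknown endpoint {ep_ref!r}")
        if cert_ref not in certs:
            problems.append(f"binding policy references unknown certificate {cert_ref!r}")
    for name, ep in endpoints.items():
        proto, cert_ref = (ep.get('Protocol') or '').lower(), ep.get('CertificateRef')
        if proto == 'https' and cert_ref not in certs:
            problems.append(f"endpoint {name!r} is https but binds no declared certificate")
        if proto != 'https' and cert_ref:
            problems.append(f"endpoint {name!r} has CertificateRef but Protocol is {proto!r}")
    return problems

# Constructed sample manifests (the thumbprint is a made-up value, not a real certificate).
APP_OK = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport><Policies>
    <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1"/>
  </Policies></ServiceManifestImport>
  <Certificates><EndpointCertificate X509FindValue="0123456789abcdef0123456789abcdef01234567" Name="Cert1"/></Certificates>
</ApplicationManifest>"""
SVC_OK = """<ServiceManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Resources><Endpoints>
    <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1"/>
  </Endpoints></Resources>
</ServiceManifest>"""
# A common slip the check catches: the endpoint was left on plain http while a certificate is bound.
SVC_HTTP = SVC_OK.replace('Protocol="https"', 'Protocol="http"')
```

Run it against your real ApplicationManifest.xml and ServiceManifest.xml before packaging; a non-empty list means the cluster will not serve HTTPS the way you expect.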