How can we improve Azure Networking?

Application Gateway: Support wildcard hosts in listeners

Our product creates dynamic DNS zones for our customers, e.g. foo.z1.contoso.com, bar.z2.contoso.com, etc. We use Azure DNS for this. (Notice that we stripe our customers' domains across multiple zones (z1, z2), because Azure DNS has a max record count of 5000.)

So, to support this, we have a wildcard SSL certificate for each zone e.g. *.z1.contoso.com, *.z2.contoso.com.

In order to have Application Gateway provide SSL termination for us, we obviously need to create Multi-site listeners for port 443. Unfortunately, the 'Host' field on the Multi-site listener does not accept wildcard entries. Furthermore, specifying the host name 'z1.contoso.com' does not appear to cover all subdomains on z1.contoso.com.

So, in order to support this flow, we would be forced to create a new Listener for *each* customer DNS zone we create. And as I'm sure you're aware, this is a **SLOW** operation, and presents scaling/throttling issues.

The inability to specify wildcards in the multi-site listener's Host field is preventing us from adopting Application Gateway.

703 votes
Steven shared this idea

29 comments

  • Pedro Costa commented

    Yup, during R&D just stumbled upon this one myself, can't use Application Gateway until it's implemented.

  • iyerusad commented

    In the vein of wildcard for host name, I would ask for support of multiple host names per listener (i.e. website.com and promowebsite.com). Creating individual listeners per hostname is wasteful and kludgy from a maintenance perspective given a scenario where you want multiple hostnames to direct to the same configuration.

  • Ray commented

    I would suggest taking it a step further and allowing a catchall listener for HTTP. HTTPS would be a bit more complex as a catch all because of the need for a cert...

  • PD commented

    Just came across this when searching for an answer for my env with multiple subdomains covered by a single wildcard certificate.
    We need this feature added to Application Gateway ASAP in order to migrate to Azure.

  • Anonymous commented

    We have a requirement where we need to support wildcards on our primary domain. We need this feature implemented ASAP.

  • Anonymous commented

    We also need help with this. We use the SAN certificate in production which covers about 20 domains and subdomains. Creating a separate host entry for each is not ideal.

    Thank you

  • Steven commented

    The only other way we have found to support this is if we create a dedicated instance of Application Gateway for each product zone. E.g. z1-gateway, z2-gateway, etc. This also seems like a waste of resources.
