One of my requirements was to have a “zero-touch deployment”-capability. Meaning that I did not want to deploy a system where I had to manually change things to get it working.
High Level Blueprint
So how would a “poor man’s ssl termination on Azure” look? Basically I’m using Cloudflare as my DNS provider which then provides capabilities like CDN, various SSL options (like SSL Termination = Flexible SSL), WAF, etc. We can start with the free plan, where we can do a redirect to https and do SSL termination.
In addition, we’ll deploy an NSG (Network Security Group, Azure’s basic firewall rule set) that is configured to only allow the IP ranges from Cloudflare. This way we speak HTTPS to the outside world, and we have to accept that the traffic between Cloudflare and our hosts is unencrypted…
So what did I mock up to get my issue resolved? I put Cloudflare in front of the service that was unable to speak SSL itself (Rancher). Why didn’t I deploy a WAF? With a WAF deployment, I didn’t want the fuss of maintaining the platform underneath. In addition, those things don’t come cheap… For my basic Rancher management layer, that would have been overkill compared to the cost of the layer it was protecting.
I’ve been a Cloudflare customer for a while on my personal domains (and I do love their free plan!). So I looked into whether such a setup would work.
What do we get out of this setup?
Basically, when using the free tier, we get:
- SSL Termination
- An additional DDoS protection layer
- A transparent CDN (which reduces our bandwidth costs at the Azure side)
Can we scale up?
- We can harden the traffic further by adding SSL termination on the Azure side too. This has the disadvantages we mentioned earlier (cost & management), though the big plus is that it would remove our weak spot where the traffic is unencrypted between Cloudflare & Azure. For this, I would suggest setting the SSL option to “Strict”.
- Want a WAF deployment? No problem, scale up to a higher plan depending on your needs. At $20€ (or $200) per month, that is still a steal in my humble opinion…
How did I configure this? Let’s take a look at the technical parts!
On the Azure side, I added the CIDR blocks of Cloudflare to the Network Security Group:
And I also linked a DNS name to my dynamic public IP address:
On the Cloudflare side, I added a new DNS record pointing to the CNAME in Azure:
And on the SSL level I configured “Flexible” and “Automatic HTTPS Rewrites”.
And now I’m able to ONLY access my Rancher management interface via HTTPS from the public internet!
- Cloudflare can be your “poor man’s SSL terminator” for Azure.
- The setup has a security weakness: the traffic between Cloudflare & Azure is still unencrypted.
- Another weakness I’m pondering is IPv6… So the NSG will need to be enhanced with the IPv6 ranges from Cloudflare.
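To keep the NSG step above honest (and to catch the IPv6 gap in the last point), here is an added audit script of my own, not part of the Cloudflare or Azure tooling. It assumes you have already pulled Cloudflare’s published ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) and the NSG’s inbound rules (e.g. from `az network nsg rule list`); the prefixes and rules embedded below are constructed documentation-range samples, not real Cloudflare or Azure values.

```python
"""Audit inbound NSG Allow rules against Cloudflare's published IP ranges.

Flags two things a "Cloudflare-only" NSG must not have:
  - a source prefix (or wildcard/service tag) that is not inside a Cloudflare range
  - a Cloudflare range (v4 or v6) that no Allow rule covers, i.e. the IPv6 gap
"""
import ipaddress

# Constructed stand-in for the Cloudflare ips-v4 / ips-v6 lists (documentation prefixes).
CLOUDFLARE_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48"]

# Constructed stand-in for NSG inbound rules; only the fields the audit needs.
NSG_RULES = [
    {"name": "allow-cloudflare-v4", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefixes": ["198.51.100.0/24", "203.0.113.0/24"],
     "destinationPortRange": "80"},
    {"name": "allow-ssh-anywhere", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
]


def _sources(rule):
    """Azure emits either a single sourceAddressPrefix or a sourceAddressPrefixes list."""
    single = rule.get("sourceAddressPrefix")
    return rule.get("sourceAddressPrefixes") or ([single] if single else [])


def audit_nsg(rules, cloudflare_ranges):
    """Return (rogue, missing).

    rogue:   (rule name, source) pairs that admit traffic from outside Cloudflare,
             including '*', 'Internet' and other service tags (not parseable as IP networks).
    missing: Cloudflare prefixes that no inbound Allow rule fully covers.
    """
    cf = [ipaddress.ip_network(p, strict=False) for p in cloudflare_ranges]
    allowed, rogue = [], []
    for rule in rules:
        if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
            continue  # Deny rules and outbound rules do not widen exposure
        for src in _sources(rule):
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                rogue.append((rule["name"], src))  # wildcard or service tag: review by hand
                continue
            allowed.append(net)
            # subnet_of() only accepts same-family networks, hence the version check first
            if not any(net.version == c.version and net.subnet_of(c) for c in cf):
                rogue.append((rule["name"], src))
    missing = [str(c) for c in cf
               if not any(a.version == c.version and c.subnet_of(a) for a in allowed)]
    return rogue, missing
```

A clean result is an empty `rogue` list and an empty `missing` list; anything in `missing` with a colon in it is exactly the IPv6 range the NSG still lacks.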