SSL Termination for AI Endpoints with Azure NGINX

Question

Pulumi · Accepted Answer

When setting up SSL termination for AI endpoints using Azure NGINX, you generally want to establish a secure listener for incoming traffic, which then gets decrypted (SSL termination) so that your NGINX can process the requests in plaintext. This technique is commonly used for performance reasons and to centralize the SSL termination process for multiple services.

Since the Pulumi Registry Results suggest using Azure Front Door or Azure Application Gateway for SSL termination, I will create an example with Azure Front Door as it provides global load balancing capabilities with SSL termination.

In this Pulumi program, I will define the following resources:

1. **FrontDoor**: A resource that represents Azure Front Door itself. It enables you to define how traffic is routed to the backend pools and can be configured to terminate SSL at the routing level.

2. **BackendPool**: This is where you specify your AI endpoint. Front Door will forward the decrypted traffic to this endpoint after terminating the SSL.

3. **HealthProbeSettings**: Defines how Azure Front Door will probe the backend to ensure it is healthy and able to receive traffic.

4. **RoutingRule**: Determines how requests are forwarded to backend pools and potentially rewritten before they are sent to the backend.

5. **FrontendEndpoint**: For SSL termination, we define a custom domain and certificate to use with our Front Door instance.

Below is a Python program that uses Pulumi to create an Azure Front Door resource to route and terminate SSL for AI endpoints with NGINX on Azure.

```python
import pulumi
import pulumi_azure_native as azure_native

# Create an Azure resource group
resource_group = azure_native.resources.ResourceGroup('example-resources')

# Define the frontend endpoint with SSL settings (using Azure-managed certificates for simplicity)
fd_frontend_endpoint = azure_native.network.FrontendEndpoint(
    "fdFrontendEndpoint",
    resource_group_name=resource_group.name,
    front_door_name="example-frontdoor",
    name="exampleFrontendEndpoint",
    session_affinity_enabled_state="Disabled",
    session_affinity_ttl_seconds=0,
    web_application_firewall_policy_link=None,
    # Hosting your own domain, you would use 'CustomHttpsConfiguration' here with your certificate details
    custom_https_provisioning_state="Enabled",
    custom_https_configuration=azure_native.network.customHttpsConfigurationArgs(
        certificate_source="FrontDoor",
    ),
)

# Define the backend pool with your AI endpoint
fd_backend_pool = azure_native.network.BackendPool(
    "fdBackendPool",
    resource_group_name=resource_group.name,
    front_door_name="example-frontdoor",
    name="exampleBackendPool",
    backends=[azure_native.network.BackendArgs(
        address="nginxaiendpoint.example.com",  # Replace with your NGINX AI Endpoint domain
        http_port=80,
        https_port=443,
        enabled_state="Enabled",
        weight=50,
        priority=1,
    )],
)

# Define routing rules
fd_routing_rule = azure_native.network.RoutingRule(
    "fdRoutingRule",
    resource_group_name=resource_group.name,
    front_door_name="example-frontdoor",
    name="exampleRoutingRule",
    frontend_endpoints=[
       fd_frontend_endpoint.name,
    ],
    accepted_protocols=["Https"],
    patterns_to_match=["/*"],
    route_configuration=azure_native.network.ForwardingConfigurationArgs(
        forwarding_protocol="HttpsOnly",
        backend_pool=fd_backend_pool.id,
    ),
)

# Define health probe settings
fd_health_probe_settings = azure_native.network.HealthProbeSettingsModel(
    "fdHealthProbeSettings",
    resource_group_name=resource_group.name,
    front_door_name="example-frontdoor",
    name="exampleHealthProbeSettings",
    protocol="Https",
    path="/health",
    interval_in_seconds=30,
)

# Create the Front Door instance
front_door = azure_native.network.FrontDoor(
    "example-frontdoor",
    resource_group_name=resource_group.name,
    location="global",
    tags={
        "environment": "production",
    },
    backend_pools=[fd_backend_pool],
    health_probe_settings=[fd_health_probe_settings],
    routing_rules=[fd_routing_rule],
    frontend_endpoints=[fd_frontend_endpoint]
)

# Output the endpoint URL
pulumi.export('endpoint_url', fd_frontend_endpoint.host_name)
```

In this program, we have set up a simple Front Door service with default settings for illustration purposes. The backend endpoint should be replaced with your actual NGINX AI Endpoint. Health probe settings allow Front Door to check the health of your backend before sending traffic to it. Since we're using Azure-managed certificates in this example, `CustomHttpsConfigurationArgs` is set to source from `FrontDoor`.

Ensure that you have the necessary DNS setup for your domain and access to the SSL certificate required for the frontend endpoint. If you are hosting your domain and SSL certificate, update `CustomHttpsConfigurationArgs` accordingly. The program outputs the hostname for the frontend endpoint, which you can use to access your Front Door service over HTTPS.