Azure Virtual Machines (Windows-based, for the sake of this post) come with only one public IP address in the standard out-of-box configuration.
This is OK for hosting multiple websites on a single VM if they only run on HTTP (port 80). TL;DR: use host headers.
However, for HTTPS, SSL restricts you to one public IP address per URL.
For instance: if you have two domain names, abc123.com and xyz456.com, and one IP address, 22.214.171.124, for your VM named vm1 in the cloud service named cs1, you can configure only one of these domains to use HTTPS on your one Azure VM.
To configure both domains to use SSL (HTTPS) on your Azure VM, you have to add another public IP address to the VM, for instance, 126.96.36.199. But the Azure web portal does not allow additional public IP addresses (Virtual Machines-Dashboard-Look for Public Virtual IP Address); that is, the IP address is assigned on creation and there are no graphical tools to add new public VIPs.
This issue plagued me for a while until I decided to confront it headlong with Azure PowerShell. I came up with a set of repeatable steps based on current (as-of-original-post-date) Azure features and limitations.
Disclaimer: This post is essentially an adaptation of Azure’s official post on Configuring Multiple IPs for Load Balancing.
- Install Azure PowerShell on your local Windows machine
- Start Azure PowerShell by typing in the following term in the search box:
This will bring up a window similar to a regular PowerShell window.
- Type in the following command in Azure PowerShell:
This will pop up a browser window. Use your Azure Management Portal email address and password to log in.
If successful, this will return results in the PowerShell window with the following fields: Id (your email address), Type (user), Subscriptions (guid), Tenants (guid)
- Download the Azure Publish Settings file from your Azure account using the following command in Azure PowerShell:
This will open a browser window that shows the settings file being downloaded. Note the download file path, for instance: C:\Users\Downloads\-credentials.publishsettings
- Import the Azure Publish Settings into Azure Powershell using the downloaded file:
- Retrieve the Virtual IPs associated with your Cloud Service cs1 that hosts the Virtual Machine vm1:
(Get-AzureDeployment -ServiceName cs1).VirtualIPs
- This will return a list of VIPs used by the cloud service cs1:
Address : 188.8.131.52
IsDnsProgrammed : True
Name : Vip1
Name : Vip2
Note: Vip1 is the default VIP for the service, as evidenced by the IsDnsProgrammed variable being set to True for that VIP. Vip2 is assigned to the cloud service but doesn’t have a public IP associated with it. If you see additional unassigned VIPs, it’s your choice whether to create another VIP or use an existing unassigned one. For convenience’s sake, we will ignore existing ones moving forward in this post.
- Add a new virtual IP (say, Vip3) to cloud service cs1:
Add-AzureVirtualIP -VirtualIPName Vip3 -ServiceName cs1
This will give you a result with OperationDescription (command name), OperationId (guid) and OperationStatus (Succeeded, if it worked).
Note: At this point, running the VIP list command (previous bullet) will return Vip3 with no public IP assigned to it.
- Associate this Virtual IP to an endpoint on the virtual machine vm1:
Get-AzureVM -ServiceName cs1 -Name vm1 | Add-AzureEndpoint -Name https2 -Protocol tcp -LocalPort 444 -PublicPort 443 -VirtualIPName Vip3 | Update-AzureVM
Note: This operation creates a new public IP, binds it to the Virtual IP Vip3 of cloud service cs1, and maps port 443 of the public IP to port 444 of the VM under the endpoint name https2. This is essentially the second SSL binding to this VM.
Note: At this point, running the VIP list command (previous bullet) will return Vip3 with a public IP assigned to it, for instance, 184.108.40.206
- Important! In most cases, the additional port configuration won’t work unless you log in to the Virtual Machine vm1 and open up port 444 in the firewall to allow incoming TCP traffic.
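One way to do the firewall step from PowerShell on vm1, as an added example that is not part of the original post: it opens only inbound TCP 444 (the LocalPort used in the endpoint above) if no enabled allow rule already covers it, then checks that something is listening there. The rule name and the function name are assumptions, and the NetSecurity cmdlets it uses require Windows Server 2012 or later.

```powershell
# Added example: run in an elevated PowerShell session on vm1.
$port     = 444                                # LocalPort from the Add-AzureEndpoint step
$ruleName = 'HTTPS second binding (TCP 444)'   # hypothetical rule name

function Test-InboundAllowRule {
    param([int]$Port)
    # True if an enabled inbound allow rule already covers exactly this TCP port.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$Port") {
            return $true
        }
    }
    return $false
}

if (Test-InboundAllowRule -Port $port) {
    Write-Output "An inbound allow rule for TCP $port already exists; nothing to add."
}
else {
    # Scope the rule to the single port the endpoint forwards to, nothing wider.
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound `
                        -Protocol TCP `
                        -LocalPort $port `
                        -Action Allow | Out-Null
    Write-Output "Created inbound allow rule '$ruleName' for TCP $port."
}

# An open firewall port is not enough: the second site must actually be bound to 444.
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Output "A process is listening on TCP $port."
}
else {
    Write-Warning "Nothing is listening on TCP $port yet; check the site's HTTPS binding."
}
```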
Additional Note: Configure the DNS settings on your DNS host so that each domain points to its public IP. This should be a straightforward process. Usually no additional setup is needed on that side for SSL to work.
Additional Note 2: Please see IP Address pricing for information on pricing on VIPs and reserved IPs.
Additional Note 3: Please excuse the “no illustrations” approach of this post.