# Using a custom domain

This page is for TRE developers only; there is nothing here for TRE users.
The SDE as deployed in Azure gets a URL in the cloudapp.azure.com domain. To use a custom domain instead, e.g. sde.bartshealth.nhs.uk, there are a few steps to go through:

- Add redirect URIs for your custom domain to the app registration.
- Obtain an SSL certificate for your domain.
- Provide a DNS CNAME entry from the custom hostname to the hostname in Azure.
- Upload the certificate to the SDE key vault in Azure.
- Configure the Application Gateway to use the certificate.
## Add redirects for your custom domain

Documentation for this will appear in the TRE codebase at some point, but it isn't released yet. Until then: go to App registrations in the Azure portal and find your application. You want the UX app registration, not the API one.
![05 App Registrations](https://private-user-images.githubusercontent.com/153200306/364473241-7a4beaa4-eadd-4a34-8d04-f10e586f804d.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDczMjQxLTdhNGJlYWE0LWVhZGQtNGEzNC04ZDA0LWYxMGU1ODZmODA0ZC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1jMzk2NDVjOWM0YThjMDAyMjJiZjdmNTI1N2RlMTE2YjFkYTg5MWIyMDZiYWY5ZmI3N2NkZWE5MGNlMmVjNmNmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.FpU_xS2VsG_THL-uefT4L8AI9ksQRqm265LCgJsQrhM)
Go to Manage -> Authentication, then + Add a platform. Choose Single page application.
![06 Add platform](https://private-user-images.githubusercontent.com/153200306/364473862-51804264-0eac-42f5-bfa2-0c4d90ec6b39.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDczODYyLTUxODA0MjY0LTBlYWMtNDJmNS1iZmEyLTBjNGQ5MGVjNmIzOS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zM2Y2NmMxMmI4ZDYwOTRiZjAxZGQyYWUwMDYwMzUxNmUzMGE5OTljYWU0MzJjYTVlNDZhNGRmYTQ5MGM1YmE4JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.C0QGrCWyTQXO79QQVc78Y4W2BEHQnlyhDnRud-bXZMA)
Add your custom domain URL there, with the https:// prefix and no trailing /. Entra ID matches redirect URIs exactly, so https://sde.bartshealth.nhs.uk and https://sde.bartshealth.nhs.uk/ are different entries. Click Configure.

Click + Add a platform again and repeat with the URL https://<your-domain>/api/docs/oauth2-redirect (the OAuth2 callback used by the API's Swagger UI). Your list of redirect URIs should then look something like this:
![07 Redirect URIs](https://private-user-images.githubusercontent.com/153200306/364475725-603c9f89-a35d-4058-b6d4-ecfe73b43146.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDc1NzI1LTYwM2M5Zjg5LWEzNWQtNDA1OC1iNmQ0LWVjZmU3M2I0MzE0Ni5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02ZWRmNzQ4OGE4NzZiYmNiNDhmOThmMTFiNTRlNjBhMzNkODA4Y2NhZTk1MThiNTU2OTA0ZWY3NWMzYzZhYjc3JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.ASjXlX4yqjvgnkmCWeEFUAsfLa_-ChIVjqvuWG-4t04)
## Obtain an SSL certificate for your domain

This involves sending an email to someone, and handing over some money. Ask Steven how.

You will need the certificate as a <something>.pfx file, and the password for that file. The .pfx must contain the private key, and should also contain the intermediate CA certificate, because the Application Gateway serves only what is in the bundle and a leaf-only bundle gives clients an incomplete chain.

Note that the TRE documentation refers to using a custom domain with a certificate managed by Let's Encrypt, but that doesn't work with bartshealth.nhs.uk. The domain restricts certificate issuance to DigiCert (the kind of policy a DNS CAA record enforces), so a Let's Encrypt request will be refused and the TRE's letsencrypt step will fail.
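Before the .pfx goes anywhere near Key Vault it is worth checking it offline: that the password is right, that the certificate actually covers the hostname, that it has not expired, and that the intermediate CA is in the bundle, plus a look at which CAs the domain's CAA policy allows. The script below is an added example, not TRE project code; it uses only openssl and dig, and the file, password and hostname are arguments rather than anything from the deployment.

```shell
#!/bin/sh
# check_cert.sh: pre-flight checks for a .pfx before it is imported into Key Vault.
# Added example (not part of the TRE codebase). Needs openssl and dig only.
# Usage: sh check_cert.sh <file.pfx> <pfx-password> <custom hostname>
set -eu

# Escape dots so the hostname can be used inside a grep ERE.
host_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_pfx FILE PASSWORD HOSTNAME
# Returns 0 when FILE opens with PASSWORD, the leaf certificate covers HOSTNAME
# (SAN or CN) and has not expired; warns about near expiry and a missing chain.
check_pfx() {
  pfx=$1; pass=$2; host=$3
  # A wrong password (or a non-PKCS#12 file) makes openssl exit non-zero.
  # Old .pfx files encrypted with RC2 need "-legacy" on OpenSSL 3.
  leaf=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null) || {
    echo "FAIL: cannot open $pfx (wrong password or not a PKCS#12 file)" >&2
    return 1
  }
  printf '%s\n' "$leaf" | openssl x509 -noout -subject -issuer -dates
  re=$(host_re "$host")
  if printf '%s\n' "$leaf" | openssl x509 -noout -ext subjectAltName 2>/dev/null | grep -qE "DNS:$re(,|$)" \
     || printf '%s\n' "$leaf" | openssl x509 -noout -subject | grep -qE "CN ?= ?$re(,|$)"; then
    echo "OK: certificate covers $host"
  else
    echo "FAIL: certificate does not cover $host" >&2
    return 1
  fi
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired" >&2
    return 1
  fi
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 2592000 >/dev/null; then
    echo "WARN: certificate expires within 30 days"
  fi
  # Key Vault stores the whole bundle and App Gateway serves exactly that, so a
  # .pfx without the intermediate CA leaves clients with an incomplete chain.
  n=$(openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pass" 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$n" -gt 1 ] || echo "WARN: only the leaf certificate is in the bundle; include the intermediate CA"
  return 0
}

# check_caa NAME
# Prints the CAA records that apply to NAME, walking up to the parent zones,
# since CAA is inherited from the closest ancestor that has a record. For
# bartshealth.nhs.uk this is where the DigiCert-only policy should show up.
check_caa() {
  name=$1
  while :; do
    rr=$(dig +short CAA "$name")
    if [ -n "$rr" ]; then
      printf 'CAA for %s:\n%s\n' "$name" "$rr"
      return 0
    fi
    case $name in *.*) name=${name#*.} ;; *) break ;; esac
  done
  echo "no CAA record found for $1 or its parents: any CA may issue"
}

if [ $# -eq 3 ]; then
  check_pfx "$1" "$2" "$3"
  check_caa "$3"
fi
```

Run it as `sh check_cert.sh sde.pfx 'the-password' sde.bartshealth.nhs.uk`. A non-zero exit means the file should not be imported; the WARN lines are worth fixing but will not stop the import.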
## Provide a DNS CNAME entry

The CNAME maps your custom hostname (sde.bartshealth.nhs.uk) to the <something>.cloudapp.azure.com hostname of the Application Gateway's public IP. This also involves an email, but no money (AFAIK). Ask Steven, again...
## Upload the certificate to the SDE in Azure

Go to the key vault in your core resource group, then Objects -> Certificates; you should see one called letsencrypt. That's the one that needs updating. It's unfortunate they gave it that name, but we're stuck with it unless we want to modify the code.
![01 keyvault](https://private-user-images.githubusercontent.com/153200306/364460832-ed4df8fa-26cd-416a-a7ec-db91c5b5a0ba.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDYwODMyLWVkNGRmOGZhLTI2Y2QtNDE2YS1hN2VjLWRiOTFjNWI1YTBiYS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yNGYwYWJhNDc1OWRmYTAwNjUzMGVmYTg5NjQyMzU5ZjAwNDY0MzYxZTZjMDgyMjFmMDQ1ODI4YWViMGU5ZmVjJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.0JxzCGcbuGOMgWkVCUNMaLkibBPj9PCNXq0RgJwp40E)
Click letsencrypt, then + New Version. Change the Method of Certificate Creation to Import, locate the certificate file on your local drive, and put in the password. Then Create, and your certificate should be correctly imported. Check that your new certificate is the current one, and that the import and expiry dates are as you expect.
![02 certificate](https://private-user-images.githubusercontent.com/153200306/364461468-9ead3270-8aeb-466b-ab3a-22d2aa3debe1.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDYxNDY4LTllYWQzMjcwLThhZWItNDY2Yi1hYjNhLTIyZDJhYTNkZWJlMS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT04MGE1NDA2ZDhkYmMzYjZmZGU4MzFjMWRjMjU3OTY4MjZjYzdhOThlMTNkMTU2NDA3ZjVjMDg4MGQzZmVmODFlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.nYTgeUexoHUq-qgZLTngLfYu34WkyhhcFHO1YK6rKYk)
## Configure the Application Gateway to use the certificate

Now that your certificate is in the key vault, you have to tell the Application Gateway to use it. Go to Application Gateways in the Azure portal, find the one with your TRE ID in the name, and click on it. Then go to Settings -> Listeners, then the Listener TLS Certificates tab.
![03 Listeners](https://private-user-images.githubusercontent.com/153200306/364463090-a79b18cc-23cd-4a8b-a122-0df63c15e5cb.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDYzMDkwLWE3OWIxOGNjLTIzY2QtNGE4Yi1hMTIyLTBkZjYzYzE1ZTVjYi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0wYjhhMTQ1ZTczYjQ0NTRkNjgyNGYzZDJiN2QyMzZmYjhiZjZhZDVlODViMmRmMDIwMWNhMmMyYTliOGQyYTEzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.jK7a0Ufep4N88p3elAzv4B9FFADw8N7Vf2LE9BFGOrY)
Click + Add certificate, select Choose a certificate from Key Vault, provide a name, then find your key vault from the dropdown, and choose the letsencrypt certificate.
![04 Add listener certificate](https://private-user-images.githubusercontent.com/153200306/364465018-32b161a7-5458-4de0-a760-9df3439ba2c8.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzkzNDcxMjYsIm5iZiI6MTczOTM0NjgyNiwicGF0aCI6Ii8xNTMyMDAzMDYvMzY0NDY1MDE4LTMyYjE2MWE3LTU0NTgtNGRlMC1hNzYwLTlkZjM0MzliYTJjOC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMjEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDIxMlQwNzUzNDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iMmJjZmViNTZhNTBlNTRiMjcwMjQ1ODIwNGY5YWZjOWJmMjVlNWQxYmU0Zjk2YjE0NzVlMjEwNzczYzY5ZGQyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.loJU8XEXmJRFczL-20MlflWDmbuogdkDjQ3nnJjnKIE)
Go back to the Listeners tab, double-click on httplstn-secure. From the Certificate dropdown, choose the certificate you just uploaded, and Save.
That should be all you need to do. Enter your custom domain in the browser and it should take you to your SDE. Check that the browser shows no certificate warning and that the certificate it presents is the one you imported (same issuer and expiry date), not the old one.
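The same five steps done with the Azure CLI instead of the portal, as an added example (this is not code from the TRE project). It assumes the TRE naming convention rg-<TRE_ID>, agw-<TRE_ID> and kv-<TRE_ID> for the core resource group, Application Gateway and key vault, the listener name httplstn-secure from above, and a hypothetical gateway certificate name custom-domain-cert; the UX app registration's client id, the custom hostname and the .pfx are passed as arguments.

```shell
#!/bin/sh
# custom-domain.sh: redirect URIs, CNAME target, Key Vault import, gateway binding.
# Added example, not TRE project code. Resource names rg-/agw-/kv-<TRE_ID> are
# assumed from the TRE deployment convention; adjust if yours differ.
# Usage: sh custom-domain.sh <TRE_ID> <custom hostname> <UX app client id> <cert.pfx> <pfx password>
set -eu

# The two SPA redirect URIs exactly as the page requires: https:// prefix,
# no trailing slash, plus the /api/docs/oauth2-redirect callback.
redirect_uris() {
  case $1 in
    http://*) echo "redirect URI must use https" >&2; return 1 ;;
    https://*) base=$1 ;;
    *) base="https://$1" ;;
  esac
  base=${base%/}
  printf '%s %s\n' "$base" "$base/api/docs/oauth2-redirect"
}

# Unversioned Key Vault secret id: the gateway then follows new versions of the
# certificate on its own, so a renewal only needs the import step repeated.
kv_secret_id() { printf 'https://%s.vault.azure.net/secrets/%s\n' "$1" "$2"; }

add_redirects() {   # APP_ID HOSTNAME
  # --spa-redirect-uris replaces the whole list, so keep what is already there.
  existing=$(az ad app show --id "$1" --query 'spa.redirectUris' -o tsv | tr '\n' ' ')
  az ad app update --id "$1" --spa-redirect-uris $existing $(redirect_uris "$2")
}

cname_target() {    # RG AGW -> the <x>.cloudapp.azure.com name the CNAME must point at
  pip=$(az network application-gateway show -g "$1" -n "$2" \
          --query 'frontendIPConfigurations[].publicIPAddress.id' -o tsv | head -n1)
  az network public-ip show --ids "$pip" --query dnsSettings.fqdn -o tsv
}

import_cert() {     # KV PFX PASSWORD
  # The TRE key vault object is called "letsencrypt" whichever CA issued the cert.
  # The password goes on the command line, so run this from a shell with history
  # off (or read it from a protected file) and never commit it to a script.
  az keyvault certificate import --vault-name "$1" -n letsencrypt -f "$2" --password "$3" -o none
}

bind_cert() {       # RG AGW KV CERTNAME
  # Needs the gateway's managed identity to be able to read secrets in the key
  # vault; the TRE deployment already grants that for the existing listener cert.
  az network application-gateway ssl-cert create -g "$1" --gateway-name "$2" \
      -n "$4" --key-vault-secret-id "$(kv_secret_id "$3" letsencrypt)" -o none
  az network application-gateway http-listener update -g "$1" --gateway-name "$2" \
      -n httplstn-secure --ssl-cert "$4" -o none
}

verify_tls() {      # HOSTNAME -> subject, issuer and validity of the cert actually served
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

if [ $# -eq 5 ]; then
  tre_id=$1; host=$2; app_id=$3; pfx=$4; pass=$5
  rg="rg-$tre_id"; agw="agw-$tre_id"; kv="kv-$tre_id"
  add_redirects "$app_id" "$host"
  echo "Create a CNAME: $host -> $(cname_target "$rg" "$agw")"
  import_cert "$kv" "$pfx" "$pass"
  bind_cert "$rg" "$agw" "$kv" custom-domain-cert
  verify_tls "$host"
fi
```

The read-modify-write in add_redirects is there because the CLI replaces the redirect list rather than appending to it; dropping the existing cloudapp.azure.com entries would break the old URL. Because the gateway certificate references the unversioned secret, the next renewal only needs the Key Vault import: the gateway polls Key Vault on an interval of some hours, so either wait or re-run the listener update to force the switch, and confirm with verify_tls either way.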