Merge pull request #260203 from MGoedtel/bug189831

prmerger-automator[bot] · web-flow · commit 2c6cbdb895e8 · 2023-12-04T20:22:46.000Z
Clarified details about KV cert in AKS article
diff --git a/articles/aks/app-routing-dns-ssl.md b/articles/aks/app-routing-dns-ssl.md
@@ -4,7 +4,7 @@ description: Understand the advanced configuration options that are supported wi
 ms.subservice: aks-networking
 ms.custom: devx-track-azurecli
 ms.topic: how-to
-ms.date: 11/21/2023
+ms.date: 12/04/2023
 ---
 
 #  Set up advanced Ingress configurations with the application routing add-on
@@ -106,11 +106,11 @@ az aks approuting update -g <ResourceGroupName> -n <ClusterName> --enable-kv --a
 
 ## Enable Azure DNS integration
 
-To enable support for DNS zones, see the following prerequisites:
+To enable support for DNS zones, review the following prerequisite:
 
-* The app routing add-on can be configured to automatically create records on one or more Azure public and private DNS zones for hosts defined on Ingress resources. All global Azure DNS zones need to be in the same resource group, and all private Azure DNS zones need to be in the same resource group. If you don't have an Azure DNS zone, you can [create one][create-an-azure-dns-zone].
+* The app routing add-on can be configured to automatically create records on one or more Azure public and private DNS zones for hosts defined on Ingress resources. All public Azure DNS zones need to be in the same resource group, and all private Azure DNS zones need to be in the same resource group. If you don't have an Azure DNS zone, you can [create one][create-an-azure-dns-zone].
 
-### Create a global Azure DNS zone
+### Create a public Azure DNS zone
 
 > [!NOTE]
 > If you already have an Azure DNS Zone, you can skip this step.
@@ -148,11 +148,17 @@ The application routing add-on creates an Ingress class on the cluster named *we
     az keyvault certificate show --vault-name <KeyVaultName> -n <KeyVaultCertificateName> --query "id" --output tsv
     ```
 
+   The following example output shows the certificate URI returned from the command:
+
+    ```output
+    https://KeyVaultName.vault.azure.net/certificates/KeyVaultCertificateName/ea62e42260f04f17a9309d6b87aceb44
+    ```
+
 2. Copy the following YAML manifest into a new file named **ingress.yaml** and save the file to your local computer.
 
-    > [!NOTE]
-    > Update *`<Hostname>`* with your DNS host name and *`<KeyVaultCertificateUri>`* with the ID returned from Azure Key Vault.
-    > The *`secretName`* key in the `tls` section defines the name of the secret that contains the certificate for this Ingress resource. This certificate will be presented in the browser when a client browses to the URL defined in the `<Hostname>` key. Make sure that the value of `secretName` is equal to `keyvault-` followed by the value of the Ingress resource name (from `metadata.name`). In the example YAML, secretName will need to be equal to `keyvault-<your Ingress name>`.
+   Update *`<Hostname>`* with the name of your DNS host and *`<KeyVaultCertificateUri>`* with the URI returned from the command to query Azure Key Vault in step 1 above. The string value for `*<KeyVaultCertificateUri>*` should only include `https://yourkeyvault.vault.azure.net/certificates/certname`. The *Certificate Version* at the end of the URI string should be omitted in order to get the current version.
+
+   The *`secretName`* key in the `tls` section defines the name of the secret that contains the certificate for this Ingress resource. This certificate is presented in the browser when a client browses to the URL specified in the `<Hostname>` key. Make sure that the value of `secretName` is equal to `keyvault-` followed by the value of the Ingress resource name (from `metadata.name`). In the example YAML, `secretName` needs to be equal to `keyvault-<your Ingress name>`.
 
     ```yml
     apiVersion: networking.k8s.io/v1
@@ -233,7 +239,7 @@ Learn about monitoring the Ingress-nginx controller metrics included with the ap
 [az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
 [az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
 [create-and-export-a-self-signed-ssl-certificate]: #create-and-export-a-self-signed-ssl-certificate
-[create-an-azure-dns-zone]: #create-a-global-azure-dns-zone
+[create-an-azure-dns-zone]: #create-a-public-azure-dns-zone
 [azure-dns-overview]: ../dns/dns-overview.md
 [az-keyvault-certificate-show]: /cli/azure/keyvault/certificate#az-keyvault-certificate-show
 [prometheus-in-grafana]: app-routing-nginx-prometheus.md
diff --git a/articles/aks/app-routing-migration.md b/articles/aks/app-routing-migration.md
@@ -121,7 +121,7 @@ After migrating to the application routing add-on, learn how to [monitor Ingress
 
 <!-- INTERNAL LINKS -->
 [install-azure-cli]: /cli/azure/install-azure-cli
-[app-routing-dns-create]: ./app-routing-dns-ssl.md#create-a-global-azure-dns-zone
+[app-routing-dns-create]: ./app-routing-dns-ssl.md#create-a-public-azure-dns-zone
 [app-routing-dns-configure]: ./app-routing-dns-ssl.md#attach-azure-dns-zone-to-the-application-routing-add-on
 
 <!-- EXTERNAL LINKS -->
