We have a two-node SQL Server 2016 AOAG, TestA, TestB and listener TestL. We want to begin using encrypted connections between the app server/client and the db server.
I have found the section below in two MS documents about implementing connection encrypting. Just wanted to know if this holds true for AOAGs? I suspect it does since AOAG does require the use of a failover cluster, but would like confirmation.
Encryption on a Cluster
If you want to use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the failover clustered instance on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.your company.com and test2. your company.com and a failover clustered instance of SQL Server named fcisql, you must obtain a certificate for fcisql.your company.com and install the certificate on both nodes. To configure the failover cluster for encryption, you can then select the ForceEncryption check box on the Protocols for property box of SQL Server Network Configuration
Best Answer
First for an AG you need to Force Protocol Encryption on each instance participating in the AG. With an FCI there is only one instance.
Also with an AG clients can connect to the AG Listener, and they can connect to the instances directly. So you have to configure the certificates accordingly. See https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover#SSLcertificates
Note, that this configuration is not required to have protocol encryption. It's required to authenticate the SQL Server to the clients. If you merely want protocol encryption, clients may always request it, or you can force it on the server with a self-signed certificate.