Application Authorization Framework / AAF-1191

Create new API operation to create server side certificate


    • Story
    • Resolution: Won't Do
    • Medium
    • Guilin Release

      The existing API operation to create a certificate is PUT /cert/:ca. This API is not to be changed in any way whatsoever.

      Create a new API, PUT /cert/server/:ca, which creates a server-side certificate. The logic is essentially the same, except that the mechid IS NOT inserted into the certificate as the OU, and if the request originates from the LGW, no DNS lookup is performed for the FQDN in the certificate SANs.

      This API uses a whitelist of request sources that are treated as "special". The whitelisted IP addresses represent the LGW that forwards the request from the Azure bastion. If the request comes from a whitelisted source, the DNS lookup is bypassed. Other implementations that do not use the LGW may use this as well.
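
The source check and DNS bypass described above, sketched as an added example (not code from the ticket or from the AAF project). The allowlist range, the function names and the reading of "DNS lookup" as "the FQDN must resolve" are assumptions; the source is taken from the directly connected peer address, never from a forwarded header.

```python
import ipaddress
import socket

# Constructed allowlist (documentation range) standing in for the LGW addresses.
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.16/28")]

def is_trusted_source(peer_ip, trusted=TRUSTED_SOURCES):
    """True only if the directly connected peer address is allowlisted."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable source fails closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; normalize first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in trusted)

def dns_resolves(fqdn):
    """Default lookup (assumed semantics): the FQDN resolves to an address."""
    try:
        return bool(socket.getaddrinfo(fqdn, None))
    except (socket.gaierror, UnicodeError):
        return False

def check_sans(peer_ip, sans, resolves=dns_resolves, trusted=TRUSTED_SOURCES):
    """Return (accepted, decisions) for the SAN FQDNs of one request.

    decisions maps each FQDN to "dns-bypassed", "dns-ok" or "dns-failed",
    so every bypass is recorded for audit instead of happening silently.
    """
    bypass = is_trusted_source(peer_ip, trusted)
    decisions = {}
    for fqdn in sans:
        if bypass:
            decisions[fqdn] = "dns-bypassed"
        else:
            decisions[fqdn] = "dns-ok" if resolves(fqdn) else "dns-failed"
    # An empty SAN list is rejected; any failed lookup rejects the request.
    accepted = bool(decisions) and "dns-failed" not in decisions.values()
    return accepted, decisions
```

Because an allowlisted source skips the lookup entirely, the `decisions` map is the only record of which FQDNs were issued without DNS validation.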

            sphassan sphassan