Introduction to Custom Domains and SSL in Azure App Service
Azure App Service allows you to map your custom domain names (e.g., www.yourcompany.com) to your web apps. This provides a professional identity and improves discoverability. Secure your custom domains with SSL/TLS certificates to enable HTTPS, ensuring encrypted communication between your users and your application.
Important: Properly configuring custom domains and SSL is crucial for branding, security, and SEO. Ensure you have the necessary DNS records and SSL certificates ready.
Prerequisites
- An Azure subscription.
- An existing Azure App Service web app.
- A custom domain name registered with a domain registrar.
- Access to your domain registrar's DNS management settings.
- An SSL/TLS certificate (if you are not using App Service Managed Certificates).
Adding a Custom Domain to Your App Service
To add a custom domain, you need to create DNS records that point your domain to your App Service. You can choose to map either a root domain (e.g., yourcompany.com) or a subdomain (e.g., www.yourcompany.com).
DNS Record Types:
- A Record: Maps a domain name to an IPv4 address.
- CNAME Record: Maps a domain name to another domain name.
Steps:
- Navigate to your App Service in the Azure portal.
- In the left-hand navigation menu, select Custom domains under the "Settings" section.
- Click Add custom domain.
- Enter your custom domain name (e.g., www.yourcompany.com or yourcompany.com).
- Click Validate. Azure will provide you with the necessary DNS records (usually a CNAME record for subdomains and an A record with the App Service's IP address for root domains, along with a TXT record for verification).
- Go to your domain registrar's DNS management portal and create the required DNS records.
- Wait for DNS propagation (this can take a few minutes to several hours).
- Once validation is successful, click Add custom domain again to finalize the mapping.
Note: For root domains, it's recommended to use an A record pointing to the App Service's virtual IP address and a TXT record for verification. For subdomains like 'www', a CNAME record pointing to your App Service's default domain (e.g., yourapp.azurewebsites.net) is typically used.
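A pre-flight check for the records described above, as an added example that is not part of the original page or of Azure's tooling: it compares the records the portal asked for with what a DNS lookup returned, normalising case, trailing dots and TXT quoting. The IP address and verification value are constructed placeholders, the `asuid` TXT name is assumed from Azure's naming convention (use whatever the portal shows), and the observed records are embedded rather than fetched.

```python
"""Compare DNS records required by Azure with records observed in a lookup."""

def _norm_name(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

def _norm_value(rtype, value):
    value = value.strip()
    if rtype == "TXT":
        # Lookup tools print TXT data in double quotes; the token is compared as-is.
        return value.strip('"')
    if rtype == "CNAME":
        return _norm_name(value)
    return value  # A record: dotted IPv4 string

def check_records(expected, observed):
    """Return a list of problems; an empty list means the records are ready to validate."""
    seen = {}
    for name, rtype, value in observed:
        rtype = rtype.upper()
        seen.setdefault((_norm_name(name), rtype), set()).add(_norm_value(rtype, value))
    problems = []
    for name, rtype, value in expected:
        rtype = rtype.upper()
        got = seen.get((_norm_name(name), rtype))
        if got is None:
            problems.append(f"missing {rtype} record for {name}")
        elif _norm_value(rtype, value) not in got:
            problems.append(f"{rtype} record for {name} is {sorted(got)}, expected {value}")
    # A CNAME cannot share its name with other record types, so flag that too.
    for name, rtype in seen:
        if rtype == "CNAME" and any(n == name and t != "CNAME" for n, t in seen):
            problems.append(f"{name} has a CNAME alongside other records")
    return problems

# Constructed sample: what the portal asked for (placeholder values).
EXPECTED = [
    ("www.yourcompany.com", "CNAME", "yourapp.azurewebsites.net"),
    ("yourcompany.com", "A", "203.0.113.10"),
    ("asuid.yourcompany.com", "TXT", "PLACEHOLDER-VERIFICATION-ID"),
]
# Constructed sample: what a lookup returned (the CNAME target has a typo).
OBSERVED = [
    ("WWW.yourcompany.com.", "CNAME", "yourap.azurewebsites.net."),
    ("yourcompany.com.", "A", "203.0.113.10"),
    ("asuid.yourcompany.com.", "TXT", '"PLACEHOLDER-VERIFICATION-ID"'),
]
```

Calling `check_records(EXPECTED, OBSERVED)` reports only the mistyped CNAME target; the case and trailing-dot differences are not treated as errors.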
Configuring SSL/TLS for Your Custom Domain
Securing your custom domain with SSL/TLS is essential for encrypted traffic. Azure App Service supports several ways to manage SSL certificates.
Options for SSL Certificates:
- App Service Managed Certificates: Free, auto-renewing SSL certificates managed by Azure. This is the recommended option for most scenarios.
- Import App Service Certificate: Purchase and manage certificates through Azure.
- Upload Your Own Certificate: Upload a PFX file containing your certificate and private key.
Steps to Bind an SSL Certificate:
- In the Azure portal, navigate to your App Service and select TLS/SSL settings under "Settings".
- Go to the Private Key Certificates (.pfx) tab or the App Service Managed Certificates tab, depending on your chosen method.
- If using App Service Managed Certificates, click Create App Service Managed Certificate and select your custom domain.
- If uploading or importing, follow the prompts to upload your PFX file or select an existing App Service Certificate.
- Once the certificate is available, go to the Custom domains section.
- Find your custom domain and click Add binding.
- In the "TLS/SSL Certificate" dropdown, select the certificate you just added or created.
- Choose the SSL type (e.g., SNI SSL). SNI SSL is generally recommended.
- Click Add binding.
Certificate Management
Azure provides tools to manage your SSL certificates effectively.
- App Service Managed Certificates: Automatically renew and rebind certificates to your custom domains. Monitor their expiration dates within the TLS/SSL settings.
- App Service Certificates: Purchased through Azure, these offer longer validity periods and support for wildcard certificates. They also auto-renew.
- Uploaded Certificates: You are responsible for renewing and re-uploading these certificates before they expire. The Azure portal will notify you of upcoming expirations.
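For uploaded certificates, where renewal is your responsibility, an expiry check can run on a schedule independently of the portal. This added example (not part of the original page) reads the certificate a host serves and classifies it by days remaining and by whether it covers a given custom domain; the 30-day threshold and the constructed sample certificate fields are assumptions.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate a host serves, in ssl.getpeercert() form."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    # An already expired or mismatched certificate fails this handshake: alert on that too.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI names the custom domain
            return tls.getpeercert()

def days_left(cert, now=None):
    """Whole days until notAfter; negative if already expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def covers(cert, hostname):
    """True if a DNS subjectAltName matches hostname (one-label wildcard allowed)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        wildcard = pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]
        if pattern == host or wildcard:
            return True
    return False

def assess(cert, hostname, now=None, warn_days=30):
    """Classify a certificate as 'ok', 'renew-soon', 'expired' or 'wrong-host'."""
    if not covers(cert, hostname):
        return "wrong-host"
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired"
    return "renew-soon" if remaining < warn_days else "ok"

# Constructed sample in getpeercert() form, so the logic can be exercised offline.
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.yourcompany.com"), ("DNS", "*.yourcompany.com")),
}
```

In scheduled use, `assess(fetch_cert("www.yourcompany.com"), "www.yourcompany.com")` checks the live binding; note that the wildcard entry in the sample does not cover the root domain itself.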
Enforcing HTTPS
To ensure all traffic to your custom domain uses HTTPS, you can enforce it within App Service settings.
- Navigate to your App Service in the Azure portal.
- Under "Settings", select TLS/SSL settings.
- Under the Bindings tab, ensure your custom domain has an SSL binding configured.
- Toggle the HTTPS Only switch to On.
This setting automatically redirects all HTTP requests to HTTPS.
Troubleshooting Common Issues
- DNS Propagation Delays: If your custom domain isn't validating, wait longer for DNS changes to propagate globally. Use online DNS lookup tools to check the status.
- Incorrect DNS Records: Double-check that you have entered the A, CNAME, and TXT records precisely as provided by Azure. Typos are common.
- Certificate Binding Errors: Ensure the certificate is valid, not expired, and correctly associated with your custom domain. For uploaded PFX files, verify the password and that it includes the private key.
- Mixed Content Warnings: If your site loads with warnings, check your application's code for hardcoded HTTP links to resources (images, scripts, stylesheets). Update these to use HTTPS or relative paths.
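To locate the hardcoded HTTP resources behind mixed content warnings, rendered pages or templates can be scanned before and after enabling HTTPS Only. This added example (not part of the original page) reports each `http://` subresource with its line number and whether browsers treat it as active or passive content; the sample markup and its hostnames are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "link": ("href",),
}
# Scripts, stylesheets and frames over HTTP are blocked by browsers on an HTTPS page.
ACTIVE_TAGS = {"script", "iframe", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are checked; rel=canonical and similar are plain URLs.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for name in RESOURCE_ATTRS.get(tag, ()):
            url = (attrs.get(name) or "").strip()
            if url.lower().startswith("http://"):
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((self.getpos()[0], tag, url, kind))

def find_mixed_content(html):
    """Return every http:// subresource reference found in an HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.yourcompany.com/">
<script src="/js/app.js"></script>
</head><body>
<img src="HTTP://static.example.com/logo.png">
<a href="http://example.org/">partner</a>
<script src="https://cdn.example.com/lib.js"></script>
</body></html>"""
```

On the sample, `find_mixed_content(SAMPLE)` flags the stylesheet on line 2 and the image on line 6, and leaves the relative script path, the canonical link and the anchor alone.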