Azure App Services

Custom Domains and SSL Certificates

Introduction

Azure App Service provides a powerful platform for hosting web applications, APIs, and mobile backends. One of the key aspects of deploying a professional web application is using your own custom domain name and securing it with an SSL/TLS certificate. This ensures that your users can access your application via a friendly URL (e.g., www.yourcompany.com) and that communication between the user's browser and your app is encrypted.

This tutorial will guide you through the process of mapping a custom domain to your Azure App Service and binding an SSL certificate to it.

Prerequisites

  • An active Azure subscription.
  • An existing Azure App Service. If you don't have one, you can create it through the Azure portal.
  • A custom domain name registered with a domain registrar.
  • Access to your domain registrar's DNS management settings.

Step 1: Map Your Custom Domain to Azure App Service

Before you can bind an SSL certificate, you need to verify that you own the custom domain and map it to your App Service. This involves creating DNS records with your domain registrar.

1.1. Get Your App Service's IP Address or CNAME Target

Navigate to your App Service in the Azure portal. Under the "Settings" section, select "Custom domains". You will see information here that you need for your DNS records.

  • For a root domain (e.g., yourcompany.com): You'll need to create an A record pointing to your App Service's external IP address.
  • For a subdomain (e.g., www.yourcompany.com): You'll typically create a CNAME record pointing to your App Service's default hostname (e.g., yourappname.azurewebsites.net).

You can find the specific IP address and default hostname on the "Custom domains" blade of your App Service.

1.2. Create DNS Records with Your Registrar

Log in to your domain registrar's website and go to the DNS management section. Create the following records:

Important: DNS changes can take some time to propagate globally (up to 48 hours, though often much faster). You may not be able to proceed with the next steps immediately.

  • To map a root domain (yourcompany.com):
    • Type: A
    • Name/Host: @ (or leave blank, depending on your registrar)
    • Value/Points to: Your App Service's external IP address
    • TTL: 1 hour (or default)

    You also need a verification record:
    • Type: TXT
    • Name/Host: asuid
    • Value/Points to: Your App Service's default hostname (e.g., yourappname.azurewebsites.net)
    • TTL: 1 hour (or default)
  • To map a subdomain (www.yourcompany.com):
    • Type: CNAME
    • Name/Host: www
    • Value/Points to: Your App Service's default hostname (e.g., yourappname.azurewebsites.net)
    • TTL: 1 hour (or default)

    You also need a verification record:
    • Type: TXT
    • Name/Host: asuid.www
    • Value/Points to: Your App Service's default hostname (e.g., yourappname.azurewebsites.net)
    • TTL: 1 hour (or default)

1.3. Add Custom Domain in Azure Portal

Once you believe the DNS records have propagated, go back to your App Service in the Azure portal. On the "Custom domains" blade, click "Add custom domain".

Enter your custom domain name (e.g., www.yourcompany.com) and click "Validate". Azure will check for the DNS records. If successful, you'll see a green checkmark, and you can click "Add custom domain" to add it to your App Service.

Step 2: Secure Your Custom Domain with an SSL Certificate

To enable HTTPS for your custom domain, you need to bind an SSL certificate. Azure App Service offers several options for obtaining and binding one.

2.1. Create or Upload an SSL Certificate

You have a few choices for obtaining an SSL certificate:

  • App Service Managed Certificate (Free): This is the easiest option. Azure automatically provisions, manages, and renews a standard SSL certificate for your custom domain. It's suitable for most basic scenarios.
  • Import from Key Vault: If you have an existing certificate stored in Azure Key Vault, you can import it. This is useful for managing certificates centrally.
  • Upload a PFX certificate: If you purchased a certificate from a third-party Certificate Authority (CA), you can upload the certificate file in PFX format (which includes the private key). You'll need the PFX file and its password.

2.2. Add the SSL Binding

In the Azure portal, navigate to your App Service, then go to "Custom domains". You should see your custom domain listed. Next to it, there will be an "Add binding" or "Upload certificate" option.

Option A: Add App Service Managed Certificate (Recommended for simplicity)

1. On the "Custom domains" blade, click "Add binding" for your custom domain.

2. In the "Add TLS/SSL Binding" pane:

     • Custom Domain: Select your custom domain.
     • Certificate: Choose "Create App Service Managed Certificate".
     • TLS/SSL Type: Select "SNI SSL".

3. Click "Add binding". Azure will provision and bind the certificate automatically.

Option B: Upload a PFX Certificate

1. On the "Custom domains" blade, click "Upload Certificate".

2. In the "Upload Certificate" pane:

     • PFX Certificate File: Browse and select your .pfx file.
     • Certificate password: Enter the password for the PFX file.

3. Click "Upload".

4. Once uploaded, click "Add binding" for your custom domain.

     • Custom Domain: Select your custom domain.
     • Certificate: Choose the certificate you just uploaded from the dropdown.
     • TLS/SSL Type: Select "SNI SSL".

5. Click "Add binding".

Option C: Import from Key Vault

This process is similar to uploading a PFX certificate but involves selecting a certificate from your Azure Key Vault. Ensure your App Service has the necessary permissions to access the Key Vault.

2.3. Enforce HTTPS

After successfully binding your SSL certificate, it's a good practice to enforce HTTPS for all incoming requests. Navigate to your App Service, then go to "TLS/SSL settings" under "Settings".

Under "App Service configuration", set "HTTPS Only" to On. This will automatically redirect all HTTP traffic to HTTPS.

Tip: For production environments, consider using a wildcard certificate or a multi-domain certificate if you have multiple subdomains.

Step 3: Verify Your Configuration

Open your web browser and navigate to your custom domain using https:// (e.g., https://www.yourcompany.com).

Check for the padlock icon in the browser's address bar, which indicates a secure connection. Click on it to view certificate details and ensure it's valid and issued for your domain.
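
The Step 3 checks can also be scripted. The following is an added example, not part of the original tutorial: it audits a certificate in the form Python's ssl.getpeercert() returns (name coverage, including the wildcard case from the tip in 2.3, and validity dates) and tests whether a plain-HTTP response redirects to HTTPS as "HTTPS Only" should cause. The sample certificate, dates and the 30-day warning threshold are constructed assumptions; fetch_cert is the only function that touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """Certificate name match: '*' may only replace the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.example.com covers neither the apex nor a.b.example.com
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def audit_cert(cert, host, now, warn_days=30):
    """Return a list of problems for a certificate dict as produced by getpeercert()."""
    to_utc = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(san, host) for san in sans):
        problems.append(f"no SAN covers {host}")
    not_before, not_after = to_utc(cert["notBefore"]), to_utc(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    elif now > not_after:
        problems.append("expired")
    elif (not_after - now).days < warn_days:
        problems.append(f"expires in {(not_after - now).days} days")
    return problems

def redirects_to_https(status, location, host):
    """True if a plain-HTTP response redirects to the same host over HTTPS."""
    target = urlsplit(location or "")
    return 300 <= status < 400 and target.scheme == "https" and target.hostname == host.lower()

def fetch_cert(host, port=443, timeout=5):
    """Live check: handshake with SNI and full chain/hostname verification."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a wildcard certificate for the tutorial's placeholder domain.
SAMPLE_CERT = {"subjectAltName": (("DNS", "*.yourcompany.com"),),
               "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jul  1 00:00:00 2025 GMT"}

if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed "current" date
    for name in ("www.yourcompany.com", "yourcompany.com"):
        print(name, audit_cert(SAMPLE_CERT, name, now) or "OK")
```

Against a live site, pass the result of fetch_cert("www.yourcompany.com") and datetime.now(timezone.utc) to audit_cert; a failed handshake raises ssl.SSLCertVerificationError before any certificate is returned.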

Troubleshooting: If you encounter issues, double-check your DNS records for typos and ensure they have propagated. Verify the PFX password and certificate format if you uploaded one. Check the App Service logs for any specific errors.

Next Steps

You have now successfully mapped a custom domain to your Azure App Service and secured it with an SSL certificate. You can continue to develop and deploy your application with confidence, knowing that your users' data is protected.

Consider exploring other Azure App Service features such as:

  • Deployment Slots for staging environments
  • Auto-scaling to handle varying traffic loads
  • Integration with Azure DevOps or GitHub for CI/CD
  • Monitoring and diagnostics