Custom Domains and SSL Certificates

In this tutorial, you will learn how to configure custom domain names for your App Service and secure them using SSL/TLS certificates. This is a crucial step for providing a professional and secure experience to your users.

Why Use Custom Domains and SSL?

Prerequisites

Step 1: Map Your Custom Domain to App Service

Before you can bind a certificate, you need to prove ownership of your custom domain. This is done by creating DNS records.

Option A: Using CNAME Record (for subdomains like www)

Log in to your domain registrar's website and navigate to the DNS management section. Create a CNAME record that points your subdomain (e.g., www) to your App Service's default domain (e.g., your-app-service-name.azurewebsites.net).

Type: CNAME
Host/Name: www
Points to/Value: your-app-service-name.azurewebsites.net

Option B: Using A Record (for root domains like yourcompany.com)

For root domains, you'll need to map them to the IP address of your App Service. First, find the IP address of your App Service in the Azure portal (under the "Custom domains" section). Then, create an A record.

Type: A
Host/Name: @ (or leave blank for root domain)
Points to/Value: YOUR_APP_SERVICE_IP_ADDRESS

With either option, you'll also need to create a TXT record to verify domain ownership:

Type: TXT
Host/Name: asuid.www (or asuid for root domain)
Value: YOUR_CUSTOM_DOMAIN_VERIFICATION_ID (found in Azure portal)

After creating the DNS records, allow some time for them to propagate across the internet. You can then go to your App Service in the Azure portal, navigate to "Custom domains," and click "Validate" to check if the domain is recognized.
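The following is an added example, not part of the original tutorial or any Azure tooling: an offline pre-flight check that compares the records entered at the registrar with the set Step 1 requires for a subdomain (Option A) or root domain (Option B), including the asuid TXT record. The function names, the sample zone, the IP address and the verification ID are constructed placeholders.

```python
# Added example: offline pre-flight check of the Step 1 DNS records.
# Hostnames, the IP address and the verification ID are constructed placeholders.

def norm(value, lower=True):
    """Strip whitespace, TXT quotes and a trailing dot; lowercase DNS names."""
    value = value.strip().strip('"').rstrip(".")
    return value.lower() if lower else value

def expected_records(hostname, zone, app_domain, app_ip, verification_id):
    """Return the (type, host, value) records Step 1 asks for."""
    hostname, zone = norm(hostname), norm(zone)
    if hostname == zone:  # Option B: root domain
        return [("A", "@", app_ip), ("TXT", "asuid", verification_id)]
    if not hostname.endswith("." + zone):
        raise ValueError(f"{hostname} is not inside zone {zone}")
    label = hostname[: -len(zone) - 1]  # "www" for www.yourcompany.com
    return [("CNAME", label, app_domain),  # Option A: subdomain
            ("TXT", "asuid." + label, verification_id)]

def check_zone(records, hostname, zone, app_domain, app_ip, verification_id):
    """Compare registrar records with the expected set; return problems found."""
    have = {}
    for rtype, host, value in records:
        rtype = rtype.upper()
        host = norm(host) or "@"  # a blank host means the root domain
        have.setdefault((rtype, host), set()).add(norm(value, rtype != "TXT"))
    problems = []
    for rtype, host, value in expected_records(
            hostname, zone, app_domain, app_ip, verification_id):
        want = norm(value, rtype != "TXT")
        found = have.get((rtype, host))
        if not found:
            problems.append(f"missing {rtype} record for '{host}'")
        elif want not in found:
            problems.append(f"{rtype} '{host}' is {sorted(found)}, expected {want}")
    return problems

SAMPLE_ZONE = [  # constructed registrar export
    ("CNAME", "www", "your-app-service-name.azurewebsites.net."),
    ("TXT", "asuid.www", '"CONSTRUCTED-VERIFICATION-ID"'),
    ("A", "", "203.0.113.10"),  # root A record, but no asuid TXT beside it
]
APP = ("your-app-service-name.azurewebsites.net", "203.0.113.10",
       "CONSTRUCTED-VERIFICATION-ID")

if __name__ == "__main__":
    for name in ("www.yourcompany.com", "yourcompany.com"):
        print(name, check_zone(SAMPLE_ZONE, name, "yourcompany.com", *APP) or "OK")
```

An empty result means the record set for that hostname is complete; the sample zone passes for www but reports the missing asuid TXT record for the root domain.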

Step 2: Upload or Purchase an SSL Certificate

You have two main options for obtaining an SSL certificate:

Uploading a Certificate

  1. In the Azure portal, go to your App Service.
  2. Navigate to "TLS/SSL settings."
  3. Under the "Private Key Certificates (.pfx)" tab, click "Upload Certificate."
  4. Provide the PFX file path, password, and a friendly name for the certificate.

Getting an App Service Managed Certificate

  1. In the Azure portal, go to your App Service.
  2. Navigate to "TLS/SSL settings."
  3. Under the "Private Key Certificates (.pfx)" tab, click "Create App Service Managed Certificate."
  4. Select your custom domain from the dropdown.
  5. Click "Create." Azure will provision and renew the certificate automatically.

Step 3: Bind the SSL Certificate to Your Custom Domain

Once your custom domain is validated and your SSL certificate is available, you need to bind them together.

  1. In the Azure portal, go to your App Service and navigate to "Custom domains."
  2. Find your custom domain in the list and click "Add binding."
  3. In the "Add TLS/SSL Binding" pane:
    • Select your custom domain.
    • Choose your uploaded or managed SSL certificate from the "Certificate (PFX)" dropdown.
    • Select the "TLS/SSL Type." For most cases, "SNI SSL" is recommended and supported by all App Service plans. "IP SSL" is an older option that assigns a dedicated IP address.
  4. Click "Add Binding."

Step 4: Enforce HTTPS

To ensure all traffic to your custom domain is secured, enforce HTTPS.

  1. In the Azure portal, go to your App Service.
  2. Navigate to "TLS/SSL settings."
  3. Under the "HTTPS Only" section, toggle the switch to "On."

Tip: After enforcing HTTPS, it's a good practice to update any links in your application or marketing materials to use https:// instead of http://.

Important: DNS propagation can take up to 48 hours, although it's usually much faster. If you encounter issues, wait a bit longer and try validating again. Ensure your DNS records are correctly configured.

Troubleshooting

If your custom domain or SSL binding is not working, consider the following: