
I have an app service with a custom domain and an Azure managed certificate, which has worked fine for years. Recently I added a Front Door profile and of course added the same custom domain to that, with a certificate created by Azure Front Door.

In this process the DNS records for the domain were updated so that the A record is now an ALIAS to the AFD resource, and the CNAME for www points to the AFD endpoint.

However, recently Azure reported this error on the app service:

Auto-Renewal Failed... for Apex domain we must have the A record mapped to the webapp IP. For subdomain, we must have CNAME mapped to the webapp name.

This seems to imply that once Front Door is deployed, the web app itself can no longer have a custom domain. But there is advice from MS online that you should "Preserve the original HTTP host name between a reverse proxy and its back-end web application".

MS also states that

For HTTPS connections, Azure Front Door expects that your origin presents a certificate from a valid certificate authority (CA) with a subject name matching the origin hostname.

So I am confused about how to do this. (Maybe I have misunderstood.)

Can I have a custom domain with an Azure managed certificate on both AFD and the app service? If not, how do I meet the best practice on ensuring the original HTTP host name requested by the user also matches the app service host name?

  • You can’t use Azure-managed certificates on both App Service and Front Door for the same custom domain because DNS validation for the App Service cert fails once DNS points to Front Door. The best practice is to let Front Door handle the HTTPS termination with its managed cert and remove the cert binding from App Service, keeping the custom domain mapped only for routing and host header matching. Commented Apr 8 at 4:53
  • Hi @SureshChikkam, thanks so much - very helpful. So the app service should keep the custom domain, AFD should pass the host header from the request, but we must sacrifice a TLS connection between AFD and the app? Have I understood correctly? Commented Apr 8 at 8:09

1 Answer

Front Door should pass the original host header (example.com) when it forwards the request to the backend. The tricky part is TLS between Front Door and App Service.

  • You don’t have to give up TLS between Front Door and App Service, but you do need to make sure the certificate served by the App Service matches the host header that Front Door sends. Since Azure-managed certificates on App Service require DNS pointing directly to the app, and yours now points to Front Door, those certs won’t auto-renew anymore.

You have two ways to go about it.

Use the App Service's default domain:

  • You can set the backend host in Front Door to the app’s default hostname like yourapp.azurewebsites.net. That way, the TLS certificate that App Service provides (which is always valid for azurewebsites.net) will match the request, and Front Door will be happy.

In this case, you still preserve the original host header (example.com) so that your app behaves as if the request came in with that domain.

Example config:

"backend": {
  "address": "yourapp.azurewebsites.net",
  "hostHeader": "example.com",
  "protocol": "Https"
}

This avoids the need to manage certificates manually.

Use a custom certificate on App Service:

  • If you really need Front Door to connect to App Service using example.com as the hostname (both in the host header and the TLS SNI), then App Service must present a valid TLS certificate for example.com.

Since Azure-managed certs won’t work anymore in this case, you’d need to bring your own certificate (from Let’s Encrypt, DigiCert, etc.), upload it to App Service, and bind it to the custom domain.

This gives you full TLS all the way through, but now you’re responsible for renewing and managing that cert.
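The following is an added example, not code from the original answer or from Microsoft. It turns the rule the answer relies on into a check you can run: Front Door validates the origin's certificate against the origin host name it connects to (the "address", which is also the SNI it sends), not against the Host header it forwards, consistent with the Microsoft statement quoted in the question that the origin must present a certificate "with a subject name matching the origin hostname". The script evaluates both options from the answer against constructed SAN lists; yourapp.azurewebsites.net and example.com are placeholders, the SAN lists are constructed (the first approximates the wildcard certificate App Service serves for its default hostname), and fetch_dns_sans is the live variant for checking a real origin.

```python
"""
Offline check of Front Door's origin certificate name rule (added example).

Front Door checks the origin certificate against the origin address / SNI,
not the forwarded Host header. Names below are placeholders and the SAN
lists are constructed for the example.
"""
import socket
import ssl


def hostname_covered(host: str, san_names) -> bool:
    """Return True if any DNS SAN in san_names covers host.

    A wildcard "*.azurewebsites.net" matches exactly one label
    (yourapp.azurewebsites.net, but not a.b.azurewebsites.net).
    """
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".azurewebsites.net"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def origin_name_check(origin: dict, san_names) -> tuple[bool, str]:
    """Mimic Front Door's name check for one origin entry shaped like the
    answer's config ("address", "hostHeader", "protocol")."""
    if origin["protocol"].lower() != "https":
        return True, "plain HTTP to origin: no certificate check"
    address = origin["address"]
    if hostname_covered(address, san_names):
        return True, (f"certificate covers origin host {address} "
                      f"(Host header {origin['hostHeader']} is not checked)")
    return False, (f"certificate does not cover origin host {address}; bind a "
                   "certificate for it or point the origin at the app's default hostname")


def fetch_dns_sans(address: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Live variant: connect with SNI = address (as Front Door does) and return
    the DNS SANs the origin presents. The chain is still verified; only the
    hostname check is disabled so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed: approximates the wildcard certificate App Service serves for
# its default *.azurewebsites.net hostname.
APP_SERVICE_DEFAULT_SANS = ["*.azurewebsites.net", "*.scm.azurewebsites.net"]
# Constructed: a bring-your-own certificate bound to the custom domain.
BYO_CERT_SANS = ["example.com", "www.example.com"]

# Option 1 from the answer: origin address = default hostname, Host header preserved.
DEFAULT_DOMAIN_ORIGIN = {"address": "yourapp.azurewebsites.net",
                         "hostHeader": "example.com", "protocol": "Https"}
# Option 2: origin address = custom domain, so App Service must present a cert for it.
CUSTOM_DOMAIN_ORIGIN = {"address": "example.com",
                        "hostHeader": "example.com", "protocol": "Https"}

if __name__ == "__main__":
    cases = [
        ("default-domain origin / App Service default cert", DEFAULT_DOMAIN_ORIGIN, APP_SERVICE_DEFAULT_SANS),
        ("custom-domain origin / App Service default cert", CUSTOM_DOMAIN_ORIGIN, APP_SERVICE_DEFAULT_SANS),
        ("custom-domain origin / BYO cert", CUSTOM_DOMAIN_ORIGIN, BYO_CERT_SANS),
    ]
    for label, origin, sans in cases:
        ok, why = origin_name_check(origin, sans)
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {why}")
```

To check a real origin rather than the constructed lists, pass `fetch_dns_sans(origin["address"])` as the SAN list; the SNI it sends is the origin address, so for option 1 you will see the *.azurewebsites.net wildcard and for option 2 you will see whatever certificate is actually bound to the custom domain on the App Service.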


2 Comments

Thank you @suresh, I think you are right and I found a similar issue discussed here: stackoverflow.com/a/72880573/47346 which came to the same conclusion. I will try altering our Front Door origin config as you suggest.
It turns out it is not enough to remove the certificate bindings from the app service. You also have to actually delete the certificates, otherwise Azure still attempts to renew them and this blocks app service slot swap.
