I have an app service with front door setup on Azure and have added a custom domain to the front door.
To ensure the request url is recorded correctly on server, I have cleared the "Backend host header" property on the defaultPool on the front door.
This initially resulted in a 404 when using my custom domain, but adding the same domain to the app service fixed that issue.
Since I don't want to use my own certificates, the front door is using one generated by azure, and the custom domain on the app service does not have a certificate, resulting in the Custom domains page showing a warning.
Is this the correct way to setup an App service with a front door and a custom domain?
I'm not sure which backend host header you removed from the default pool, but I'm thinking that wasn't necessary. After adding your custom domain to AFD you can use an Azure managed certificate. I would simply go that route. But if you have any issues, comment down below.
Related
We have an app that allows customers to use their own custom domain to access their accounts on our app.
Currently, we are using the Azure App Services Custom Domain option & when a user shares their custom domain with us, we manually add it to the Azure Custom Domains list pointing it to their unique account URL. i.e. projects.customerdomain.com (custom domain) to customer1.anywhereapp.io (their account in our product 'Anywhere').
This approach has been working well.
We are now exploring if we can use Azure Front Door to make our app more responsive worldwide & one of the problems we are stuck at is how do we configure the custom domains of our customers to their specific Anywhere accounts?
I've gone through the official Azure FD Custom Domain documentation & I understand it allows us to add the custom domain pointing to one backend, in our case each custom domain also needs to point to a specific subdomain URL. i.e. customer1.anywhereapp.io
How do we achieve this?
Any guidance in the right direction is really appreciated.
Thanks
ST
Azure Front Door can forward the request Host header to the backend. So you can configure the custom domain both on Front Door and the App Service using DNS verification.
To do this, following the following steps:
Go to your App Service
Go to Custom Domains
Copy the Custom Domain Verification ID
Add a new DNS TXT record with the copied value: TXT asuid.projects.customerdomain.com. <verification id>
Go to your Front Door profile
Setup the Custom Domain as per the instructions on MSDN
Configure the origin as follows:
Name: <any appropriate name>
Origin Type: App services
Host name: <yourappservice.azurewebsites.net>
Origin host header: <blank> <-- leaving this empty will forward the request host header to the backend
Certificate subject name validation: Enabled
Now when a request is made to Front Door this same request is passed onto your backend including the custom domain (projects.customerdomain.com).
From the perspective of your app service, there's then no difference whether you use Front Door or not.
We've been struggling with this same issue. While Jeremy's solution sounds perfect, we are struggling with figuring out how to make it work when we have multiple app services running an app on the same domain.
For example, we have an app running in 2 separate app services/app service plans. It is the same application code. Let's say the domain is my.website.com
AppServiceEast (say its Azure non-custom domain is appserviceeast.azurewebsites.net)
AppServiceWest (say its Azure non-custom domain is appservicewest.azurewebsites.net)
They both run the app.
We've setup the front door pools/rules/etc without problem. However, we are stuck with 1 of 2 problems:
If we keep the origin host headers in place, anytime someone goes to my.website.com, their browser shows them ending up at appserviceeast.azurewebsites.net or appservicewest.azurewebsites.net
If we take those out, it should just keep passing along my.website.com - but the problem with that is that I can only make ONE of those app services have its custom domain be my.website.com. If I try to make them both work on that domain, I get stuck at the point where I'm trying to create 2 TXT records with different values for the same domain.
It feels like this has to be a common thing to want to do - setup a web app in multiple regions on ONE domain, and have Front Door split traffic between them as we see fit. However, we run into roadblocks at every turn.
I have my Web App with an application in .NET. The Web App is up and running. In the configuration of the Web App, I set the custom domain and upload the certificate for the SSL.
The Web App is working as I expected.
Now, I like to protect more the Web App in particular for applying OWASP recommendation. So, I created a new Application Gateway. In the Configuration I selected WAF v2, Web application firewall as in the following screenshot
In the Backend polls, I selected the existing Web app.
Now, I was looking for the Custom domain but there is no option for it.
I would remove Application Gateway and instead use Azure Front Door (AFD) in front of App Service. Then restrict access to AppService traffic to only come from Front Door.
This brings you a couple of benefits:
You don't need to worry about scaling up or down, which can be hassle with AppGW. AFD is totally per-per-use.
WAF integrates nicely with AFD
AFD has built-in managed SSL certificates for free. You don't need to worry about renewals etc. You would just connect your custom domain to Front Door instead of AppService
If you don't want to use the Microsoft-managed certificate, you can of course also bring your own
Being a global service (i.e. not bound to any single Azure region), it sets you up for global failover / distribution if you want to add this later
You can restrict access to your AppService to only come from your AFD instance
With the upcoming Front Door Premium, you could even hide your AppService behind private endpoints if Access Restrictions are not good enough for your
I have a Front Door instance working, with a custom domain setup and azure front door is managing the certificate for me. However, I was trying to add a second custom domain and every time I select CUSTOM DOMAIN HTTPS -> enable, then, select azure front door to manage my certificate and click save, after a few minutes I get this error:
Failed to update the custom https configuration for the frontend host ''. Error: Sorry, it looks like there was an error on our end. Please contact Support if you keep having this problem.
I have tried creating another Front door instance but the result is the same is not letting me add a certificate to the custom domain. I have tried using my own certificate and the result is the same.
The custom domain is being validated with a CNAME register the dns
Any thoughts?
I have an azure web app and its corresponding application gateway.
I have created a CNAME and pointed it to the DNS name of the app gateway.
Now when I access the site using the CNAME, it reaches the app gateway and redirects me to the web app(actual web app URL ...azurewebsites.net).
Is it possible that using the CNAME, I should be able to reach the web app i.e. on the address bar it should be displaying the same CNAME to reaching the web app(it should not redirect to the web app)
Thanks.
You could configure the custom domain like sub.example.com to the web app first, then you could add such custom domain in the hostnames of Azure web app service. Once the DNS propagation happens, the CNAME record of the custom domain in the DNS zone should be changed to map the FQDN of the Application gateway like xxx.cloudapp.net.
I test this using web app service without HTTPS redirection. HTTPS Only is off. Azure Application Gateway is also working for HTTP. If you want to use HTTPS for the web app, you need an SSL cert for the custom domain.
Tutorial: Map an existing custom DNS name to Azure App Service
Update
In this case, you properly set HTTPS only is on in the custom domains of Azure web app service. For me, I could still set "Pick up hostname from the backend pool" under the HTTP setting even I do not add the hostnames as my previous reply. The redirection actually is related to the "HTTPS only" under Custom Domain in Azure web app.
I got this issue fixed:
The redirection that was occurring was due to a setting "Pick up hostname from the backend pool" under HTTP setting of application gateway. Removing that setting, using the CNAME we were able to reach the web app but we were getting an error "Too_Many_redirects" and this was resolved once the "HTTPS only" is set to off on the web app under Custom Domain as this redirection was configured at the gateway level.
I have created one Web App on Azure and deployed that in two regions. now, using traffic manager I have used failover configuration. As I am having custom domain, I have used individual domains per web app.
So, each of my web app has 3 domains (I) ... azurewebsites.net (II) ... trafficmanager.net (III) .... mycustomdomain-region1.com
Same for second web app with 3 domains.
As I have correctly configured, my customdomain-region1.com is working without any SSL Certificate error.
But when I use TrafficManager.net based url it is giving me azurewebsites.net certificate error. Why it is check azurewebsites.net even though I am having custom domain and also the certificate is well configured in both the web app.
I have clicked "Continue to this website (not recommended). " and I got Error 404 - Web App not found page
Image attached here...
1) https://social.msdn.microsoft.com/Forums/getfile/685720
2) https://social.msdn.microsoft.com/Forums/getfile/685723
The SSL for *.azurewebsites.net is a shared SSL. If you want to use an SSL for your custom domain you will need to purchase and configure it separately. Info can be found here. https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
Note, being you are using multiple web apps in different regions. I would recommend purchasing a wildcard ssl for your domain (*.domain name) and setting up region.websitename.com region2.websitename.com
Let me know if this helps!