I have existing app service with subdomain app.example.com.
I want to have another subdomain called client.example.com which is also pointing to app.example.com
Is this possible in Azure DNS?
Yes you can create the above requirement as shown below image,
if you have already bought your domains configure DNS A and TXT records of both domains to point to your Azure web app.
NOTE:- Please ensure that the SSL certificate to be import for your custom domains includes your app service FQDN in SAN(Subject Alternative Names) section in the certificate for it to be shown as https secure.
Is this possible in Azure DNS?
Yes its possible ,Please refer this MS DOC to Delegate an Azure DNS subdomain
For more information please refer this MS Q&A discussion|Hosting multiple domains under one app service
Recently we have created a new CNAME entry for the internal react website which is deployed in Azure. It has been pointed to traffic manager since we are deploying in two regions. After the CNAME entry is create, the URL throws 404 error. We have already configured the entry access restriction to all internal users. Appreciate if anyone can help to identify the issue.
For the error, you could add the new CNAME subdomain to your app service---custom domains---add custom domain as the picture displaying steps 1-5. After you validate the subdomain and add the subdomain into the custom domains, you should access the subdomain URL via the traffic manager. Read this blog for more details.
In addition, only Web Apps at the Standard SKU or above are eligible for use with Traffic Manager. Attempts to add a Web App of a lower SKU fail. Read Azure web apps as the endpoints.
I have a web server on -premises and have configured the Azure Traffic Manager with external endpoint that points to the public IP address of the web server.
The web server's external DNS is www..com. As per the Microsoft Documentation i have added the traffic manager DNS Name : http://.trafficmanager.net as a CNAME record to www..com.The monitoring status on the Traffic Manager reports that the on-premises server endpoint is healthy.
The issue i am having is that now when i go to www..com, where it used to work correctly before it now reports:
"Account Suspended" and the following has been appended to the URL: /cgi-sys/suspendedpage.cgi.
Im not sure what the issue is here as it was working without the traffic manager but now it is not accessible.
Any guidance on why this is occurring would be greatly appreciated.
As the comment from #juunas, the Traffic Manager would not modify the URL, it uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints. Clients then connect to the service endpoint directly, not through Traffic Manager. Traffic Manager does not see HTTP traffic between client and server. Read here for more details.
If you see any HTTP error, it must be coming from your application. Not sure what the web app what you are using, and you may google that error for more references. Such as “This Account Has Been Suspended” – How to Fix Website Problem?
Hope this could help you.
I have created Windows Server VM in Azure and deployed my site to IIS, which is now accessible at https://mysite.westeurope.cloudapp.azure.com/
however I get certificate error when I try to visit it from outside the vm.
how do I configure the VM to have proper https without certificate errors (just like app service - mysite.azurewebsites.net)?
As the comments from micker #micker, you can't get an SSL certificate for this subdomain westeurope.cloudapp.azure.com which is owned by Microsoft.
Since you host your websites on Azure VM, you could purchase a domain then get an SSL certificate for your own domain, then bind the SSL certificate to your custom domain in IIS on the Azure VM. You can either purchase that certificate through Azure or an external provider or get a free SSL cert from Let's Encrypt.
However, if you just want to have a test in your test environment, you can use a self-signed certification with this DNS name like vma.centralus.cloudapp.azure.com. You can follow steps in How To Create A SHA-256 Self-Signed Certificate on the Azure VM then export this cert .cer format file on the Azure VM and import the .cer cert under the mmc---certificate---local machine---Trusted root certification Authorities on the machine where you want to access the websites. Please note this It's not recommended to use self-signed cert in your production environment.
I had same issue, and I found resolution without custom domain using following additional azure settings.
create Azure WAF, add custom rules to deny if not in IP list - this is if you need ip whitelisting, useful if your main domain uses akamai or other edge routing to point to external hosting of subdomains, you can use whitelist to restrict access to the akamai or other servers, though this takes some big lists you must paste of ranges one row at a time. Set any other web app firewall rules you want enforced for allow/deny.
Create Azure Front Door named like you want as an endpoint url e.g. myappfrontdoor will make myappfrontdoor.azurefd.net. in backend pool specify the your public-ip shared dns name (see step 3) like myapptest..cloudapp.azure.com.
This is the important step : in Settings at top of front door designer, disable cert validation. in routing rules config, no condition, forward to backend pool setup in prior step. This ignores the fact that you cannot cert your cloudapp.azure.com endpoint, and wraps it with a *.azurefd.net certificate.
In your azure firewall, Edit NAT rules, set rule name myapp-web-fd-... , tcp, ip address, 147.243.0.0/16 (this is Azure's front door backend ip range). destination should be the firewall's own public ip. destination port 443, translated address should be the target vm's azure internal ip, target port - service port.
Now you will have a site like myappfrontdoor.azurefd.net.
Note that Azure Front Door and WAF have their own pricing costs, so maybe it is cheaper for you to buy a domain. Hopefully you are also using Azure Firewall, though expensive. If not, one could point to public ip directly on NSG or on vm itself but I wouldn't skip having a firewall for a public server. There is a standing Azure enhancement request to get Azure Front Door to recognize certificates, but it was triaged 2 years ago and still not added, so not sure if it will be worked. If it ever does get worked, devs could make own cert auth and self-signed cert with expirations to more securely hook front door to azure internal vm. For now, have to rely on the front door backend setting, waf, and azure firewall to have these things routed.
There are some options in Akamai and other edge routing systems to import cert and self-created authority sort of, but I've not tried that yet, so cannot confirm this would cleanly wrap your azure site without cert errors. You can make a self-signed authority using openssl commands as noted in other posts out and about on the web.
The simplest and cheapest option is to purchase a domain and use a cname dns record to map your new domain to your Azure subdomain address - an "A" record is not required. Also per answer above, a WAF is expensive and possibly unnecessary for a test set up (but a requirement for a production website). You can use Certbot and NGINX to create a free Lets Encrypt certificate for your domain and assign it to your website.
Adding a Public IP Address, Load Balancer, and Network Security Group to your Azure Resource Group may also be required to provide access to your website. This is largely how my test configuration is set up except I'm using a Linux VM, have a single wildcard certificate, and use NGINX to reverse proxy 3 websites.
I'm working on azure project and came across Azure Traffic Manager. Could someone please help me few question below:
Is Traffic Manager same as load balancer?
Do we need to create Traffic Manager manually or created automatically on webrole deploy.
How do I configure Traffic Manager with new Azure Mgt. Portal?
What is the main purpose of Poll State, as it says offline but I can still access using trafic manager url.
When we get proper CNAME, should CNAME point to this Traffic manager or url provided on Cloud Service > Dashboard?
Thanks.
Is Traffic Manager same as load balancer?
It can be used for failover or load balancing, although only in a round robin way.
Have a look here.
https://azure.microsoft.com/en-us/documentation/articles/traffic-manager-overview/
Do we need to create Traffic Manager manually or created automatically on webrole deploy.
You need to create it manually.
How do I configure Traffic Manager with new Azure Mgt. Portal?
Currently I believe you can only do it in the old portal.
What is the main purpose of Poll State, as it says offline but I can still access using trafic manager url.
Again easier to read this.
https://azure.microsoft.com/en-us/documentation/articles/traffic-manager-overview/
When we get proper CNAME, should CNAME point to this Traffic manager or url provided on Cloud Service > Dashboard?
If you want to use traffic manager to manage the traffic you point your CName to the traffic manager url.