Custom Domain and HTTPS for Azure Web App

When you create an Azure Web App, you are given an Azure website URL, like mine, fanray.azurewebsites.net. In this post I will:

  • Use my custom domain fanray.com instead of fanray.azurewebsites.net
  • Buy an SSL certificate so my site URL can use HTTPS instead of HTTP

Custom Domain

To map a custom domain, the App Service you chose cannot be in the Free tier. In my last post, Set up Fanray on Azure App Service, I chose the Basic tier.

Start by finding your site's IP address. Go to Azure Portal > your App Service > Settings > Custom domains.

Custom domain

Mapping a custom domain basically requires you to create 3 DNS records at your domain registrar:

  • an A record, where A stands for Address; it deals with IP addresses, and there should be one that maps your root domain to your site IP
  • either another A record that maps all subdomains to your IP, or a CNAME record, where C stands for Canonical; a CNAME is an alias, often used to point the www subdomain to the root domain
  • a TXT record, commonly used for verification purposes; App Service uses this record only at configuration time, to verify that you own the custom domain

After all three records have been created at my registrar, my DNS looks like this:

DNS records

Go back to Azure Portal, Custom domains, click on Add hostname, enter and validate both fanray.com and www.fanray.com.

HTTPS

HTTPS is important not only because of security but also because Google uses HTTPS as a ranking signal.

Buy an SSL Certificate on Azure

You can buy an SSL certificate directly on Azure for $69.99/yr (Standard) or $299.99/yr (Wild Card). Both cover only a single domain: the Standard covers both the root domain and the www subdomain, while the Wild Card also covers other subdomains, say blog.mysite.com.

If you need a certificate that covers multiple domains, currently you have to buy it elsewhere; one option would be Digicert’s Multi-Domain (SAN) Certificates. Then you would need to manually upload the certificate to Azure.

Also be aware that if you buy the certificate on Azure and you are using a subscription, your purchase will be charged against your monthly credit. If your credit is less than the cost of the certificate, your subscription will be disabled.

To buy it on Azure, go to https://portal.azure.com/#create/Microsoft.SSL to get started.

Store Cert in Azure Key Vault

It takes a few minutes for the purchase to complete, then it will open the App Service Certificate blade for you. Go to Certificate Configuration and click on Step 1 to store this certificate in Key Vault. During this process, you can choose an existing Key Vault or create a new one. The Standard cost is $0.03/mo.

Certificate Configuration

Verify Domain Ownership

Click on Step 2: Verify

If you bought your domain with Azure, you can simply click Verify; otherwise, you can verify through an email you receive. The email contains a link that takes you to GoDaddy and asks you to approve the certificate. Step 2 will take 5 to 10 minutes to complete on its own. After it completes, you will see steps 1 to 3 all check-marked.

Domain Access Approval

Import Certificate and Create Binding

Finally, assign the certificate to your app: go to App Service > SSL certificates and click on Import App Service Certificate.

Import App Service Certificate

After that add bindings to both root and subdomain, fanray.com and www.fanray.com.
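
Before or after binding, you can confirm that a certificate actually covers every hostname you bind. This is an added example, not code from the original post: it matches hostnames against a certificate's SAN entries using standard wildcard rules, and goes slightly beyond the two hostnames above to show what a Wild Card does and does not cover. The SAN lists are constructed samples (including the assumption that the Wild Card lists the root domain), and `name_matches`, `uncovered` and `fetch_sans` are names introduced here.

```python
import socket
import ssl

# Constructed SAN lists modelled on the two certificate types described above;
# they are assumptions, not values read from the real fanray.com certificate.
STANDARD_SANS = ["fanray.com", "www.fanray.com"]
WILDCARD_SANS = ["*.fanray.com", "fanray.com"]
BOUND_HOSTS = ["fanray.com", "www.fanray.com", "blog.fanray.com", "a.b.fanray.com"]


def name_matches(pattern, hostname):
    """Match one certificate dNSName entry against a hostname.

    A wildcard counts only as the whole left-most label and stands for exactly
    one label, so *.fanray.com matches neither fanray.com nor a.b.fanray.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(sans, hostnames):
    """Return the hostnames that no SAN entry covers."""
    return [h for h in hostnames if not any(name_matches(s, h) for s in sans)]


def fetch_sans(host, port=443, timeout=5.0):
    """Read the dNSName entries from the certificate a live site serves.

    The default context verifies the chain and hostname, so a certificate that
    does not cover `host` raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for label, sans in (("Standard", STANDARD_SANS), ("Wild Card", WILDCARD_SANS)):
        print(f"{label} certificate does not cover: {uncovered(sans, BOUND_HOSTS)}")
```

Against a live site, pass the result of `fetch_sans("your-hostname")` to `uncovered` together with the hostnames you have bound.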

SSL Bindings

Turn on HTTPS Only

Finally, go back to your App Service > Settings > Custom domains and turn on the HTTPS Only option. This will redirect all HTTP traffic to HTTPS.

Turn HTTPS Only to On

Summary

Thus far I have launched the site live and gotten my custom domain and HTTPS working. But there is an issue: the website can be accessed from both the root domain fanray.com and the www.fanray.com subdomain. For SEO purposes, I will want to set up Preferred Domain and URL Redirect.