How can I add a custom domain to a storage static website endpoint given that we want the CNAME record to point to CloudFlare

McLean, James (Manx Telecom) 6 Reputation points
2024-06-10T10:58:39.1066667+00:00

We have a storage static website with an endpoint set up in Azure. We have a custom domain that we would like to add to the endpoint. We can do this fine when we set up a CNAME record like foo.domain.com CNAME foodomaincom.azureedge.net; however, we would like to be able to direct traffic on our custom domain via CloudFlare first and then route it on to the Azure endpoint.

We have tried adding CNAMEs like cdnverify.foo.domain.com and asverify.foo.domain.com pointing to the endpoint hostname, but neither of those seems to help; it always results in "...Before you can associate a domain with this CDN endpoint, you need to create a CNAME record with your DNS provider for '[custom domain]' that points to '[azure endpoint hostname]'."

We could have our CNAME point to Azure, set up the custom domain and then change it to point to CloudFlare; however, the issue with this is that the Azure managed SSL certificate on the custom domain seems to fail to automatically renew annually, and we have CloudFlare SSL configured to Full (strict), meaning that the origin must have a valid certificate, enabling full end-to-end encryption.

Is there a way that we can keep our custom domain CNAME pointing to CloudFlare whilst having a different DNS record that Azure can use for validating our custom domain?

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
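The validation failure in the question comes down to which name the validator looks up and where its CNAME chain ends. The script below is an added example (not from the thread or from Microsoft) that walks CNAME chains over a constructed zone built from the thread's placeholder names: the public name proxied to Cloudflare, and the cdnverify subdomain in the form Azure's CDN documentation describes (cdnverify.<custom domain> pointing at cdnverify.<endpoint host>). Azure's own validator is not public, so the set of accepted cdnverify targets in `accepted_verify_targets()` is an assumption.

```python
"""Walk the CNAME chains behind a CDN custom-domain check.

Added example, not part of the original Q&A. ZONE is a constructed zone
using the thread's placeholder hostnames; nothing here performs live DNS.
"""
from typing import Dict, List, Set, Tuple

# Constructed zone: owner name -> CNAME target (only CNAMEs matter here).
ZONE: Dict[str, str] = {
    # Public name is proxied through Cloudflare, so its chain never
    # reaches the Azure endpoint host.
    "foo.domain.com": "foo.domain.com.cdn.cloudflare.net",
    # Verification record in the documented Azure CDN form.
    "cdnverify.foo.domain.com": "cdnverify.foodomaincom.azureedge.net",
    # From the thread; asverify is the App Service form, so a CDN
    # validator is not expected to consult it.
    "asverify.foo.domain.com": "foodomaincom.azureedge.net",
}


def resolve_cname_chain(zone: Dict[str, str], name: str, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from `name`; returns the chain, first and last name included.

    Raises ValueError on a loop or an over-long chain, both of which a real
    resolver would also refuse to follow indefinitely.
    """
    chain = [name.lower().rstrip(".")]
    seen: Set[str] = {chain[0]}
    while chain[-1] in zone:
        if len(chain) > max_hops:
            raise ValueError(f"CNAME chain for {name} exceeds {max_hops} hops")
        nxt = zone[chain[-1]].lower().rstrip(".")
        if nxt in seen:
            raise ValueError(f"CNAME loop involving {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def accepted_verify_targets(endpoint_host: str) -> Set[str]:
    """Targets a cdnverify record may point at. ASSUMPTION: only the
    documented cdnverify.<endpoint host> form is modelled here."""
    return {f"cdnverify.{endpoint_host}"}


def custom_domain_check(zone: Dict[str, str], custom_domain: str, endpoint_host: str) -> Tuple[bool, str]:
    """Emulate the two routes a CNAME-based validator can accept.

    1. <custom domain> chain ends at the endpoint host (the "direct" route,
       which breaks once the name is CNAMEd to Cloudflare instead), or
    2. cdnverify.<custom domain> chain ends at an accepted verify target.
    Returns (ok, explanation).
    """
    custom_domain = custom_domain.lower().rstrip(".")
    endpoint_host = endpoint_host.lower().rstrip(".")

    direct = resolve_cname_chain(zone, custom_domain)
    if direct[-1] == endpoint_host:
        return True, "direct: " + " -> ".join(direct)

    verify_name = f"cdnverify.{custom_domain}"
    verify = resolve_cname_chain(zone, verify_name)
    if len(verify) > 1 and verify[-1] in accepted_verify_targets(endpoint_host):
        return True, "cdnverify: " + " -> ".join(verify)

    verify_target = verify[-1] if len(verify) > 1 else "(no CNAME)"
    return False, (
        f"{custom_domain} resolves to {direct[-1]}, not {endpoint_host}; "
        f"{verify_name} resolves to {verify_target}"
    )


if __name__ == "__main__":
    ok, why = custom_domain_check(ZONE, "foo.domain.com", "foodomaincom.azureedge.net")
    print("PASS" if ok else "FAIL", why)
```

Running it against ZONE passes via the cdnverify route even though the public name points at Cloudflare; drop the cdnverify record and the explanation shows exactly the mismatch the portal error message describes.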

1 answer

  1. KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee
    2024-06-11T13:59:25.1533333+00:00

    @McLean, James (Manx Telecom) ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I am afraid I am not exactly sure what your current setup is, but I take it that

    • You are using an Azure Storage account integrated with Azure CDN and want Cloudflare to be in front of the CDN
      • So the traffic flow should become : Cloudflare ----> CDN ----> Storage Account
    • Please let me know if my observation is incorrect

    The methods "cdnverify.foo.domain.com" and "asverify.foo.domain.com",

    • Are used to add a custom domain to the CDN and App Service respectively
    • i.e., used by Azure services
    • These cannot be used by a 3rd party to validate the DNS.

    Now,

    • The reason you are getting a 4XX error is, I believe because of SNI
    • Of course Azure CDN would not be aware of the hostname "foobar.domain.com.cdn.cloudflare.net" and if a request arrives at CDN endpoint with the hostname, it will throw a 4XX error.
    • Same goes for "foobar.domain.com", unless you exclusively add the custom domain to the CDN, CDN will throw a 4XX error.

    As next steps,

    #1

    • I am not sure why you are using DNS for redirecting requests from your 3rd party to the CDN
    • Shouldn't you add "foobar.azureedge.net" as the backend (Origin) of your 3rd party service?
      • Again, I am not an expert with 3rd party services and their configuration, but DNS CNAMEs look like they provide redirection instead of a reverse proxy
    • For example, consider CDN and Storage Account
      • We do not map the CNAME of "foobar.azureedge.net" to "foobar.z22.web.core.windows.net"
      • Instead, we just add the "foobar.z22.web.core.windows.net" as the backend of the CDN
      • See : Create an Azure CDN profile and endpoint
      • Similarly, please check with your 3rd party on how to properly add a backend to the reverse proxy.

    #2

    • Once done, you should be able to access the CDN (and in turn storage account) by "foobar.domain.com.cdn.cloudflare.net"
    • Now, map the custom domain to the above 3rd party's endpoint
      • You can refer to their docs on how to do this

    Suggestions:

    • You should consider using only one reverse proxy
    • Either Azure CDN or the 3rd party service.
    • i.e., add the Storage Account as the backend of either Azure CDN or the 3rd party but not both
    • And configure custom domain in the reverse proxy

    Hope this clarifies.

    If my understanding of your set up is incorrect, please share a network diagram

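Two points in the answer are worth being able to check from the outside: the SNI hostname that reaches the origin decides which certificate (if any) it can serve, and Full (strict) mode stops working the moment the origin certificate lapses, which is the renewal failure the question describes. The script below is an added example (not from the thread or from Microsoft or Cloudflare). `probe_origin()` performs a live TLS handshake presenting a chosen SNI name, the way a strict-mode proxy would, and needs network access; `days_until_expiry()`, `hostnames_in_cert()` and `renewal_status()` operate on the dict shape that `ssl.getpeercert()` returns, so they can be exercised offline on the constructed `SAMPLE_CERT`. Hostnames are the thread's placeholders, and the 30-day renewal threshold is an assumed operational choice.

```python
"""Inspect the origin certificate a Full (strict) proxy must be able to verify.

Added example, not part of the original Q&A. SAMPLE_CERT is a constructed
dict in ssl.getpeercert() shape, not a real certificate.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional, Tuple

SECONDS_PER_DAY = 86400.0


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """Days left on a getpeercert()-shaped dict; negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / SECONDS_PER_DAY


def hostnames_in_cert(cert: Dict) -> List[str]:
    """DNS names the certificate is valid for (SANs first, then CN)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName" and v not in names:
                names.append(v)
    return names


def renewal_status(cert: Dict, now: Optional[float] = None, min_days: int = 30) -> str:
    """'expired', 'renew' (inside the warning window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < min_days:
        return "renew"
    return "ok"


def probe_origin(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> Tuple[float, List[str]]:
    """Handshake with `host` while presenting `sni` as the server name.

    create_default_context() verifies the chain against the system trust
    store and checks the certificate against `sni`, so an expired, untrusted
    or mismatched certificate raises ssl.SSLCertVerificationError, which is
    the same class of failure a strict-mode proxy would report. Returns
    (days until expiry, hostnames in the certificate) on success.
    Requires network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return days_until_expiry(cert), hostnames_in_cert(cert)


# Constructed sample in getpeercert() shape; dates are arbitrary.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "foo.domain.com"),),),
    "subjectAltName": (("DNS", "foo.domain.com"), ("DNS", "cdnverify.foo.domain.com")),
    "notBefore": "Jun 10 00:00:00 2024 GMT",
    "notAfter": "Jun 10 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    # Offline check on the constructed sample.
    print(hostnames_in_cert(SAMPLE_CERT), renewal_status(SAMPLE_CERT))
    # Live check (placeholders from the thread; replace before running).
    # print(probe_origin("foodomaincom.azureedge.net", "foo.domain.com"))
```

Scheduling `renewal_status()` against the real origin (via `probe_origin()`) gives warning before the strict-mode failure, and calling `probe_origin()` once with the endpoint's own hostname and once with the custom domain as SNI shows which names the origin actually has a certificate for.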