Rituparna Bhattacharya, to better assist you on this, what is your application framework?
Based on my understanding of your scenario description, you have already tried combinations of access restrictions and URL rewrite rules by modifying the web.config file to include a rewrite rule that blocks or redirects requests to the default domain, and also via Application Gateway: a rule to detect if the user has accessed the website using the Azure default domain and issue an HTTP 301 or 403. Kindly confirm if this is true.
Just to clarify, firstly, App Service supports HTTPS on the *.azurewebsites.net domain name, and the certificate is provided and owned by Azure. By default, http://yourdomain.azurewebsites.net works even with a custom domain added, and site admins aware of the URL can access it, but typically end users would not access this URL directly (unless explicitly shared).
-Kindly validate if you have a similar rule:
<conditions>
<add input="{HTTP_HOST}" pattern="^(domainA.azurewebsites.net|domainB.azurewebsites.net)$" />
</conditions>
This rule may not work for a website behind a proxy, firewall or Application Gateway because the original host value may not be passed on to the Web App service.
-You may consider implementing the approach to prevent search engines from indexing the Azure default domain; the key methods include configuring custom domains, using robots.txt files, and setting up appropriate DNS records. Please check out this article (by Anton Pham) for detailed steps.
Refer to a similar discussion thread answered by me.
Kindly let us know how it goes; I'll follow up with you further.
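
The condition quoted in the answer, placed in a complete IIS URL Rewrite rule that returns the HTTP 403 the answer mentions. This is an added example, not part of the original answer: `domainA` and `domainB` are the answer's placeholders, while the rule names, status text and `www.example.com` are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Reject any request whose Host header is the Azure default domain.
             Dots are escaped so "." matches only a literal dot. -->
        <rule name="BlockAzureDefaultDomain" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_HOST}"
                 pattern="^(domainA\.azurewebsites\.net|domainB\.azurewebsites\.net)$" />
          </conditions>
          <action type="CustomResponse"
                  statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Access through the default domain is disabled." />
        </rule>

        <!-- Alternative to the 403: swap the action above for a permanent (301)
             redirect to the custom domain (www.example.com is a placeholder):

             <action type="Redirect"
                     url="https://www.example.com/{R:0}"
                     redirectType="Permanent" />
        -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule evaluates the Host header exactly as it arrives at the web app, so when a gateway or proxy in front of the app sends a different host value, the condition is matched against that value rather than the one the client requested.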