This article shows you how to provide security for the custom domain in your App Service app or function app by creating a certificate binding. When you're finished, you can access your App Service app at the https:// endpoint for your custom DNS name (for example, https://www.contoso.com).
In the Azure portal:
From the left menu, select App Services > <app-name>.
From the left navigation of your app, select Custom domains.
Next to the custom domain, select Add binding.
If your app already has a certificate for the selected custom domain, you can select it in Certificate. If not, you must add a certificate using one of the selections in Source.
In TLS/SSL type, select either SNI SSL or IP based SSL.
When adding a new certificate, validate the new certificate by selecting Validate.
Select Add.
Once the operation is complete, the custom domain's TLS/SSL state is changed to Secured.
Note
A Secured state in Custom domains means that a certificate is providing security, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.
This step is needed only for IP-based SSL. For an SNI SSL binding, skip to Test HTTPS.
There are potentially two changes you need to make:
By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.
Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.
If you have an SNI SSL binding to <app-name>.azurewebsites.net, remap any CNAME mapping to point to sni.<app-name>.azurewebsites.net instead. (Add the sni prefix.)
Browse to https://<your.custom.domain> in various browsers to verify that your app appears.
Your application code can inspect the protocol via the x-appservice-proto header. The header has a value of http or https.
Note
If your app gives you certificate validation errors, you're probably using a self-signed certificate.
If that's not the case, you might have left out intermediate certificates when you exported your certificate to the PFX file.
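The checks that the Secured state does not perform, and that the notes above name as causes of browser errors, can be run against the certificate an endpoint serves. This is an added example, not code from the original page; auditCertificate and the two sample certificate objects are constructed for illustration.

```javascript
// Added example, not Microsoft's code. The sample certificates are constructed.
const tls = require('tls');

// cert has the shape returned by tlsSocket.getPeerCertificate() in Node.js.
function auditCertificate(hostname, cert, now = new Date()) {
  const findings = [];
  const notAfter = new Date(cert.valid_to);
  if (now < new Date(cert.valid_from)) findings.push('not-yet-valid');
  if (now > notAfter) findings.push('expired');
  // Issuer equal to subject: the usual sign of a self-signed certificate.
  if (JSON.stringify(cert.issuer) === JSON.stringify(cert.subject)) {
    findings.push('self-signed');
  }
  // Node's own hostname verifier returns an Error when no name matches.
  if (tls.checkServerIdentity(hostname, cert)) findings.push('hostname-mismatch');
  // Flag certificates that are still valid but due for renewal.
  const daysLeft = Math.floor((notAfter - now) / 86400000);
  if (daysLeft >= 0 && daysLeft < 30) findings.push('expires-within-30-days');
  return findings;
}

// Constructed sample: CA-issued certificate for the custom domain.
const sampleGood = {
  subject: { CN: 'www.contoso.com' },
  issuer: { C: 'US', O: 'Example CA', CN: 'Example Issuing CA' },
  subjectaltname: 'DNS:www.contoso.com, DNS:contoso.com',
  valid_from: 'Jan 10 00:00:00 2025 GMT',
  valid_to: 'Jan 10 00:00:00 2026 GMT',
};

// Constructed sample: expired self-signed certificate for another name.
const sampleSelfSigned = {
  subject: { CN: 'contoso.local' },
  issuer: { CN: 'contoso.local' },
  subjectaltname: 'DNS:contoso.local',
  valid_from: 'Jan 10 00:00:00 2023 GMT',
  valid_to: 'Jan 10 00:00:00 2024 GMT',
};
```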
Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps, in order:
By default, App Service forces a redirect from HTTP requests to HTTPS. To disable this behavior, see Configure general settings.
Your app allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. To enforce different TLS versions, see Configure general settings.
In App Service, TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted, inspect the X-Forwarded-Proto header.
Language-specific configuration guides, such as the Linux Node.js configuration guide, show how to detect an HTTPS session in your application code.
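One way a Node.js app could act on the x-appservice-proto and X-Forwarded-Proto headers described above, failing closed when they are missing or disagree. This is an added example, not code from the original page; CANONICAL_HOST, the function names and the request objects used to exercise it are assumptions.

```javascript
// Added example, not Microsoft's code. Header names come from the page;
// CANONICAL_HOST and the function names are assumptions.
const CANONICAL_HOST = 'www.contoso.com';

// True only when every protocol value passed along is "https".
// A missing header counts as not secure, so the check fails closed.
function isSecureRequest(headers) {
  const values = ['x-appservice-proto', 'x-forwarded-proto'] // Node lower-cases names
    .map((name) => headers[name])
    .filter((value) => typeof value === 'string')
    .flatMap((value) => value.split(','))
    .map((value) => value.trim().toLowerCase());
  return values.length > 0 && values.every((value) => value === 'https');
}

// Decide how to answer a request that arrived after TLS termination.
function httpsDecision(req) {
  if (isSecureRequest(req.headers)) return { action: 'serve' };
  if (req.method === 'GET' || req.method === 'HEAD') {
    // Fixed host and a path that must start with "/": the redirect target
    // never depends on the client-supplied Host header or a malformed URL.
    const path = req.url.startsWith('/') ? req.url : '/';
    return { action: 'redirect', status: 301, location: `https://${CANONICAL_HOST}${path}` };
  }
  // The body already crossed the network in clear text; do not process it.
  return { action: 'reject', status: 403 };
}

// Request listener for http.createServer().
function handler(req, res) {
  const decision = httpsDecision(req);
  if (decision.action === 'redirect') {
    res.writeHead(decision.status, { Location: decision.location });
    return res.end();
  }
  if (decision.action === 'reject') {
    res.writeHead(decision.status);
    return res.end('HTTPS required');
  }
  res.end('ok');
}
```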
Bind a custom TLS/SSL certificate to a web app
$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
    -ResourceGroupName $webappname -Tier Free

# Create a web app.
$webapp = New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
    -ResourceGroupName $webappname

Write-Host "Sign in to your domain provider's website and configure the following records:"
Write-Host "A CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Write-Host "A TXT record that maps asuid.$fqdn to the domain verification ID $($webapp.CustomDomainVerificationId)"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
    -Tier Basic

# Add a custom domain name to the web app.
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
    -HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
    -CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled