3

We have an app that allows customers to use their own custom domain to access their accounts on our app.

Currently, we are using the Azure App Services Custom Domain option & when a user shares their custom domain with us, we manually add it to the Azure Custom Domains list, pointing it to their unique account URL, i.e. projects.customerdomain.com (custom domain) to customer1.anywhereapp.io (their account in our product 'Anywhere').

This approach has been working well.

We are now exploring if we can use Azure Front Door to make our app more responsive worldwide & one of the problems we are stuck at is how do we configure the custom domains of our customers to their specific Anywhere accounts?

I've gone through the official Azure FD Custom Domain documentation & I understand it allows us to add the custom domain pointing to one backend; in our case, each custom domain also needs to point to a specific subdomain URL, i.e. customer1.anywhereapp.io

How do we achieve this?

Any guidance in the right direction is really appreciated.

Thanks ST

Supreet

3 Answers

3

Azure Front Door can forward the request Host header to the backend. So you can configure the custom domain both on Front Door and the App Service using DNS verification.

To do this, follow these steps:

  • Go to your App Service

  • Go to Custom Domains

  • Copy the Custom Domain Verification ID

  • Add a new DNS TXT record with the copied value: TXT asuid.projects.customerdomain.com. <verification id>

    App Service Custom Domain Verification ID (image)

  • Go to your Front Door profile

  • Set up the Custom Domain as per the instructions on MSDN

  • Configure the origin as follows:

    • Name: <any appropriate name>
    • Origin Type: App services
    • Host name: <yourappservice.azurewebsites.net>
    • Origin host header: <blank> <-- leaving this empty will forward the request host header to the backend
    • Certificate subject name validation: Enabled

Now when a request is made to Front Door this same request is passed onto your backend including the custom domain (projects.customerdomain.com). From the perspective of your app service, there's then no difference whether you use Front Door or not.

Jeremy Caney
Stan Janssen
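
With Origin host header left blank as described in the answer above, the App Service receives whatever Host value the client sent to Front Door, so the app itself has to map that value to a tenant and reject anything it has not onboarded. The sketch below is an added example, not code from the answer or from Azure; `TENANT_BY_HOST`, `normalize_host` and `resolve_tenant` are hypothetical names, and the table entries are constructed from the domains used in the question.

```python
import re

# Constructed onboarding table: verified custom domain -> tenant account host.
TENANT_BY_HOST = {
    "projects.customerdomain.com": "customer1.anywhereapp.io",
    "customer1.anywhereapp.io": "customer1.anywhereapp.io",
}

# Plain DNS host name: dot-separated labels, alphabetic TLD, at most 253 chars.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_host(raw):
    """Lower-case, drop an optional :port and one trailing dot; None if malformed."""
    if not isinstance(raw, str) or not raw.strip():
        return None
    host = raw.strip().lower()
    if host.startswith("["):          # IPv6 literal is never a tenant domain
        return None
    host, sep, port = host.partition(":")
    if sep and not port.isdigit():    # "host:" or "host:abc" is malformed
        return None
    if host.endswith("."):            # fully qualified form, e.g. "example.com."
        host = host[:-1]
    return host if _HOST_RE.match(host) else None


def resolve_tenant(headers):
    """headers: list of (name, value) pairs as received by the app.

    Returns the tenant account host, or None when the request should be
    rejected (missing, duplicated, malformed or unknown Host).
    """
    hosts = [value for name, value in headers if name.lower() == "host"]
    if len(hosts) != 1:
        return None
    host = normalize_host(hosts[0])
    return TENANT_BY_HOST.get(host) if host else None
```
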
1

We've been struggling with this same issue. While Jeremy's solution sounds perfect, we are struggling with figuring out how to make it work when we have multiple app services running an app on the same domain.

For example, we have an app running in 2 separate app services/app service plans. It is the same application code. Let's say the domain is my.website.com

AppServiceEast (say its Azure non-custom domain is appserviceeast.azurewebsites.net)

AppServiceWest (say its Azure non-custom domain is appservicewest.azurewebsites.net)

They both run the app.

We've set up the front door pools/rules/etc without problem. However, we are stuck with 1 of 2 problems:

  1. If we keep the origin host headers in place, anytime someone goes to my.website.com, their browser shows them ending up at appserviceeast.azurewebsites.net or appservicewest.azurewebsites.net

  2. If we take those out, it should just keep passing along my.website.com - but the problem with that is that I can only make ONE of those app services have its custom domain be my.website.com. If I try to make them both work on that domain, I get stuck at the point where I'm trying to create 2 TXT records with different values for the same domain.

It feels like this has to be a common thing to want to do - set up a web app in multiple regions on ONE domain, and have Front Door split traffic between them as we see fit. However, we run into roadblocks at every turn.

1

Did you ever get this to work?

Struggling with the same thing.

In order to use Azure Front Door certificates for the custom domain, the CNAME for the custom domain must point at the Azure Front Door endpoint hostname.

In order to use Azure App Service certificates for the custom domain, the CNAME for the custom domain must point at the Azure App Service hostname.

The only way I have found to do this is to create the CNAME for Azure App Services long enough to generate the certificate for the custom domain. Then move the CNAME to Azure Front Door to generate the certificate.

But it's not clear if both services will continue to rotate the certificates if only one of them has all of the required DNS records.

The Azure App Service is running a .NET app that is integrated using Easy Auth with Azure B2C. And if I didn't have both services using custom domains, the redirect_uri would be incorrect, in that it would reveal the Azure App Services hostname.