Secure a custom DNS name with a TLS/SSL binding in Azure App Service
This article shows you how to secure the custom domain in your App Service app or function app by creating a certificate binding. When you're finished, you can access your App Service app at the
https:// endpoint for your custom DNS name (for example,
Securing a custom domain with a certificate involves two steps:
- Add a private certificate to App Service that satisfies all the private certificate requirements.
- Create a TLS binding to the corresponding custom domain. This second step is covered by this article.
To follow this how-to guide:
- Create an App Service app
- Map a domain name to your app or buy and configure it in Azure
- Add a private certificate to your app
The easiest way to add a private certificate is to create a free App Service managed certificate with your custom domain.
Prepare your web app
To create custom TLS/SSL bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. To make sure that your web app is in the supported pricing tier, follow these steps:
Go to your web app
In the Azure portal search box, find and select App Services.
On the App Services page, select your web app's name.
You're now on your web app's management page.
Check the pricing tier
In the left menu for your web app, under the Settings section, select Scale up (App Service plan).
Make sure that your web app isn't in the F1 or D1 tier, which doesn't support custom TLS/SSL.
Your web app's current tier is highlighted by a dark blue box.
If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page, and skip the Scale up your App Service plan section.
Scale up your App Service plan
Select any non-free tier, such as B1, B2, B3, or any other tier in the Production category. For more options, select See additional options.
When you're done, select Apply.
When the following message appears, the scale operation has completed.
Secure a custom domain
Do the following steps:
In the Azure portal, from the left menu, select App Services > <app-name>.
From the left navigation of your app, start the TLS/SSL Binding dialog by:
- Selecting Custom domains > Add binding
- Selecting TLS/SSL settings > Add TLS/SSL binding
In Custom Domain, select the custom domain you want to add a binding for.
If your app already has a certificate for the selected custom domain, go to Create binding directly. Otherwise, keep going.
Add a certificate for custom domain
If your app has no certificate for the selected custom domain, then you have two options:
- Upload PFX Certificate - Follow the workflow at Upload a private certificate, then select this option here.
- Import App Service Certificate - Follow the workflow at Import an App Service certificate, then select this option here.
Use the following table to help you configure the TLS binding in the TLS/SSL Binding dialog, then click Add Binding.
|Custom domain||The domain name to add the TLS/SSL binding for.|
|Private Certificate Thumbprint||The certificate to bind.|
|TLS/SSL Type||- SNI SSL: Multiple SNI SSL bindings may be added. This option allows multiple TLS/SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (for more information, see Server Name Indication).
- IP SSL: Only one IP SSL binding may be added. This option allows only one TLS/SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in Remap records for IP SSL.
IP SSL is supported only in Standard tier or above.
Once the operation is complete, the custom domain's TLS/SSL state is changed to Secure.
A Secure state in the Custom domains means that it is secured with a certificate, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.
Remap records for IP SSL
If you don't use IP SSL in your app, skip to Test HTTPS for your custom domain.
There are two changes you need to make, potentially:
By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.
Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.
If you have an SNI SSL binding to
<app-name>.azurewebsites.net, remap any CNAME mapping to point to
sni.<app-name>.azurewebsites.netinstead (add the
In various browsers, browse to
https://<your.custom.domain> to verify that it serves up your app.
Your application code can inspect the protocol via the "x-appservice-proto" header. The header will have a value of
If your app gives you certificate validation errors, you're probably using a self-signed certificate.
If that's not the case, you may have left out intermediate certificates when you export your certificate to the PFX file.
Prevent IP changes
Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order:
- Upload the new certificate.
- Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
- Delete the old certificate.
In your app page, in the left navigation, select TLS/SSL settings. Then, in HTTPS Only, select On.
If selected HTTPS Only, Off It means anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port by selecting On.
When the operation is complete, navigate to any of the HTTP URLs that point to your app. For example:
Enforce TLS versions
In your app page, in the left navigation, select TLS/SSL settings. Then, in TLS version, select the minimum TLS version you want. This setting controls the inbound calls only.
When the operation is complete, your app rejects all connections with lower TLS versions.
Handle TLS termination
In App Service, TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the
Language specific configuration guides, such as the Linux Node.js configuration guide, shows you how to detect an HTTPS session in your application code.
Automate with scripts
$fqdn="<Replace with your custom domain name>" $pfxPath="<Replace with path to your .PFX file>" $pfxPassword="<Replace with your .PFX password>" $webappname="mywebapp$(Get-Random)" $location="West Europe" # Create a resource group. New-AzResourceGroup -Name $webappname -Location $location # Create an App Service plan in Free tier. New-AzAppServicePlan -Name $webappname -Location $location ` -ResourceGroupName $webappname -Tier Free # Create a web app. $webapp = New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname ` -ResourceGroupName $webappname Write-Host "Sign in to your domain provider's website and configure the following records:" Write-Host "A CNAME record that maps $fqdn to $webappname.azurewebsites.net" Write-Host "A TXT record that maps asuid.$fqdn to the domain verification ID $($webapp.CustomDomainVerificationId)" Read-Host "Press [Enter] key when ready ..." # Before continuing, go to your DNS configuration UI for your custom domain and follow the # instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the # hostname "www" and point it your web app's default domain name. # Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates) Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname ` -Tier Basic # Add a custom domain name to the web app. Set-AzWebApp -Name $webappname -ResourceGroupName $webappname ` -HostNames @($fqdn,"$webappname.azurewebsites.net") # Upload and bind the SSL certificate to the web app. New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn ` -CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled