AppServices_DanglingDomain

Question

AppServices_DanglingDomain

Mike-E-angelo 631

I am getting this warning via Azure Defender and it's a good point. I currently have a subdomain dedicated to an Azure environment, one that is created on demand for testing. When I delete the environment (to save costs) the domain is still registered, and if someone sneaks a peak at the CNAME they could stand up their own Azure AppService and essentially hijack my subdomain. I am basically wanting to save costs by only having the subdomain available when I need it. Is there a way to keep the AppService name reserved for when I do not have it deployed? What is the best practice for my arrangement? If I was able to automate the DNS/CName that would be ideal, but my provider is not Azure -- it's iwantmyname and I am not aware of any automated/API I could use. I would greatly appreciate any suggestions/insight on how I should handle this.

0 comments

Answer accepted by question author

TP 156.8K Volunteer Moderator

Hi Mike,

How about scaling the app service plan to Free tier when you are not using it? Before you can scale it down you would need to remove features not available with Free. For example, say you have a custom domain with certificate binding. Before scaling down you need to delete the binding.

The other thing to note is Azure automatically reserves the name for a certain period of days after you delete the App Service, so if you only have it deleted for a short time there isn't much risk.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Mike-E-angelo 631 Reputation points

2024-01-14T12:18:25.2433333+00:00

Thank you very much for your valuable suggestions, TP! I am feeling bad here as I marked yours as the solution, but upon further research I found the answer (if I understand correctly) that works better for me. I'll still keep your answer here as a solution, but if you could confirm my understanding on my answer I would appreciate that as well. :)
TP 156.8K Reputation points Volunteer Moderator

2024-01-14T12:36:52.3666667+00:00

Your approach seems fine to me. Keep in mind that Azure reserves the name for days after deletion, so if there aren't large gaps between when you delete/recreate there shouldn't be any issues.

The precise duration that it is reserved for isn't documented. Based on one experience I had I would estimate 30 days. People have posted here days/weeks after deleting complaining they are unable to re-create using same name in different tenant (due to name still being reserved). There's no ability to "un-reserve" the name so you have to open support case. Even considering the fact that Azure reserves the name it is a good idea for you to take control and mitigate the risk yourself using technique that works for you.

1 additional answer

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Mike-E-angelo 631 Reputation points

2024-01-14T12:18:25.2433333+00:00

Thank you very much for your valuable suggestions, TP! I am feeling bad here as I marked yours as the solution, but upon further research I found the answer (if I understand correctly) that works better for me. I'll still keep your answer here as a solution, but if you could confirm my understanding on my answer I would appreciate that as well. :)
TP 156.8K Reputation points Volunteer Moderator

2024-01-14T12:36:52.3666667+00:00

Your approach seems fine to me. Keep in mind that Azure reserves the name for days after deletion, so if there aren't large gaps between when you delete/recreate there shouldn't be any issues.

The precise duration that it is reserved for isn't documented. Based on one experience I had I would estimate 30 days. People have posted here days/weeks after deleting complaining they are unable to re-create using same name in different tenant (due to name still being reserved). There's no ability to "un-reserve" the name so you have to open support case. Even considering the fact that Azure reserves the name it is a good idea for you to take control and mitigate the risk yourself using technique that works for you.

Answer 1

Mike-E-angelo 631

If I understand correctly, I can indeed host the records on Azure and point namespace servers on iwantmyname to Azure: https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns?source=recommendations Once this is done I can modify Bicep to remove the CNAME entries from the Azure-hosted DNS (that iwantmyname is pointing to after editing its configuration).

Mike-E-angelo 631 Reputation points

2024-01-27T13:35:40.7433333+00:00

Update: I did understand DNS delegation correctly and got that setup. However, Bicep cannot remove entries and this has to be done by PowerShell

Share via

AppServices_DanglingDomain

1 additional answer

Your answer