This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Hi,
I am a beginner using Azure. Have set up an App Service WordPress site with custom domain. Need to set up and try out Classic Front Door (add it and configure it) to integrate with this already running WordPress App Service so that I can add access restrict rules to prevent direct access to content on the backend. Possibly WAF also, although since Classic Front Door will double my monthly costs, and may not once added and configured achieve the needed result, may wait on adding WAF (which will triple monthly costs) until after checking first on Classic Front Door results.
Have found the location in my portal to add and begin to configure Classic Front Door but, as a beginner, I am not sure what to enter into the fields to integrate with my current App Service WordPress? Some ideas here, but still not sure: https://gunnarpeipman.com/wordpress-azure-front-door/
Hoping not to make a "mess" that then needs to be unraveled, canceled and redone. Or worse yet, corrupts the App Service WordPress site.
Wondered if at my Basic subscription level if there is a Microsoft/Azure tech support engineer to walk me through the addition, set-up and configuration with my WordPress App Service? This would be a big help.
Any help or suggestions much appreciated.
Thank you in advance.
Hello @Stephen Wartel !
These are correct steps for you :
https://blog.baeke.info/2019/11/29/front-door-with-wordpress-on-azure-app-service/
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
This blog entry looked very promising! Thank you.
Unfortunately, the link is to more of an outline than a sufficiently detailed solution. I am unable to figure out what frontend and backend URL (s) to enter in the Classic Front Door set-up boxes, how to re-verify my custom domain name (purchased within Azure and already in use for this App Service), specifically how to then set up a new DNS CNAME to verify, and more. I wrote an email to the blog's author for more details, but have not yet heard back.
So, I have re-opened the last support ticket in which the support engineer suggested adding Classic Front Door in the hope of getting more detailed help to add/integrate this service, get it configured, including access restriction rules for my App Service (WordPress). Have not yet heard back from a support engineer to help with the re-opened support case.
Hello @Stephen Wartel !
I will try my best to provide a step by step !
Let me find some time to do that !
Regards
Thank you for your kind and generous help. Please see my answer below for an update.
Thank you again for this kind and generous help.
After doing the cost estimates, I have decided to add Standard Front Door, since it may be more cost effective in the long run.
I am trying to set it up now, with some help, and am trying to sort some conflicts in the access rule to get the front door URL to redirect to my custom domain (for Azure App Service WordPress). So far, the only way to now access my App Service WordPress is by entering the frontdoor.mydomain.com. What I need to achieve is for the user to simply enter the mydomain.com and be able to get to the site. I have also noticed that, after getting to the site using the frontdoor.mydomain.com entry point, navigating within the WordPress site is not working. It appears that the site's pages except the front page are still pointing at the Azure original App Service URL (xxxxxxx.azurewebsites.net). A bit of a "mess" to sort out.
I am going to do some more reading, experimenting, see if I can track down any configuration problems with my setup and try to fix them. The goal is for the end user to use my custom domain's URL and get to the WordPress site, be able to navigate around, as needed, plus restrict access to the sites backend unless navigating through the frontend (and not by copy and pasting backend URL's directly into a browser address bar.
Thank you for the suggested references.
Practices for WordPress Azure.pdfHello @Stephen Wartel !
Here you are! Fresh out of @Jonathan Vella !
I think this contains the info you need!
Kindly let us know your thoughts !
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hello @Stephen Wartel !
Please have a look :,
Practices for WordPress Azure.pdf
Hello @Stephen Wartel !
Here you are! Fresh out of @Jonathan Vella !
I think this contains the info you need!
Kindly let us know your thoughts !
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
Hello @Stephen Wartel ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how to add/configure a Classic Azure Front Door in front of Azure App Service (WordPress) which is setup with a custom domain and add access restrict rules to prevent direct access to content on the backend by using WAF.
If you are using WordPress on App Service offering from Azure Marketplace, then it supports Azure Front Door Integration, but I believe it only provides 2 SKU choices of AFD : Standard and Premium.
https://learn.microsoft.com/en-us/azure/app-service/quickstart-wordpress
But since you mentioned you would like to use Classic Azure Front Door, you can manually create a Front Door and add the app service in it's backend.
You can follow the below doc or this blog for the configuration:
https://learn.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
Note: The above doc shows how to add 2 webapps but you can just one in the same way.
Azure recommends that you preserve the original HTTP host name when you use a reverse proxy in front of a web application. Having a different host name at the reverse proxy than the one that's provided to the back-end application server can lead to cookies or redirect URLs that don't work properly.
So, when you use an App service with custom domain behind the Azure Front Door, you can avoid overriding the host name by leaving the back-end host header blank in the back-end pool definition as below:
You can also add a custom domain to your Azure Front Door, if needed.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain
Now, coming to your requirement of restricting the application by using Azure Front Door and Azure Web Application Firewall (WAF), you can refer the below doc:
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-waf
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Still trying various options: no success. I wonder if there is a simpler way? I have a custom domain already set up (purchased through Azure) and being used with my App Service. I have now added it as a Front Door custom domain using an APEX DNS record, validated.
Already have set up an access restriction in Front Door-only allow access to the App Service (WordPress site) using Front Door.
Then an App Service Rule Engine rule?
Stuck writing the correct Rule Engine condition and action to get this working. Tried several options, no success. Maybe not configuring syntax correctly. Goal: re-write Front Door URL (or request URL) with custom domain URL (www.mycustomdomain.com). User enters www.mycustomdomain.com and hopefully gets to WordPress site. If user copies and directly enters CDN backend URL, goes to 403.
So far, when testing, cannot get Front Door custom domain (www.mycustomdomain.com) to navigate to WordPress site. Only frontdoor.mycustomdomain.com (set up when Front Door Standard was initially set up) navigates to WordPress site.
Not sure if this can work? How to do this correctly?
Would appreciate any help regarding this.
Much thanks.
Hello @Stephen Wartel ,
Could you please share the screenshot of the custom domain page on your Azure Front Door?
I'm assuming you used the below doc to configure the custom domain on your Azure Front Door:
If yes, did you check the below note?
When placing service like an Azure Web App behind Azure Front Door, you need to configure the web app with the same domain name as the root domain in Front Door. You also need to configure the backend host header with that domain name to prevent a redirect loop.
Is your webapp configured with the root domain as well?
Refer: https://learn.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain
To configure your webapp to block traffic that hasn't been sent through Front Door, you need to follow one of the approaches documented in the below article:
Specific to App service:
Regards,
Gita
Hi Gita,
Had reopened my recently closed support ticket, had then gotten some help from a support engineer to set up Front Door Standard. As I went back over the setup after reading your latest comment above, does not appear that what you recommended was actually done.
So, I went back over each relevant item in your comment and following your suggestions and the articles referenced, carefully followed these instructions, redid the configurations. Now have the original custom domain (changed to un-associated) and a new, correctly setup custom domain including as apex. See screenshot attached. When I tried after waiting about 30 minutes to navigate using the new apex custom domain, got: "Request cannot be served". So not yet working.
Second time, after waiting some more got 403, then a third time, was very slow loading and eventually I think would have again gotten to "Request cannot be served".
So not yet working.
I am not sure what else I can do. If you wish to use the current open support ticket to have a support engineer join, possibly this could help. I can send a PM if you need the support ticket number.
I think I must still be doing something wrong, but with your help provided in the above comment I hopefully have made progress. Still need some help to complete the fix and get the Front Door Standard working successfully in front of the App Service. Thank you.
Hello @Stephen Wartel , could you please provide the complete error message that you are receiving along with "Request cannot be served"?
Also, could you please confirm if your webapp is configured with the root/apex domain as well?
Refer: https://learn.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain
And what have you added in the backend/origin host header in the Origin/backend pool of your Azure Front Door?
Regards,
Gita
Hi Gita,
Decided for now to delete Front Door Standard, revert any settings to before installing it. I did check that the web app was configured with the root domain. It is. The "Request cannot be served" is no longer available to view, copy the error message and provide it to you (see below).
I have escalated the open support ticket with help from MS, and asking for a support engineer with expertise in Front Door to join the case, help walk me through a new Front Door Standard setup that integrates with my App Service (WordPress), then set up the access restriction (to the App Service's backend) needed. I am waiting for this now.
I had tried to fix the setup, following carefully your suggested resources above (double- and triple- checking each entry), but, as mentioned had been unable to get this to work. I deleted the Front Door for now since I need, while waiting for additional Front Door help, to again be able to access and edit content in my App Service WordPress site (my access was blocked past week by the incorrectly configured Front Door setup).
Please let me know if you need the support case for any input to it, and I will send it via PM.
Hello @Stephen Wartel , sure, please send an email with subject line "ATTN gishar | Azure App Service (WordPress): how to add/configure Classic Front Door" to AzCommunity[at]Microsoft[dot]com with the following details, I will follow-up with you.
Note: Do not share any PII data as a public comment.
We will post a summarized answer once the issue is resolved.
Apologies for not responding sooner, but even though I am following this thread, I don't receive notifications for newly added postings.
I have been working with a AFD support engineer after re-opening my support case. We have made progress, and will again connect (via Teams/screen sharing) 7/26/23. AFD Standard is set up and working with an Apex custom domain (mycustomdomain.com, purchased directly through Azure), but not set up with the Apex domain's "www" version, making user access difficult.
We are trying to add www.mycustomdomain.com to AFD (easier for users to navigate to), but so far have not been able to do this because that custom domain is already being used by and bound to my App Service.
Looks like I would need to unbind (?) or delete(?) the custom domain from my App Service, before being able to (hopefully) re-use it with AFD? Do not want to delete and lose this custom domain.
Support engineer is trying to find out from App Service support engineer if we can safely unbind/delete the custom domain from the App Service and still have it available to add as a custom domain to AFD.
Will update.
Best Wishes,
Thank you for the update, @Stephen Wartel .
Could you please share your ongoing support case number via email to us as requested above. So, that I can also track it from my end and see if I can share some additional inputs?
Regards,
Gita
Update:
With AFD Standard installed for the App Service (WordPress), was able to add the custom domain and subdomain (www) to AFD. However, since the custom domain and subdomain were already in use for the App Service, reusing/adding them to AFD required first to remove them from the App Service, re-do the DNS records. A problem arose in doing this that ended up breaking the site. Specifically, the host for the App Service's CDN backend was the www subdomain.
The support advice was to simply remove the subdomain and thereby the CDN to free up the www subdomain to be able to add it to AFD.
Once done, the website was able to correctly arrive by using the correct URL (custom domain or custom subdomain) but, for unexplained reasons all of the site's assets/resources remained connected to the azureedge.net CDN URL, and so would not load. For example, the WordPress page CSS and all plugins failed to load=site broken.
Was able to fix the site by reversing the processes: recreated the DNS records, CDN backend and deleted the AFD and WAF.
Not sure why, after the AFD installation, CDN backend deletion, re-using of the custom domain and custom subdomain, why the site's assets/resources remained pointed at a then non-existent CDN backend? (Had first unsuccessfully tried a URL redirect rule: if CDN URL, then redirect to AFD URL--no joy).
The WordPress install is from the Azure marketplace: the Microsoft developed version, which is automatically created as a new App Service once you agree to install it. I wonder if somehow when first automatically installed, with CDN selected, there is no easy way to remap the CDN URL (assets/resources) to a later-installed AFD URL?
I could reinstall AFD Standard and again re-use the custom domain and subdomain by first releasing these from the CDN, but if no solution can be developed to change the CDN URL from azureedge.net to the AFD's URL for all assets/resources, this will likely break the site again.
I suspect that an answer may be here (I have the W3 Total Cache plugin in use) and here but I am not sure how to use this information in my configuration?
Is there any way to do this?
Hello @Stephen Wartel ,
Since you mentioned “W3 Total Cache plugin in use” I believe CDN was enabled along with the WordPress site.
Looking at the backend of your subscription, I see a CDN endpoint, whose details I've shared with you over email.
Not sure if you created it manually or it was automatically created. Could you please confirm if it was created by you manually?
Also, I couldn’t find any Azure Front Door resource in your subscription. I believe you’ve deleted it.
If the mentioned CDN endpoint was enabled during WordPress installation and the custom domain was mapped to your WordPress site, then it could be an issue of dangling DNS entries as mentioned in the below doc:
Tutorial: Add a custom domain to your endpoint - Azure Content Delivery Network | Microsoft Learn
I would request you to use the Get-DanglingDNSRecords tool mentioned in the below doc and try to identify if there are any existing dangling DNS entries for your subscription:
If you find any, please remove them and then delete the custom domain and CDN endpoint (in case it was created automatically).
Post this, you can try adding an AFD manually.
Regards,
GIta
Having much difficulty getting AFD correctly configured, decided to try AFD Classic. I found it much easier to set up and correctly configure.
Added a single rule and was able, using AFD Classic, to achieve the needed access restriction.
Thank you for your kind help.
Thank you for the update, @Stephen Wartel .
Glad to hear that you were able to configure AFD Classic and achieve the needed access restriction.
I will contact you offline to understand why AFD Standard didn't work.
Regards,
Gita