Web App IP address for DNS A-record configuration changed without notice

MarkW 21 Reputation points

We noticed that the IP address of our WebApp's custom domain name in Europe West has changed after several years.

This morning our DNS had a different IP than the one listed in the Azure portal. This caused issues with our TLS certificate and it took us quite some time to figure out what was going on.

We weren't informed about this address change. This would have helped us a lot.

Did we miss anything? Is there some sort of mailing list we can subscribe to?

Regards from Germany,

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
5,595 questions
0 comments No comments
{count} votes

Accepted answer
  1. brtrach-MSFT 10,421 Reputation points Microsoft Employee

    @MarkW We apologize for the frustration you encountered with your inbound IP address changing for your web app.

    There have not been any official inbound IP address changes made to our knowledge and our internal alert system. Inbound IP change events are very rare (can only recall 1 in the last seven years) and are communicated many months in advance to customers via portal alerts, emails, and official Microsoft documentation.

    When customers state their inbound IP address has changed, this is normally due to them rotating their IP based SSL certificate improperly. If you delete your old IP SSL binding and then upload your new certificate/bind the new IP SSL certificate, this is improper. When you delete the IP SSL binding, it releases the IP address back into the pool of available addresses for other customers. Your resource can continue using the old IP address so you might not notice the mistake for 1-3 weeks until the IP address is assigned to another Azure service.

    The proper way to rotate certificates is to simply bind the new certificate with the old binding still in place. The Web App will automatically then apply the newer binding. Once this is complete, verify that your site is serving the newer thumbprint before deleting your old certificate.

    1. Upload the new certificate.
    2. Bind the new certificate to the same custom domain without deleting the existing (expiring) certificate. This action replaces the binding instead of removing the existing certificate binding. To do this, navigate to the TLS/SSL settings blade of your App Service and select the Add Binding button.
    3. Delete the existing certificate.

    This limitation is called out here.

    Lastly, we recommend that customers use a CNAME binding as a best practice over using an A-record. Unless you need to hard code IP addresses into your app, most customers do not need an A-record. A-records risk your sites high availability by taking them offline if a certificate/binding is rotated improperly or if there were to be an inbound IP address change in the future (rare) it would require action on your end. For more information on configuring your app via CNAME, please see here.

    Please let us know if you have any further questions or concerns.

0 additional answers

Sort by: Most helpful