Configure a custom domain for Azure Web PubSub Service
In addition to the default domain provided by the Azure Web PubSub Service, you can also add a custom domain. A custom domain is a domain name that you own and manage. You can use a custom domain to access your Azure Web PubSub Service resource. For example, you can use contoso.example.com instead of contoso.webpubsub.azure.com to access your Azure Web PubSub Service resource.
Prerequisites
- An Azure account with an active subscription. If you don't have an Azure account, you can create an account for free.
- An Azure Web PubSub service (must be Premium tier).
- An Azure Key Vault resource.
- A custom certificate matching custom domain that is stored in Azure Key Vault.
Add a custom certificate
Before you can add a custom domain, you need to add a matching custom certificate first. A custom certificate is a resource of your Azure Web PubSub Service. It references a certificate in your Azure Key Vault. For security and compliance reasons, Azure Web PubSub Service doesn't permanently store your certificate. Instead it fetches it from your Key Vault on the fly and keeps it in memory.
Step 1: Grant your Azure Web PubSub Service resource access to Key Vault
Azure Web PubSub Service uses Managed Identity to access your Key Vault. In order to authorize, it needs to be granted permissions.
In the Azure portal, go to your Azure Web PubSub Service resource.
In the menu pane, select Identity.
You can select System assigned or User assigned identity. If you want to use User assigned identity, you need to create one first.
To add a System assigned identity
- Select On.
- Select Yes to confirm.
- Select Save.
To add a User assigned identity;
- Select Add user assigned managed identity.
- Select an existing identity.
- Select Add.
Select Save.
Depending on how you configure your Key Vault permission model, you may need to grant permissions at different places.
If you're using Key Vault built-in access policy as Key Vault permission model:
Go to your Key Vault resource.
In the menu pane, select Access configuration.
Select Vault access policy.
Select Go to access policies.
Select Create.
Select Secret Get permission.
Select Certificate Get permission.
Select Next.
Search for the Azure Web PubSub Service resource name.
Select Next.
Select Next on the Application tab.
Select Create.
Step 2: Create a custom certificate
In the Azure portal, go to your Azure Web PubSub Service resource.
In the menu pane, select Custom domain.
In the Custom certificate section, select Add.
Fill in a name for the custom certificate.
Select Select from your Key Vault to choose a Key Vault certificate. After selection the following Key Vault Base URI, the Key Vault Secret Name will be automatically filled in. Alternatively you can also fill in these fields manually.
Optionally, you can specify a Key Vault Secret Version if you want to pin the certificate to a specific version.
Select Add.
Azure Web PubSub Service fetches the certificate and validates its contents. When it succeeds, the certificate's Provisioning State will be Succeeded.
Create a custom domain CNAME
To validate the ownership of your custom domain, you need to create a CNAME record for the custom domain and point it to the default domain of Azure Web PubSub Service.
For example, if your default domain is contoso.webpubsub.azure.com, and your custom domain is contoso.example.com, you need to create a CNAME record on example.com like:
contoso.example.com. 0 IN CNAME contoso.webpubsub.azure.com.
If you're using Azure DNS Zone, see manage DNS records to learn how to add a CNAME record.
If you're using other DNS providers, follow provider's guide to create a CNAME record.
Add a custom domain
A custom domain is another sub resource of your Azure Web PubSub Service. It contains all configurations for a custom domain.
In the Azure portal, go to your Azure Web PubSub Service resource.
In the menu pane, select Custom domain.
Under Custom domain, select Add.
Enter a name for the custom domain. It's the sub resource name.
Enter the domain name. It's the full domain name of your custom domain, for example,
contoso.com.Select a custom certificate that applies to this custom domain.
Select Add.
Verify a custom domain
You can now access your Azure Web PubSub Service endpoint via the custom domain. To verify it, you can access the health API.
Here's an example using cURL:
PS C:\> curl.exe -v https://contoso.example.com/api/health
...
> GET /api/health HTTP/1.1
> Host: contoso.example.com
< HTTP/1.1 200 OK
...
PS C:\>
The health API should return 200 status code without any certificate error.
Key Vault in private network
If you've configured a Private Endpoint to your Key Vault, Azure Web PubSub Service can't access the Key Vault via public network. You need to set up a shared private endpoint to let Azure Web PubSub Service access your Key Vault via private network.
After you create a shared private endpoint, you can create a custom certificate as usual. You don't have to change the domain in Key Vault URI. For example, if your Key Vault base URI is https://contoso.vault.azure.net, you still use this URI to configure custom certificate.
You don't have to explicitly allow Azure Web PubSub Service IPs in Key Vault firewall settings. For more info, see Key Vault private link diagnostics.
Certificate rotation
If you don't specify a secret version when creating custom certificate, Azure Web PubSub Service periodically checks latest version in Key Vault. When a new version is observed, it's automatically applied. The delay is usually within 1 hour.
Alternatively, you can also pin custom certificate to a specific secret version in Key Vault. When you need to apply a new certificate, you can edit the secret version and then update custom certificate proactively.
Next steps
Feedback
Submit and view feedback for