Azure Front Door: Deploy custom domain

This Azure CLI script example deploys a custom domain name and TLS certificate on an Azure Front Door front-end. This script demonstrates fully automated provisioning of Azure Front Door with a custom domain name (hosted by Azure DNS) and TLS cert.


This script requires that an Azure DNS public zone already exists for domain name. For a tutorial, see Host your domain in Azure DNS.

If you don't have an Azure subscription, create an Azure free account before you begin.


Sample script

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to

When Cloud Shell opens, verify that Bash is selected for your environment. Subsequent sessions will use Azure CLI in a Bash environment, Select Copy to copy the blocks of code, paste it into the Cloud Shell, and press Enter to run it.

Sign in to Azure

Cloud Shell is automatically authenticated under the initial account signed-in with. Use the following script to sign in using a different subscription, replacing <Subscription ID> with your Azure Subscription ID. If you don't have an Azure subscription, create an Azure free account before you begin.

subscription="<subscriptionId>" # add subscription here

az account set -s $subscription # ...or use 'az login'

For more information, see set active subscription or log in interactively

Getting started

The script will:

  1. Create a resource group
  2. Create a storage account to host a SPA
  3. Enable SPA hosting on storage account
  4. Upload a "Hello world!" index.html file
  5. Create a Front Door profile
  6. Create a DNS alias for the Apex that resolves to the Front Door
  7. Create a CNAME for the adverify hostname
  8. Create a Front Door front-end endpoint for the custom domain
  9. Add route from custom domain frontend to SPA origin
  10. Add a routing rule to redirect HTTP -> HTTPS
  11. Enable HTTPS with Front Door managed cert

Run the script

To run this script, copy the following code to a .sh file, change the hardcoded variables to your domain values, and then execute the following command to pass these variables into the script AZURE_DNS_ZONE_RESOURCE_GROUP=contoso-rg ./
# Deploy a Custom Domain name and TLS certificate at the apex (root) on an Azure Front Door front-end.

# Change these hardcoded values if required

let "randomIdentifier=$RANDOM*$RANDOM"

# Use resource group environment variable if set
if [ "$RESOURCE_GROUP" == '' ];  





if [ "$AZURE_DNS_ZONE_NAME" == '' ]; 
        echo -e "\033[33mAZURE_DNS_ZONE_NAME environment variable is not set. Front Door will be created but custom frontend will not be configured because custom domain name not provided. Try:\n\n AZURE_DNS_ZONE_RESOURCE_GROUP=contoso-dns-rg ./\n\nSee Readme for details.\033[0m"
        if [ "$AZURE_DNS_ZONE_RESOURCE_GROUP" == '' ]; 
                # write error text
                echo -e "\033[31mAZURE_DNS_ZONE_RESOURCE_GROUP environment variable is not set. Provide the resource group for the Azure DNS Zone. Try:\n\n AZURE_DNS_ZONE_RESOURCE_GROUP=contoso-dns-rg ./\n\nSee Readme for details.\033[0m"
                # write stderr and exit
                >&2 echo "AZURE_DNS_ZONE_RESOURCE_GROUP environment variable is not set."
                exit 1

# Resource group
az group create -n $resourceGroup -l $location --tags $tag

az storage account create -n $storage -g $resourceGroup -l $location --sku Standard_LRS --kind StorageV2

# Make Storage Account a SPA
az storage blob service-properties update --account-name $storage --static-website \
    --index-document 'index.html' --404-document 'index.html' 

# Upload index.html
az storage blob upload --account-name $storage -f ./index.html -c '$web' -n 'index.html' --content-type 'text/html'

# Get the URL to use as the origin URL on the Front Door backend
spaFQUrl=$( az storage account show -n $storage --query 'primaryEndpoints.web' -o tsv )

# Remove 'https://' and trailing '/'
spaUrl=${spaFQUrl/https:\/\//} ; spaUrl=${spaUrl/\//}

frontDoorId=$( az network front-door create -n $frontDoor -g $resourceGroup --tags $tag --accepted-protocols Http Https --backend-address $spaUrl --query 'id' -o tsv )

if [ "$AZURE_DNS_ZONE_NAME" != '' ]; 

    # Apex hostname on
    # Create an Alias DNS recordset
    az network dns record-set a create -n "@" -g $AZURE_DNS_ZONE_RESOURCE_GROUP --zone-name $AZURE_DNS_ZONE_NAME --target-resource $frontDoorId --ttl $ttl

    # Create the domain verify CNAME
    az network dns record-set cname set-record -g $AZURE_DNS_ZONE_RESOURCE_GROUP --zone-name $AZURE_DNS_ZONE_NAME --record-set-name "afdverify" --cname "afdverify.$" --ttl $ttl

    # Create a frontend for the custom domain
    az network front-door frontend-endpoint create --front-door-name $frontDoor --host-name $AZURE_DNS_ZONE_NAME \
        --name $frontDoorFrontEnd -g $resourceGroup --session-affinity-enabled 'Disabled'

    # Update the default routing rule to include the new frontend
    az network front-door routing-rule update --front-door-name $frontDoor -n 'DefaultRoutingRule' -g $resourceGroup \
        --caching 'Enabled' --accepted-protocols 'Https' \
        --frontend-endpoints 'DefaultFrontendEndpoint' $frontDoorFrontEnd

    # Create http redirect to https routing rule
    az network front-door routing-rule create -f $frontDoor -g $resourceGroup -n 'httpRedirect' \
        --frontend-endpoints $frontDoorFrontEnd --accepted-protocols 'Http' --route-type 'Redirect' \
        --patterns '/*' --redirect-protocol 'HttpsOnly'

    # Update the default routing rule to include the new frontend
    az network front-door routing-rule update --front-door-name $frontDoor -n 'DefaultRoutingRule' -g $resourceGroup \
        --caching 'Enabled' --frontend-endpoints 'DefaultFrontendEndpoint' $frontDoorFrontEnd

    # Enable HTTPS. This command will return quickly but provisioning can take up to an hour to complete
    az network front-door frontend-endpoint enable-https \
        --front-door-name $frontDoor -n $frontDoorFrontEnd -g $resourceGroup

Clean up resources

Use the following command to remove the resource group and all resources associated with it using the az group delete command - unless you have an ongoing need for these resources. Some of these resources may take a while to create, as well as to delete.

az group delete --name $resourceGroup

Sample reference

This script uses the following commands. Each command in the table links to command-specific documentation.

Command Description
az group create Creates a resource group in which all resources are stored..
az storage account create Creates an Azure Storage account in the specified resource group.
az storage blob service-properties update Update storage blob service properties.
az storage blob upload Sets system properties on the blob.
az storage account show Show storage account properties.
az network front-door create Create a Front Door.
az network dns record-set Manage DNS records and record sets.
az network front-door Manage Front Doors.

Next steps

For more information on Azure CLI, see Azure CLI documentation.