Map an existing custom domain to Azure Spring Apps


Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

This article applies to: ✔️ Java ✔️ C#

This article applies to: ✔️ Standard ✔️ Enterprise

Domain Name Service (DNS) is a technique for storing network node names throughout a network. This article maps a domain, such as, using a CNAME record. It secures the custom domain with a certificate and shows how to enforce Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL).

Certificates encrypt web traffic. These TLS/SSL certificates can be stored in Azure Key Vault.


  • An Azure subscription. If you don't have a subscription, create a free account before you begin.
  • (Optional) Azure CLI version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: az extension add --name spring
  • An application deployed to Azure Spring Apps (see Quickstart: Launch an existing application in Azure Spring Apps using the Azure portal, or use an existing app). If your application is deployed using the Basic plan, be sure to upgrade to the Standard plan.
  • A domain name with access to the DNS registry for a domain provider, such as GoDaddy.
  • A private certificate (that is, your self-signed certificate) from a third-party provider. The certificate must match the domain.
  • A deployed instance of Azure Key Vault. For more information, see About Azure Key Vault.

The IP addresses for Azure Spring Apps management aren't yet part of the Azure Trusted Microsoft services. Therefore, to enable Azure Spring Apps to load certificates from a Key Vault protected with private endpoint connections, you must add the following IP addresses to Azure Key Vault firewall:


Import certificate

Prepare your certificate file in PFX (optional)

Azure Key Vault supports importing private certificate in PEM and PFX format. If the PEM file you obtained from your certificate provider doesn't work in the Save certificate in Key Vault section, follow the steps here to generate a PFX for Azure Key Vault.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this task, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example:

<your entire Base64 encoded SSL certificate>

<The entire Base64 encoded intermediate certificate 1>

<The entire Base64 encoded intermediate certificate 2>

<The entire Base64 encoded root certificate>

Export certificate to PFX

Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. Use this password when uploading your TLS/SSL certificate to Azure Key Vault later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate to your local machine, and then export the certificate to PFX.

Save certificate in Key Vault

The procedure to import a certificate requires the PEM or PFX encoded file to be on disk and you must have the private key.

Use the following steps to upload your certificate to key vault:

  1. Go to your key vault instance.

  2. In the navigation pane, select Certificates.

  3. On the upper menu, select Generate/import.

  4. On the Create a certificate page, select Import for Method of Certificate Creation, and then provide a value for Certificate Name.

  5. Under Upload Certificate File, navigate to certificate location and select it.

  6. Under Password, if you're uploading a password protected certificate file, provide that password here. Otherwise, leave it blank. Once the certificate file is successfully imported, key vault removes that password.

  7. Select Create.

    Screenshot of the Create a certificate pane.

Grant Azure Spring Apps access to your key vault

You need to grant Azure Spring Apps access to your key vault before you import the certificate.

use the following steps to grant access using the Azure portal:

  1. Go to your key vault instance.
  2. In the navigation pane, select Access policies.
  3. On the upper menu, select Create.
  4. Fill in the info, and select Add button, then Create access police.
Secret permission Certificate permission Select principal
Get, List Get, List Azure Spring Apps Domain-Management


If you don't find the "Azure Spring Apps Domain-Management", search for "Azure Spring Cloud Domain-Management".

Screenshot of the Azure portal showing the Add Access Policy page for a key vault with Get and List selected from Secret permissions and from Certificate permissions.

Screenshot of the Azure portal showing the Create Access Policy page for a key vault with Azure Spring Apps Domain-management selected from the Select a principal dropdown.

Import certificate to Azure Spring Apps

  1. Go to your Azure Spring Apps instance.

  2. From the navigation pane, select TLS/SSL settings.

  3. Select Import key vault certificate.

    Screenshot of the Azure portal showing the TLS/SSL settings page for an Azure Spring Apps instance, with the Import key vault certificate button highlighted.

  4. On the Select certificate from Azure page, select the Subscription, Key Vault, and Certificate from the drop-down options, and then choose Select.

    Screenshot of the Azure portal showing the Select certificate from Azure page.

  5. On the opened Set certificate name page, enter your certificate name, and then select Apply.

  6. When you have successfully imported your certificate, it displays in the list of Private Key Certificates.

    Screenshot of a private key certificate.


To secure a custom domain with this certificate, you still need to bind the certificate to a specific domain. Follow the steps in the Add SSL Binding section.

Add Custom Domain

You can use a CNAME record to map a custom DNS name to Azure Spring Apps.


The A record isn't supported.

Create the CNAME record

Go to your DNS provider and add a CNAME record to map your domain to the <service-name> Here, <service-name> is the name of your Azure Spring Apps instance. We support wildcard domain and sub domain. After you add the CNAME, the DNS records page resembles the following example:

Screenshot of a DNS records page.

Map your custom domain to Azure Spring Apps app

If you don't have an application in Azure Spring Apps, follow the instructions in Quickstart: Deploy your first application to Azure Spring Apps.

Go to application page.

  1. Select Custom Domain.

  2. Then Add Custom Domain.

    Screenshot of a custom domain page.

  3. Type the fully qualified domain name for which you added a CNAME record, such as Make sure that Hostname record type is set to CNAME (<service-name>

  4. Select Validate to enable the Add button.

  5. Select Add.

    Screenshot of the Add custom domain pane.

One app can have multiple domains, but one domain can only map to one app. When you successfully mapped your custom domain to the app, it displays on the custom domain table.

Screenshot of the custom domain table.


A Not Secure label for your custom domain means that it's not yet bound to an SSL certificate. Any HTTPS request from a browser to your custom domain receives an error or warning.

Add SSL binding

In the custom domain table, select Add ssl binding as shown in the previous figure.

  1. Select your Certificate or import it.

  2. Select Save.

    Screenshot of the SSL Binding pane.

After you successfully add SSL binding, the domain state is secure: Healthy.

Screenshot of an SSL binding.

Enforce HTTPS

By default, anyone can still access your app using HTTP, but you can redirect all HTTP requests to the HTTPS port.

In your app page, in the navigation, select Custom Domain. Then, set HTTPS Only to Yes.

Screenshot of an SSL binding with the Https Only option highlighted.

When the operation is complete, navigate to any of the HTTPS URLs that point to your app. Note that HTTP URLs don't work.

Next steps