Čitajte na engleskom Uređivanje

Dijeli putem

Custom domain names and bring your own certificates in Azure Container Apps

  • Članak
Select how you want to interact with Azure

Azure Container Apps allows you to bind one or more custom domains to a container app.

  • Every domain name must be associated with a TLS/SSL certificate. You can upload your own certificate or use a free managed certificate.
  • Certificates are applied to the container app environment and are bound to individual container apps. You must have role-based access to the environment to add certificates.
  • SNI (Server Name Identification) domain certificates are required.
  • Ingress must be enabled for the container app.

Napomena

If you configure a custom environment DNS (Domain Name System) suffix, you can't add a custom domain that contains this suffix to your Container App.

Add a custom domain and certificate

Važno

If you're using a new certificate, you must have an existing SNI domain certificate file available to upload to Azure.

  1. Navigate to your container app in the Azure portal

  2. Verify that your app has ingress enabled by selecting Ingress in the Settings section. If ingress isn't enabled, enable it with these steps:

    1. Set HTTP Ingress to Enabled.
    2. Select the desired Ingress traffic setting.
    3. Enter the Target port.
    4. Select Save.

  3. Under the Settings section, select Custom domains.

  4. Select the Add custom domain button.

  5. In the Add custom domain and certificate window, in TLS/SSL certificate, select Bring your own certificate.

  6. In domain, enter the domain you want to add.

  7. Select Add a certificate.

  8. In the Add certificate window, in Certificate name, enter a name for this certificate.

  9. In Certificate file section, browse for the certificate file you want to upload.

  10. Select Validate.

  11. Once validation succeeds, select Add.

  12. In the Add custom domain and certificate window, in Certificate, select the certificate you just added.

  13. Select the Hostname record type based on the type of your domain.

    Domain type Record type Notes
    Apex domain A record An apex domain is a domain at the root level of your domain. For example, if your DNS (Domain Name System) zone is contoso.com, then contoso.com is the apex domain.
    Subdomain CNAME A subdomain is a domain that is part of another domain. For example, if your DNS zone is contoso.com, then www.contoso.com is an example of a subdomain that can be configured in the zone.

  14. Using the DNS provider that is hosting your domain, create DNS records based on the Hostname record type you selected using the values shown in the Domain validation section. The records point the domain to your container app and verify that you own it. The setup depends on whether you're using custom domains with the private endpoint (preview) feature:

    • If you selected A record, create the following DNS records:

      Record type Host Value
      A @ The IP address of your Container Apps environment.
      TXT asuid The domain verification code.

    • If you selected CNAME, create the following DNS records:

      Record type Host Value
      CNAME The subdomain (for example, www) The generated domain of your container app.
      TXT asuid. followed by the subdomain (for example, asuid.www) The domain verification code.

  15. Select the Validate button.

  16. Once validation succeeds, select the Add button.

  17. Once the operation is complete, you see your domain name in the list of custom domains with a status of Secured. Navigate to your domain to verify that it's accessible.

Napomena

For container apps in internal Container Apps environments, extra configuration is required to use custom domains with VNET-scope ingress.

Container Apps supports apex domains and subdomains. Each domain type requires a different DNS record type and validation method.

Domain type Record type Validation method Notes
Apex domain A record HTTP An apex domain is a domain at the root level of your domain. For example, if your DNS zone is contoso.com, then contoso.com is the apex domain.
Subdomain CNAME CNAME A subdomain is a domain that is part of another domain. For example, if your DNS zone is contoso.com, then www.contoso.com is an example of a subdomain that can be configured in the zone.

  1. Log in to Azure with the Azure CLI.

    Azure CLI 
    az login

  2. Next, install the Azure Container Apps extension for the CLI.

    Azure CLI 
    az extension add --name containerapp --upgrade

  3. Set the following environment variables. Replace the <PLACEHOLDERS> with your values.

    Azure CLI 
    RESOURCE_GROUP = "<RESOURCE_GROUP>"
CONTAINER_APP = "<CONTAINER_APP>"
ENVIRONMENT = "<ENVIRONMENT>"
TARGET_PORT = "<TARGET_PORT>"
DOMAIN_NAME = "<DOMAIN_NAME>"
CERTIFICATE_LOWERCASE_NAME = "<CERTIFICATE_LOWERCASE_NAME>"
CERTIFICATE_LOCAL_PATH = "<CERTIFICATE_LOCAL_PATH>"
CERTIFICATE_PASSWORD = "<CERTIFICATE_PASSWORD>"
    • Replace <CERTIFICATE_LOCAL_PATH> with the local path of your certificate file.
    • Replace <CERTIFICATE_LOWERCASE_NAME> with a lowercase certificate name that is unique within the environment.
    • Replace <TARGET_PORT> with the port that your container app is listening on.

  4. Verify that your container app has HTTP ingress enabled.

    Azure CLI 
    az containerapp ingress show \
    -n $CONTAINER_APP \
    -g $RESOURCE_GROUP

    If ingress isn't enabled, enable it with these steps:

    Azure CLI 
    az containerapp ingress enable \
    -n $CONTAINER_APP \
    -g $RESOURCE_GROUP \
    --type external \
    --target-port $TARGET_PORT \
    --transport auto

  5. If you're configuring an apex domain, get the IP address of your Container Apps environment.

    Azure CLI 
    az containerapp env show \
    -n $ENVIRONMENT \
    -g $RESOURCE_GROUP \
    -o tsv \
    --query "properties.staticIp"

  6. If you're configuring a subdomain, get the automatically generated domain of your container app.

    Azure CLI 
    az containerapp show \
    -n $CONTAINER_APP \
    -g $RESOURCE_GROUP \
    -o tsv \
    --query "properties.configuration.ingress.fqdn"

  7. Get the domain verification code.

    Azure CLI 
    az containerapp show \
    -n $CONTAINER_APP \
    -g $RESOURCE_GROUP \
    -o tsv \
    --query "properties.customDomainVerificationId"

  8. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the Domain validation section. The records point the domain to your container app and verify that you own it. The setup depends on whether you're using custom domains with the private endpoint (preview) feature:

    • If you selected A record, create the following DNS records:

      Record type Host Value
      A @ The IP address of your Container Apps environment.
      TXT asuid The domain verification code.

    • If you selected CNAME, create the following DNS records:

      Record type Host Value
      CNAME The subdomain (for example, www) The generated domain of your container app.
      TXT asuid. followed by the subdomain (for example, asuid.www) The domain verification code.

  9. Upload the certificate to your environment.

    Azure CLI 
    az containerapp env certificate upload \
    -g $RESOURCE_GROUP \
    --name $ENVIRONMENT \
    --certificate-file $CERTIFICATE_LOCAL_PATH \
    --password $CERTIFICATE_PASSWORD \
    --certificate-name $CERTIFICATE_LOWERCASE_NAME

  10. Bind the certificate and domain to your container app.

    Azure CLI 
    az containerapp hostname bind \
    --hostname $DOMAIN_NAME \
    -g $RESOURCE_GROUP \
    -n $CONTAINER_APP \
    --environment $ENVIRONMENT \
    --certificate $CERTIFICATE_LOWERCASE_NAME \
    --validation-method <VALIDATION_METHOD>

    • If you're configuring an A record, replace <VALIDATION_METHOD> with HTTP.

    • If you're configuring a CNAME, replace <VALIDATION_METHOD> with CNAME.

    It might take several minutes to issue the certificate and add the domain to your container app.

  11. Once the operation is complete, navigate to your domain to verify that it's accessible.

Managing certificates

You can manage certificates via the Container Apps environment or through an individual container app.

Environment

The Certificates window of the Container Apps environment presents a table of all the certificates associated with the environment.

You can manage your certificates through the following actions:

Action Description
Add Select the Add certificate link to add a new certificate.
Delete Select the trash can icon to remove a certificate.
Renew The Health status field of the table indicates that a certificate is expiring soon within 60 days of the expiration date. To renew a certificate, select the Renew certificate link to upload a new certificate.

Container app

The Custom domains window of the container app presents a list of custom domains associated with the container app.

You can manage your certificates for an individual domain name by selecting the ellipsis (...) button, which opens the certificate binding window. From the following window, you can select a certificate to bind to the selected domain name.

Next steps

Authentication in Azure Container Apps