Associating a custom domain name and securing communication with Azure

What does this guide do?

Discusses the following topics:

  • How to associate a custom domain name, such as contoso.com, with your Azure Cloud Service or Web Apps in Azure App Service in order to provide a more recognizable domain name for your users.
  • How to associate your custom domain or Azure web app with the *.trafficmanager.net domain name if you enable traffic manager for your Azure web app.
  • How to secure communication (SSL) with your Azure web app or an application (SSL) in Azure Cloud Service.

Who is it for?

Users of third party domain name services who want to associate their domain names with Azure Cloud Service or Azure Web Apps, or users who want to make communication and application secure with their Azure Web Apps or Azure Cloud Service.

How does it work?

We’ll begin by asking which task you want to do. For custom domain association, we’ll let you choose the domain registrar and then proceed with detailed step-by-step instructions. For securing Azure communication, we’ll take you through a series of steps that are specific to your situation.

Estimated time of completion:

30-60 minutes.

Welcome to this guide

Prerequisite knowledge

This guide assumes that you have background knowledge of DNS records. It also assumes that if you are using Azure web apps, you have a basic understanding of Azure App Service plan (Free, Shared, Basic, Standard and Premium). If you have questions about any of these areas, click the "Go to the Prerequisite knowledge page" option at the end of the page.

What do you want to do?

Associate a custom domain name for an Azure web app

When you create a web app, Microsoft Azure provides a friendly subdomain on the azurewebsites.net domain so your users can access your Azure web app using a URL like http://<mywebapp>.azurewebsites.net. You can also associate a custom domain name purchased from your domain registrar, such as contoso.com, with your Azure web app in order to provide a more recognizable domain name for your users.

Note Custom domain names cannot be used with Free Azure web apps. You must configure your Azure App Service plan to use Shared, Basic, Standard, or Premium, which may change how much you are billed for your subscription. See App Service Pricing Details for more information. 

To learn how the association works for a custom domain name from a specific domain registrar, select your domain registrar to proceed.

Prerequisite knowledge

Understanding DNS records

About DNS records

The Domain Name System (DNS) is used to locate resources on the internet. For example, when you enter a web site address in your browser, or click a link on a web page, it uses DNS to translate the domain into an IP address. The IP address is sort of like a street address, but it's not very human friendly. For example, it is much easier to remember a DNS name like contoso.com than it is to remember an IP address such as 192.168.1.88 or 2001:0:4137:1f67:24a2:3888:9cce:fea3.

The DNS system is based on records. Records associate a specific name, such as contoso.com, with either an IP address or another DNS name. When an application, such as a web browser, looks up a name in DNS, it finds the record, and uses whatever it points to as the address. If the value it points to is an IP address, the browser will use that value. If it points to another DNS name, then the application has to do resolution again. Ultimately, all name resolution will end in an IP address.

When you create an Azure web app, a DNS name is automatically assigned to the web app. This name takes the form of <yourwebappname>.azurewebsites.net.

Information for Azure Web Apps

There is also a virtual IP address available for use when creating DNS records, so you can either create records that point to the .azurewebsites.net, or you can point to the IP address. 

Note The IP address of your Azure web app will change if you delete and recreate your Azure web app, or change the Azure App Service plan to free after it has been set to Basic, Shared, Standard, or Premium.

There are multiple types of records, each with its own functions and limitations, but for Azure web apps we only care about two: A and CNAME records.

Information for Azure Web Apps that use Traffic Manager

When you add your Azure web app as an Azure Traffic Manager endpoint, your web app is then accessible through the <yourtrafficmanagerprofile>.trafficmanager.net domain. 

Note When your Azure web app is configured as a Traffic Manager endpoint, you will use the .trafficmanager.net address when creating DNS records. You can only use CNAME records with Traffic Manager. 

There are multiple types of records, each with its own functions and limitations, but for Azure web apps configured as Traffic Manager endpoints, we only care about one: the CNAME record.

CNAME or Alias record

A CNAME record maps a specific DNS name, such as mail.contoso.com or www.contoso.com, to another (canonical) domain name.

Information for Azure Web Apps

In the case of Azure Web Apps, the canonical domain name is the <mywebapp>.azurewebsites.net domain name of your web app. Once created, the CNAME creates an alias for the <mywebapp>.azurewebsites.net domain name. The CNAME entry will resolve to the IP address of your <mywebapp>.azurewebsites.net domain name automatically.

Information for Azure Web Apps that use Traffic Manager

In the case of Azure web apps using Traffic Manager, the canonical domain name is the <mywebapp>.trafficmanager.net domain name of your Traffic Manager profile. Once created, the CNAME creates an alias for the <mywebapp>.trafficmanager.net domain name. The CNAME entry will resolve to the IP address of your <mywebapp>.trafficmanager.net domain name automatically. If the IP address of the web app changes, you do not have to take any action.

Once traffic arrives at Traffic Manager, it then routes the traffic to your web app, using the load balancing method it is configured for. This is completely transparent to visitors to your web app. They will only see the custom domain name in their browser. If the IP address of the web app changes, you do not have to take any action.

Information for Azure Cloud Services

In the case of Azure Cloud Services, the canonical domain name is the <myapp>.cloudapp.net domain name of your Azure hosted application. Once created, the CNAME creates an alias for the <myapp>.cloudapp.net. The CNAME entry will resolve to the IP address of your <myapp>.cloudapp.net service automatically, so if the IP address of the cloud service changes, you do not have to take any action.

Note Some domain registrars only allow you to map subdomains when using a CNAME record, such as www.contoso.com, and not root names, such as contoso.com. For more information on CNAME records, see the documentation provided by your registrar, the Wikipedia entry on CNAME record, or the IETF Domain Names - Implementation and Specification document. 

A record

Information for Azure Web Apps

An A record maps a domain, such as contoso.com or www.contoso.com, or a wildcard domain such as *.contoso.com, to an IP address. In the case of an Azure web app, this is either the virtual IP of the service or a specific IP address that you purchased for your web app.

The main benefits of an A record over a CNAME record are:

  • You can map a root domain such as contoso.com to an IP address; many registrars only allow this using A records.
  • You can have one entry that uses a wildcard, such as *.contoso.com, which would handle requests for multiple sub-domains such as mail.contoso.com, blogs.contoso.com, or www.contoso.com.

Note Since an A record is mapped to a static IP address, it cannot automatically resolve changes to the IP address of your Azure web app. An IP address for use with A records is provided when you configure custom domain name settings for your Azure web app; however, this value may change if you delete and recreate your Azure web app or change the Azure web app mode back to Free.

Information for Azure Cloud Services

An A record maps a domain, such as contoso.com or www.contoso.com, or a wildcard domain such as *.contoso.com, to an IP address. In the case of an Azure Cloud Service, this is the virtual IP of the service. So the main benefit of an A record over a CNAME record is that you can have one entry that uses a wildcard, such as *.contoso.com, which would handle requests for multiple sub-domains such as mail.contoso.com, login.contoso.com, or www.contoso.com.

Note Since an A record is mapped to a static IP address, it cannot automatically resolve changes to the IP address of your Cloud Service. The IP address used by your Cloud Service is allocated the first time you deploy to an empty slot (either production or staging.) If you delete the deployment for the slot, the IP address is released by Azure and any future deployments to the slot may be given a new IP address.

Conveniently, the IP address of a given deployment slot (production or staging) is persisted when swapping between staging and production deployments or performing an in-place upgrade of an existing deployment. For more information on performing these actions, see How to manage cloud services.

DNS specifics (For Azure Web Apps)

Information for Azure Web Apps

Using an A record with Azure Web Apps requires you to first create a CNAME record with one of the following configurations:

  • For the root domain or wildcard sub-domains - A DNS name of awverify to awverify.<yourwebappname>.azurewebsites.net.
  • For a specific sub-domain - A DNS name of awverify.<sub-domain> to awverify.<yourwebappname>.azurewebsites.net. For example, awverify.blogs if the A record is for blogs.contoso.com.

This CNAME record is used to verify that you own the domain you are attempting to use. This is in addition to creating an A record pointing to the virtual IP address of your Azure web app. You can find the IP address, as well as the awverify name and .azurewebsites.net names for your Azure web app, by performing the following steps:

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your web app, select Dashboard, and then select Custom domains and SSL on the Settings blade.

    Note
    You cannot use custom domain names with a Free Azure App Service plan, and must upgrade the plan to Shared, Basic, Standard, or Premium. For more information on the Azure Web Apps modes, including how to change the mode of your App Service Plan, see How to scale a web app in Azure App Service.
  3. In the MANAGE CUSTOM DOMAINS dialog, you will see the awverify information, the currently assigned .azurewebsites.net domain name, and the virtual IP address. Save this information, as it will be used when creating DNS records.
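
The record rules in this section (a CNAME must point at the exact .azurewebsites.net or .trafficmanager.net name, and an A record needs a matching awverify CNAME) can be checked against a zone export before you add the domain in the portal. The following Python script is an added example, not part of the original guide; the zone text, the app name mywebapp, the profile name myprofile and the IP address 203.0.113.10 are constructed placeholders.

```python
# Added example: names, IP address and zone text below are constructed.
SAMPLE_ZONE = """
contoso.com.           3600 IN A     203.0.113.10
awverify.contoso.com.  3600 IN CNAME awverify.mywebapp.azurewebsites.net.
www.contoso.com.       3600 IN CNAME mywebapp.azurwebsites.net.  ; misspelled target
blogs.contoso.com.     3600 IN A     203.0.113.10
"""


def parse_records(zone_text):
    """Parse 'name [ttl] IN TYPE value' lines (zone-file or dig answer style)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if i == 0 or len(fields) < i + 3:
            continue
        records.append((fields[0].lower().rstrip("."),
                        fields[i + 1].upper(),
                        fields[i + 2].lower().rstrip(".")))
    return records


def awverify_name(hostname, domain):
    """Name of the ownership-verification CNAME that must accompany an A record."""
    if hostname in (domain, "*." + domain):
        return "awverify." + domain      # root domain or wildcard sub-domains
    return "awverify." + hostname        # specific sub-domain, e.g. awverify.blogs


def check_hostname(records, hostname, domain, app_name, app_ip, tm_profile=None):
    """Return a list of problems for one custom hostname (empty list = ready)."""
    hostname, domain = hostname.lower(), domain.lower()
    app_target = f"{app_name}.azurewebsites.net"
    # With Traffic Manager, the CNAME must point at the profile's name instead.
    expected_cname = f"{tm_profile}.trafficmanager.net" if tm_profile else app_target

    by_key = {}
    for name, rtype, value in records:
        by_key.setdefault((name, rtype), []).append(value)
    cnames = by_key.get((hostname, "CNAME"), [])
    addrs = by_key.get((hostname, "A"), [])

    problems = []
    if not cnames and not addrs:
        problems.append(f"{hostname}: no A or CNAME record found")
    for target in cnames:
        if target != expected_cname:
            problems.append(
                f"{hostname}: CNAME points to {target}, expected {expected_cname}")
    if addrs and tm_profile:
        problems.append(
            f"{hostname}: Traffic Manager endpoints can only use CNAME records")
    elif addrs:
        for ip in addrs:
            if ip != app_ip:
                problems.append(
                    f"{hostname}: A record points to {ip}, expected {app_ip}")
        verify = awverify_name(hostname, domain)
        if "awverify." + app_target not in by_key.get((verify, "CNAME"), []):
            problems.append(
                f"{hostname}: missing CNAME {verify} -> awverify.{app_target}")
    return problems


if __name__ == "__main__":
    zone = parse_records(SAMPLE_ZONE)
    for host in ("contoso.com", "www.contoso.com", "blogs.contoso.com"):
        issues = check_hostname(zone, host, "contoso.com",
                                "mywebapp", "203.0.113.10")
        print(host, "OK" if not issues else issues)
```

Run it against the records you exported from your registrar; an empty problem list for a hostname means the records match what the MANAGE CUSTOM DOMAINS dialog will expect.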

Configure your Azure web app under a Basic, Shared, Standard, or Premium Azure App Service plan (For Azure Web Apps)

Information for Azure Web Apps

Setting a custom domain name on an Azure web app is only available for the Shared, Basic, Standard, and Premium App Service plans.

Information for Azure Web Apps that use Traffic Manager

Setting a custom domain name on an Azure web app that is load balanced by Traffic Manager is only available for the Standard and Premium Azure App Service plan.

Before switching an Azure App Service plan from Free to Shared, Basic, Standard or Premium, you must first remove spending caps in place for your Azure subscription.

For more information on the Azure App Service plan, including how to change the pricing tier, see How to scale a web app in Azure App Service.

Now you are familiar with the prerequisite knowledge, select what you want to do next:

Does your Azure web app use Traffic Manager?

When you use a Microsoft Azure Traffic Manager to load balance traffic to your Azure web app, that web app can then be accessed using the *.trafficmanager.net domain name assigned by Azure.

If you do not already have a Traffic Manager profile, create one by referring to the "Create Your ATM Profile" topic in article: Using Azure Traffic Manager with Azure Web Sites

Note the .trafficmanager.net domain name associated with your Traffic Manager profile, as this will be used by later steps in this guide.


Add a DNS record on GoDaddy for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by GoDaddy. Use the following steps to locate the DNS tools for GoDaddy.com:

  1. Log on to your account with GoDaddy.com, and select My Account and then Manage my domain. Finally, select the drop-down menu for the domain name that you wish to use with your Azure web app and select Manage DNS.
  2. From the Domain details page, scroll to the DNS Zone File tab. This is the section used for adding and modifying DNS records for your domain name.

    Select Add Record to add a new record.
    To edit an existing record, select the pen & paper icon beside the record.

    Note Before adding new records, note that GoDaddy has already created DNS records for popular sub-domains (called Host in editor,) such as email, files, mail, and others. If the name you wish to use already exists, modify the existing record instead of creating a new one.

  3. When adding a record, you must first select the record type.

    Next, you must provide the Host (the custom domain or sub-domain) and what it Points to.
    • When adding an A(host) record- you must set the Host field to either @ (this represents root domain name, such as contoso.com,) * (a wildcard for matching multiple sub-domains,) or the sub-domain you wish to use (for example, www.) You must set the Points to field to the IP address of your Azure web app.
      Note When using A (host) records, you must also add a CNAME record with the following configuration:
      • A Host value of awverify that Points to a value of awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.

    • When adding a CNAME (alias) record - you must set the Host field to the sub-domain you wish to use. For example, www. You must set the Points to field to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net.
  4. When you have finished adding or modifying records, click Finish to save changes.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on Network Solutions for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Network Solutions. Use the following steps to locate and use the DNS tools for networksolutions.com:

  1. Log on to your account at networksolutions.com, and select My Account in the upper right corner.
  2. From the My Products and Services tab, select Edit DNS.
  3. From the Manage section of the Domain Names page, select Edit Advanced DNS Records.
  4. The Update Advanced DNS page contains a section for each record type, with an Edit button below each section.
    • For A records, use the IP Address (A Records) section.
    • For CNAME records, use the Host Alias (CNAME Records) section.
  5. When you click the Edit button, you will be presented with a form that you can use to modify existing records, or add new ones.
    Note Before adding new entries, note that Network Solutions has already created some default DNS records for things like the root domain ('@') and a wildcard record ('*') for subdomains. If the record you wish to use already exists, please modify it instead of creating a new one.
    • When adding a CNAME record, you must set the Alias field to the sub-domain you wish to use. For example, www. You must select the circle field beside the Other host field, and set Other host to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net. Leave the Refers to Host Name as Select, as this field is not required when creating a CNAME record for use with an Azure web app.

      Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:

      • An Alias value of www with an Other host value of <yourwebappname>.azurewebsites.net.
      • An Alias value of awverify.www with an Other host value of awverify.<yourwebappname>.azurewebsites.net.
      This CNAME record is used by Azure to validate that you own the domain described by the A record.

    • When adding an A record, you must set the Host field to either @ (this represents root domain name, such as contoso.com,) * (a wildcard for matching multiple sub-domains,) or the sub-domain you wish to use (for example, www.) You must set the Numeric IP field to the IP address of your Azure web app.
  6. When you have finished adding or modifying records, click Continue to review the changes. Select Save changes only to save the changes.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on Register.com for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Register.com. Use the following steps to locate and use the DNS tools.

  1. Log on to your account at Register.com, and select Your Account in the upper right corner to view your domains, then select your custom domain name.
  2. Scroll down the page until you see the Advanced Technical Settings. The links in this section allow you to manage the records for your domain.
    • For A records, use the Edit IP Address Records link.
    • For CNAME records, use the Edit Domain Aliases Records link.
  3. When you click the Edit button, you will be presented with a form that you can use to modify existing records, or add new ones. The form is similar for both CNAME and A records.
    • When adding a CNAME record, you must set the .mydomainname.com field to the sub-domain you wish to use. For example, www. You must set the points to value to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net. Leave the Refers to Host Name as Select, as this field is not required when creating a CNAME record for use with an Azure web app.
    • Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:

      • An Alias value of www with an Other host value of <yourwebappname>.azurewebsites.net.
      • An Alias value of awverify.www with an Other host value of awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.

    • When adding an A record, you must set the .mydomainname.com field to the sub-domain you wish to use (for example, www.) Leave the field blank to set the root domain, or use * to create a wildcard mapping. You must set the points to field to the IP address of your Azure web app.
  4. When you have finished adding or modifying records, click Continue to review the changes. Select Continue again to save the changes.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on Enom for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by eNom. Use the following steps to locate the DNS tools for enom.com.

  1. Log on to your account with eNom, and select Domains and then My Domains. This will display your domain names.
  2. From the My Domains page, use the Manage Domain field to select Host Records. This will display the host records fields.
  3. The Host Records editor allows you to select the specific record type using the Record Type field. For Azure web apps, you should only use the CNAME (Alias) or A (Address) selection.

    Note Before adding entries to the zone file, note that eNom has already created DNS records for the root domain ('@') and a wildcard for sub-domains ('*'). If you wish to redirect the root domain to your Azure web app, or use a wildcard A record, you should modify these entries instead of creating new ones.

    • When adding a CNAME record, you must set the Host Name field to the sub-domain you wish to use. For example, www. You must set the Address field to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net.
    • Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:

      • An Alias value of www with an Other host value of <yourwebappname>.azurewebsites.net.
      • An Alias value of awverify.www with an Other host value of awverify.<yourwebappname>.azurewebsites.net.
      This CNAME record is used by Azure to validate that you own the domain described by the A record.

    • When adding an A record, you must set the Host Name field to either @ (this represents root domain name, such as contoso.com,) * (a wildcard for matching multiple sub-domains,) or the specific sub-domain you wish to use (for example, www.) You must set the Address field to the IP address of your Azure web app.

      Note When adding an A record, you must also add a CNAME record with a host of awverify, and a Points to of awverify.<yourwebsitename>.azurewebsites.net.

  4. When you have finished adding or modifying records, click Save to save the changes.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on Moniker for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Moniker. Use the following steps to locate the DNS tools for Moniker.com.

  1. Log on to your account with Moniker.com, and select My Domains, and then click Manage Templates.
  2. On the Zone Template Management page, select Create New Template.
  3. Fill in the Template Name.
  4. Then create a DNS record by first selecting the Record Type. Then fill in the Hostname and the Address.
    • When adding a CNAME record, you must set the Hostname field to the sub-domain you wish to use. For example, www. You must set the Address field to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net.
    • When adding an A record, you must set the Hostname field to either @ (this represents root domain name, such as contoso.com,) or the sub-domain you wish to use (for example, www.) You must set the Address field to the IP address of your Azure web app.
    • Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:

      • A Hostname value of www with an Address value of <yourwebappname>.azurewebsites.net.
      • A Hostname value of awverify.www with an Address value of awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.

  5. Click the Add button to add the entry.
  6. After all entries have been added, click the Save button.
  7. Select Domain Manager to go back to your list of Domains.
  8. Select the check-box of your target domain, and then click Manage Templates again.
  9. Locate the new template that you created in the previous steps. Then click the place selected domains (1) into this Template link.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on Dotster for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Dotster. Use the following steps to locate the DNS tools for Dotster.com.

  1. Log on to your account with Dotster.com. On the Domain menu, select DomainCentral.
  2. Select your domain to bring up a list of settings. Then select the Nameservers link.
  3. Select Use different name servers. In order to take advantage of the DNS services on Dotster, you must specify the following name servers: ns1.nameresolve.com, ns2.nameresolve.com, ns3.nameresolve.com, and ns4.nameresolve.com.

    Note It can take 24-48 hours for the name server change to take effect. The remaining steps in this article do not work until that time.

  4. In DomainCentral, select your domain, and then select DNS. In the Modify list, select the type of DNS record to add (CNAME Alias or A Record).
  5. Then specify the Host and Points To fields for the record. When complete click the Add button.
    • When adding a CNAME record, you must set the Host field to the sub-domain you wish to use. For example, www. You must set the Points To field to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net.
    • When adding an A record, you must set the Host field to either @ (this represents the root domain name, such as contoso.com) or the sub-domain you wish to use (for example, www). You must set the Points To field to the IP address of your Azure web app.
    • Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:

      • A Host value of www that Points To a value of <yourwebappname>.azurewebsites.net.
      • A Host value of awverify.www that Points To a value of awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.


Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on DomainDiscover for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by DomainDiscover. Use the following steps to locate the DNS tools for DomainDiscover.com.

  1. Log on to your account with DomainDiscover.com (TierraNet) by selecting Control Panel from the Login menu.
  2. On the Domain Services page, select the domain that you want to use for your Azure website.
  3. In the Domain settings, click the Edit button for DNS Service.
  4. In the Manage DNS window, select the type of DNS record to add in the Add Records list. Then click the Add button.
  5. On the following page, enter the DNS record values. Then click the Add button.
    • When adding a CNAME record, you must first select CNAME (Alias) on the Manage DNS page. Then set the Host field to the sub-domain you wish to use. For example, www. You must set the Alias Hostname field to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net. Then provide a Time-to-Live (TTL) value, such as 1800 seconds.
    • When adding an A record, you must first select A on the Manage DNS page. Then set the Host field to either @ (this represents the root domain name, such as contoso.com) or the sub-domain you wish to use (for example, www). You must set the IP Address field to the IP address of your Azure web app. Then provide a Time-to-Live (TTL) value, such as 1800 seconds.

      Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:

      • A Host value of www with an Alias Hostname value of <yourwebappname>.azurewebsites.net.
      • A Host value of awverify.www with an Alias Hostname value of awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.

  6. If you added an A record, you might get a warning that the existing A record for your domain is not inactive. It uses the most recently changed record, and DomainDirect already has a default A record for the root domain name. You can either rely on this precedence, or you can remove the default A record by selecting the DELETE button.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on Directnic for an Azure web app

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Directnic. Use the following steps to locate the DNS tools for Directnic.com.

  1. Log on to your account with Directnic.com, and select My Services and then Domains.
  2. Click the domain name that you wish to use with your Azure web app.
  3. On the management page for your domain, click the Manage button for DNS in the Services pane.
  4. Add DNS records by filling in the Type, Name, and Data fields. When complete, click the Add Record button.
    • When adding a CNAME record, you must set the Name field to the sub-domain you wish to use. For example, www. You must set the Data field to the .azurewebsites.net domain name of your Azure web app. For example, contoso.azurewebsites.net.
    • When adding an A record, you must set the Name field to either @ (this represents the root domain name, such as contoso.com) or the sub-domain you wish to use (for example, www). You must set the Data field to the IP address of your Azure web app.


      Note If you will be using an A record for the subdomain, you must also add a CNAME record with one of the following configurations:
      • A Name value of www with a Data value of <yourwebappname>.azurewebsites.net.
      • A Name value of awverify.www with a Data value of awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.

Next let's enable the custom domain name on your Azure web app.

Enable the domain name on your web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.
  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments.

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record on GoDaddy for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by GoDaddy. Use the following steps to locate the DNS tools for GoDaddy.com.

  1. Log on to your account with GoDaddy.com, and select My Account and then Manage your domains. Finally, select the domain name that you wish to use with your Azure web app.
  2. From the Domain details page, select the DNS Zone File tab. This is the section used for adding and modifying DNS records for your domain name. Select the Edit button to display the Zone File Editor.
  3. The Zone File Editor is broken out into sections for each record type, starting with A records (listed as A (Host)) as the very first section, followed by CNAME records (listed as CNAME (Alias)). To add a new entry, use the Quick Add button below the corresponding section. To edit an existing entry, select that entry and modify the existing information.

    Note Before adding entries to the zone file, note that GoDaddy has already created DNS records for popular sub-domains (called Host in the editor), such as email, files, mail, and others. If the name you wish to use already exists, modify the existing record instead of creating a new one.

    When adding a CNAME record, you must set the host field to the sub-domain you wish to use. For example, www. You must set the Points to field to the .trafficmanager.net domain name of the Traffic Manager profile used with your Azure web app. For example, contoso.trafficmanager.net.

    Note You must only use CNAME records when associating your custom domain name with an Azure web app that is load balanced using Traffic Manager.

  4. When you have finished adding or modifying records, click Save Zone File to save changes.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.
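The record rules in this guide (a CNAME to the .azurewebsites.net name, or an A record plus its awverify CNAME, and CNAME-only for Traffic Manager) can be checked against resolver output before you add the domain in the portal. The following Python code is an added example, not part of the original guide: `parse_dig_answer` and `check_hostname` are hypothetical names, the sample records are constructed in the `dig +noall +answer` line format, and the awverify.www rule is generalized to awverify.<hostname> for any sub-domain.

```python
"""Check DNS answers against the record rules this guide describes."""
from typing import List, NamedTuple, Tuple

# Constructed sample, shaped like `dig +noall +answer` output. The zone
# contoso.com, the app/profile name "contoso" and the IP are illustrative.
SAMPLE_DIG_OUTPUT = """\
; constructed answers, not real query results
www.contoso.com.            1800 IN CNAME contoso.azurewebsites.net.
shop.contoso.com.           1800 IN A     203.0.113.10
awverify.shop.contoso.com.  1800 IN CNAME awverify.contoso.azurewebsites.net.
blog.contoso.com.           1800 IN A     203.0.113.10
typo.contoso.com.           1800 IN CNAME contoso.azurwebsites.net.
app.contoso.com.            1800 IN CNAME contoso.trafficmanager.net.
"""


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    data: str


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_dig_answer(text: str) -> List[Record]:
    """Parse 'name ttl IN type rdata' lines; skip comments and malformed rows."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        name, ttl, rclass, rtype = fields[:4]
        if rclass.upper() != "IN" or not ttl.isdigit():
            continue
        data = " ".join(fields[4:])
        if rtype.upper() == "CNAME":
            data = normalize(data)
        records.append(Record(normalize(name), int(ttl), rtype.upper(), data))
    return records


def check_hostname(records: List[Record], hostname: str, target: str,
                   traffic_manager: bool = False) -> Tuple[bool, str]:
    """Return (ok, reason) for one custom hostname and its expected Azure target."""
    host, target = normalize(hostname), normalize(target)
    suffix = ".trafficmanager.net" if traffic_manager else ".azurewebsites.net"
    if not target.endswith(suffix):
        return False, f"expected target must be a {suffix} name"

    cnames = [r.data for r in records if r.name == host and r.rtype == "CNAME"]
    has_a = any(r.name == host and r.rtype == "A" for r in records)

    if cnames:
        if cnames[0] == target:
            return True, "CNAME points to the expected target"
        return False, f"CNAME points to {cnames[0]}, expected {target}"
    if has_a:
        if traffic_manager:
            return False, "A record found; Traffic Manager works only with CNAME"
        verify_name, verify_target = "awverify." + host, "awverify." + target
        for r in records:
            if (r.name, r.rtype, r.data) == (verify_name, "CNAME", verify_target):
                return True, "A record with matching awverify CNAME"
        return False, f"A record found but {verify_name} CNAME is missing"
    return False, "no A or CNAME record visible yet (not propagated?)"


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG_OUTPUT)
    cases = [
        ("www.contoso.com", "contoso.azurewebsites.net", False),
        ("shop.contoso.com", "contoso.azurewebsites.net", False),
        ("blog.contoso.com", "contoso.azurewebsites.net", False),
        ("typo.contoso.com", "contoso.azurewebsites.net", False),
        ("app.contoso.com", "contoso.trafficmanager.net", True),
    ]
    for host, target, tm in cases:
        ok, why = check_hostname(recs, host, target, tm)
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {why}")
```

To use it on a live zone, replace the sample text with the answers your resolver returns for each hostname and its awverify name.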

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on Network Solutions for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Network Solutions. Use the following steps to locate and use the DNS tools.

  1. Log on to your account at networksolutions.com, and select My Account in the upper right corner.
  2. From the My Products and Services tab, select Edit DNS.
  3. From the Manage section of the Domain Names page, select Edit Advanced DNS Records.
  4. The Update Advanced DNS page contains a section for each record type, with an Edit button below each section. For CNAME records, use the Host Alias (CNAME Records) section.
  5. When you click the Edit button, you will be presented with a form that you can use to modify existing records, or add new ones.
    When adding a CNAME record, you must set the Alias field to the sub-domain you wish to use. For example, www. You must select the circle field beside the Other host field, and set Other host to the .trafficmanager.net domain name of the Traffic Manager profile used with your Azure web app. For example, contoso.trafficmanager.net. Leave the Refers to Host Name as Select, as this field is not required when creating a CNAME record for use with an Azure web app.
  6. When you have finished adding or modifying records, click Continue to review the changes. Select Save changes only to save the changes.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on Register.com for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Register.com. Use the following steps to locate and use the DNS tools.

  1. Log on to your account at register.com and select Your Account in the upper right corner to view your domains, then select your custom domain name.
  2. Scroll down the page until you see the Advanced Technical Settings. The links in this section allow you to manage the records for your domain. For CNAME records, use the Edit Domain Aliases Records link.
  3. When you click the Edit button, you will be presented with a form that you can use to modify existing records, or add new ones. The form is similar for both CNAME and A records.
    • When adding a CNAME record, you must set the .mydomainname.com field to the sub-domain you wish to use. For example, www. You must set the points to value to the .trafficmanager.net domain name of the Traffic Manager profile you are using with your Azure web app. For example, contoso.trafficmanager.net. Leave the Refers to Host Name as Select, as this field is not required when creating a CNAME record for use with an Azure web app.
  4. When you have finished adding or modifying records, click Continue to review the changes. Select Continue again to save the changes.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on eNom for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by eNom. Use the following steps to locate the DNS tools for enom.com.

  1. Log on to your account with eNom, and select Domains and then My Domains. This will display your domain names.
  2. From the My Domains page, use the Manage Domain field to select Host Records. This will display the host records fields.
  3. The Host Records editor allows you to select the specific record type using the Record Type field. For Azure web apps that use Traffic Manager, you should only use the CNAME (Alias) selection, as Traffic Manager only works with CNAME records.

    When adding a CNAME record, you must set the Host Name field to the sub-domain you wish to use. For example, www. You must set the Address field to the .trafficmanager.net domain name of the Traffic Manager profile used with your Azure web app. For example, contoso.trafficmanager.net.

  4. When you have finished adding or modifying records, click Save to save the changes.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on Moniker for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Moniker. Use the following steps to locate the DNS tools for Moniker.com.

  1. Log on to your account with Moniker.com, and select My Domains, and then click Manage Templates.
  2. On the Zone Template Management page, select Create New Template.
  3. Fill in the Template Name.
  4. Then create a DNS record by first selecting the Record Type. Then fill in the Hostname and the Address.
    • When adding a CNAME record, you must set the Hostname field to the sub-domain you wish to use. For example, www. You must set the Address field to the .trafficmanager.net domain name of the Traffic Manager profile you are using with your Azure web app. For example, contoso.trafficmanager.net.
    • Note You must only use CNAME records when associating your custom domain name with an Azure web app that is load balanced using Traffic Manager.

  5. Click the Add button to add the entry.
  6. After all entries have been added, click the Save button.
  7. Select Domain Manager to go back to your list of Domains.
  8. Select the check-box of your target domain, and then click Manage Templates again.
  9. Locate the new template that you created in the previous steps. Then click the place selected domains (1) into this Template link.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on Dotster for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Dotster. Use the following steps to locate the DNS tools for Dotster.com.

  1. Log on to your account with Dotster.com. On the Domain menu, select DomainCentral.
  2. Select your domain to bring up a list of settings. Then select the Nameservers link.
  3. Select Use different name servers. In order to take advantage of the DNS services on Dotster, you must specify the following name servers: ns1.nameresolve.com, ns2.nameresolve.com, ns3.nameresolve.com, and ns4.nameresolve.com.

    Note It can take 24-48 hours for the name server change to take effect. The remaining steps in this article do not work until that time.
  4. In DomainCentral, select your domain, and then select DNS. In the Modify list, select the type of DNS record to add (CNAME Alias or A Record).
  5. Then specify the Host and Points To fields for the record. When complete click the Add button.
    • When adding a CNAME record, you must set the Host field to the sub-domain you wish to use. For example, www. You must set the Points To field to the .trafficmanager.net domain name of the Traffic Manager profile you are using with your Azure web app. For example, contoso.trafficmanager.net.
    • Note You must only use CNAME records when associating your custom domain name with an Azure web app that is load balanced using Traffic Manager.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on DomainDiscover for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by DomainDiscover. Use the following steps to locate the DNS tools for DomainDiscover.com.

  1. Log on to your account with DomainDiscover.com (TierraNet) by selecting Control Panel from the Login menu.
  2. On the Domain Services page, select the domain that you want to use for your Azure web app.
  3. In the Domain settings, click the Edit button for DNS Service.
  4. In the Manage DNS window, select the type of DNS record to add in the Add Records list. Then click the Add button.
  5. On the following page, enter the DNS record values. Then click the Add button.
    • When adding a CNAME record, you must first select CNAME (Alias) on the Manage DNS page. Then set the Host field to the sub-domain you wish to use. For example, www. You must set the Alias Hostname field to the .trafficmanager.net domain name of the Traffic Manager profile you are using with your Azure web app. For example, contoso.trafficmanager.net. Then provide a Time-to-Live (TTL) value, such as 1800 seconds.
    • Note You must only use CNAME records when associating your custom domain name with an Azure web app that is load balanced using Traffic Manager.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record on Directnic for an Azure web app that uses Traffic Manager

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by Directnic. Use the following steps to locate the DNS tools for Directnic.com.

  1. Log on to your account with Directnic.com, and select My Services and then Domains.
  2. Click the domain name that you wish to use with your Azure web app.
  3. On the management page for your domain, click the Manage button for DNS in the Services pane.
  4. Add DNS records by filling in the Type, Name, and Data fields. When complete, click the Add Record button.
    • When adding a CNAME record, you must set the Name field to the sub-domain you wish to use. For example, www. You must set the Data field to the .trafficmanager.net domain name of the Traffic Manager profile you are using with your Azure web app. For example, contoso.trafficmanager.net.

      Note You must only use CNAME records when associating your custom domain name with an Azure web app that is load balanced using Traffic Manager.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Add a DNS record for an Azure web app (registrar not listed)

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by the domain registrar that you purchased your domain name from. Use the following steps to locate and use the DNS tools.

  1. Log on to your account at your domain registrar, and look for a page for managing DNS records. Look for links or areas of the site labeled as Domain Name, DNS, or Name Server Management. Often a link to this page can be found by viewing your account information, and then looking for a link such as My domains.
  2. Once you have found the management page for your domain name, look for a link that allows you to edit the DNS records. This might be listed as a Zone file, DNS Records, or as an Advanced configuration link.
    • The page will most likely have a few records already created, such as an entry associating '@' or '*' with a 'domain parking' page. It may also contain records for common sub-domains such as www.
    • The page will mention A records and CNAME records, or provide a drop-down to select a record type. It may also mention other records such as MX records. In some cases, these will be called by other names such as IP Address records instead of A records, or Alias Records instead of CNAME records.
    • The page will also have fields that allow you to map from a Host name or Domain name to an IP Address or other domain name.
  3. While the specifics of each registrar vary, in general you map from your custom domain name (such as contoso.com) to the Azure web app domain name (contoso.azurewebsites.net) or the Azure web app virtual IP address.
    • CNAME records will always map to the Azure web app domain - contoso.azurewebsites.net. So you will be mapping from a domain such as www to your <yourwebappname>.azurewebsites.net address.

      Note If you will be using an A record, you must also add a CNAME record that maps from awverify to awverify.<yourwebappname>.azurewebsites.net.

      This CNAME record is used by Azure to validate that you own the domain described by the A record.

      • To map the root domain, or create a wildcard mapping for sub-domains immediately off the root, map from awverify to awverify.<yourwebappname>.azurewebsites.net.
      • To map a specific sub-domain, map from awverify.<subdomainname> to awverify.<yourwebappname>.azurewebsites.net. For example, the verification CNAME record for the mail.contoso.com sub-domain would map from awverify.mail to awverify.<yourwebappname>.azurewebsites.net.
    • A records will always map to the Azure web app virtual IP address. So you are mapping from a domain such as www to the Azure web app's virtual IP address.

      Note To map a root domain (such as contoso.com) to an Azure web app, you will often map from '@', or a blank entry, to the virtual IP address. To create a wildcard mapping that maps all sub-domains to the virtual IP address, you will usually map from '*' to the virtual IP address.

      The specifics of mapping a root or wildcard vary between registrars. Consult the documentation provided by your registrar for more specific guidance.

  4. Once you have finished adding or modifying DNS records at your registrar, save the changes.
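
The record set from step 3 can be written down and checked before you move on to the portal. The following is an added example, not part of the original guide: it derives the records the guide asks for (including the awverify verification CNAME for an A record) and compares them with the records read back from the registrar. The function names, the sample zone and the 203.0.113.10 address are constructed for illustration.

```python
"""DNS pre-flight check for an Azure web app custom domain (added example)."""

AZURE_SUFFIX = "azurewebsites.net"


def _norm(name):
    """Lower-case a DNS name or value and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def relative_name(hostname, zone):
    """Return the host field a registrar form expects: '@', '*', 'www', 'mail'."""
    hostname, zone = _norm(hostname), _norm(zone)
    if hostname == zone:
        return "@"
    if not hostname.endswith("." + zone):
        raise ValueError(f"{hostname} is not inside zone {zone}")
    return hostname[: -len(zone) - 1]


def required_records(hostname, zone, webapp, record_type, vip=None):
    """List the (host, type, value) records the guide asks for."""
    host = relative_name(hostname, zone)
    record_type = record_type.upper()
    if record_type == "CNAME":
        # A CNAME always points at <yourwebappname>.azurewebsites.net.
        return [(host, "CNAME", f"{webapp}.{AZURE_SUFFIX}")]
    if record_type != "A":
        raise ValueError("record_type must be 'A' or 'CNAME'")
    if not vip:
        raise ValueError("an A record needs the web app's virtual IP address")
    # Root and wildcard mappings are verified at 'awverify'; a specific
    # sub-domain is verified at 'awverify.<subdomainname>'.
    verify_host = "awverify" if host in ("@", "*") else f"awverify.{host}"
    return [
        (host, "A", vip),
        (verify_host, "CNAME", f"awverify.{webapp}.{AZURE_SUFFIX}"),
    ]


def missing_records(required, observed):
    """Return the required records that are absent from `observed`
    or present with a different value."""
    seen = {(_norm(h), t.upper(), _norm(v)) for h, t, v in observed}
    return [r for r in required if (_norm(r[0]), r[1], _norm(r[2])) not in seen]


if __name__ == "__main__":
    # Constructed sample: records as read back from the registrar's zone editor.
    zone_records = [
        ("@", "A", "203.0.113.10"),
        ("www", "CNAME", "contoso.azurewebsites.net."),
    ]
    need = required_records("contoso.com", "contoso.com", "contoso", "A",
                            vip="203.0.113.10")
    for host, rtype, value in missing_records(need, zone_records):
        print(f"missing: {host} {rtype} {value}")
```

With the sample zone, the only record reported is the awverify CNAME, which is the one Azure needs before it will accept the A record domain name.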

Next let’s enable the custom domain name on your Azure web app.

Enable the domain name on your Azure web app

After the records for your domain name have propagated, you must associate them with your Azure web app. Use the following steps to enable the domain names using your web browser.

NOTE It can take some time for CNAME records created in the previous steps to propagate through the DNS system. You cannot add the domain name to your Azure web app until the CNAME has propagated. If you are using an A record, you cannot add the A record domain name to your Azure web app until the awverify CNAME record created in the previous step has propagated.

You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

  1. In your browser, open the Azure Portal.
  2. In the Web Apps tab, click the name of your Azure web app, and then select Custom domains and SSL on the Settings blade.

  3. In the Custom domains and SSL blade, click Bring external domains.
  4. Under DOMAIN NAMES, enter the domain names to associate with your Azure web app, and then click Save.

    Once configuration has completed, the custom domain name will be listed in the HOSTNAMES ASSIGNED TO SITE section of your Azure web app.

At this point, you should be able to enter the custom domain name in your browser and see that it successfully takes you to your Azure web app.

Note If you want to get started with Azure App Service before signing up for an Azure account, try App Service for free, where you can immediately create a short-lived starter Azure web app in App Service. No credit cards required; no commitments. 

Is your custom domain name configured successfully for your Azure web app?

Add a DNS record for an Azure web app that uses Traffic Manager (registrar not listed)

To associate your custom domain with an Azure web app, you must add a new entry in the DNS table for your custom domain by using tools provided by the domain registrar that you purchased your domain name from. Use the following steps to locate and use the DNS tools.

  1. Log on to your account at your domain registrar, and look for a page for managing DNS records. Look for links or areas of the site labeled as Domain Name, DNS, or Name Server Management. Often a link to this page can be found by viewing your account information, and then looking for a link such as My domains.
  2. Once you have found the management page for your domain name, look for a link that allows you to edit the DNS records. This might be listed as a Zone file, DNS Records, or as an Advanced configuration link.
    • The page will most likely have a few records already created, such as an entry associating '@' or '*' with a 'domain parking' page. It may also contain records for common sub-domains such as www.
    • The page will mention CNAME records, or provide a drop-down to select a record type. It may also mention other records such as A records and MX records. In some cases, CNAME records will be called by other names such as an Alias Record.
    • The page will also have fields that allow you to map from a Host name or Domain name to another domain name.
  3. While the specifics of each registrar vary, in general you map from your custom domain name (such as contoso.com) to the Traffic Manager domain name (contoso.trafficmanager.net) that is used for your Azure web app.
  4. Once you have finished adding or modifying DNS records at your registrar, save the changes.

Next let’s enable the Azure web app that uses Traffic Manager.

Enable the Azure web app that uses Traffic Manager

After the records for your domain name have propagated, you should be able to use your browser to verify that your custom domain name can be used to access your Azure web app.

Note It can take some time for your CNAME to propagate through the DNS system. You can use a service such as http://www.digwebinterface.com/ to verify that the CNAME is available.

If you have not already added your Azure web app as a Traffic Manager endpoint, you must do this before name resolution will work, as the custom domain name routes to Traffic Manager. Traffic Manager then routes to your Azure web app. Use the information in Add, disable, enable or delete endpoints to add your Azure web app as an endpoint in your Traffic Manager profile.

Note If your Azure web app is not listed when adding an endpoint, verify that the Azure App Service plan is configured for Standard or Premium. You must use Standard or Premium for your Azure App Service plan in order to work with Traffic Manager.


Is your custom domain name configured successfully for your Azure web app that uses Traffic Manager?

Associate a custom domain name with an Azure Cloud Service

When you create an application in Azure, Azure provides a subdomain on the cloudapp.net domain so your users can access your application on a URL like http://<myapp>.cloudapp.net. However, you can also expose your application on your own domain name, such as contoso.com.

Add a CNAME record for your custom domain

To create a CNAME record, you must add a new entry in the DNS table for your custom domain by using the tools provided by your registrar. Each registrar has a similar but slightly different method of specifying a CNAME record, but the concepts are the same.

  1. Use one of these methods to find the .cloudapp.net domain name assigned to your cloud service.
    • Log in to the Azure Management Portal, select your cloud service, select Dashboard, and then find the Site URL entry in the quick glance section.
    • Install and configure Azure Powershell, and then use the following command:
      Get-AzureDeployment -ServiceName yourservicename | Select Url
  2. Save the domain name used in the URL returned by either method, as you will need it when creating a CNAME record.
  3. Log on to your DNS registrar's website and go to the page for managing DNS. Look for links or areas of the site labeled as Domain Name, DNS, or Name Server Management.
  4. Now find where you can select or enter CNAMEs. You may have to select the record type from a drop-down, or go to an advanced settings page. You should look for the words CNAME, Alias, or Subdomains.
  5. You must also provide the domain or subdomain alias for the CNAME, such as www if you want to create an alias for www.customdomain.com. If you want to create an alias for the root domain, it may be listed as the '@' symbol in your registrar's DNS tools.
  6. Then, you must provide a canonical host name, which is your application's cloudapp.net domain in this case.

For example, the following CNAME record forwards all traffic from www.contoso.com to contoso.cloudapp.net, the custom domain name of your deployed application:

    Alias/Host name/Subdomain    Canonical domain
    www                          contoso.cloudapp.net

A visitor of www.contoso.com will never see the true host (contoso.cloudapp.net), so the forwarding process is invisible to the end user.

Note The example above only applies to traffic at the www subdomain. Since you cannot use wildcards with CNAME records, you must create one CNAME for each domain/subdomain. If you want to direct traffic from subdomains, such as *.contoso.com, to your cloudapp.net address, you can configure a URL Redirect or URL Forward entry in your DNS settings, or create an A record.

Add an A record for your custom domain

To create an A record, you must first find the virtual IP address of your cloud service. Then add a new entry in the DNS table for your custom domain by using the tools provided by your registrar. Each registrar has a similar but slightly different method of specifying an A record, but the concepts are the same.

  1. Use one of the following methods to get the IP address of your cloud service.
    • Log in to the Azure Management Portal, select your cloud service, select Dashboard, and then find the Public Virtual IP (VIP) address entry in the quick glance section.
    • Install and configure Azure Powershell, and then use the following command:
      get-azurevm -servicename yourservicename | get-azureendpoint -VM {$_.VM} | select Vip

      If you have multiple endpoints associated with your cloud service, you will receive multiple lines containing the IP address, but all should display the same address.

  2. Save the IP address, as you will need it when creating an A record.
  3. Log on to your DNS registrar's website and go to the page for managing DNS. Look for links or areas of the site labeled as Domain Name, DNS, or Name Server Management.
  4. Now find where you can select or enter A records. You may have to select the record type from a drop-down, or go to an advanced settings page.
  5. Select or enter the domain or subdomain that will use this A record. For example, select www if you want to create an alias for www.customdomain.com. If you want to create a wildcard entry for all subdomains, enter '*'. This will cover all sub-domains such as mail.customdomain.com, login.customdomain.com, and www.customdomain.com. If you want to create an A record for the root domain, it may be listed as the '@' symbol in your registrar's DNS tools.
  6. Enter the IP address of your cloud service in the provided field. This associates the domain entry used in the A record with the IP address of your cloud service deployment.

For example, the following A record forwards all traffic from contoso.com to 137.135.70.239, the IP address of your deployed application:

    Host name/Subdomain    IP address
    @                      137.135.70.239

This example demonstrates creating an A record for the root domain. If you wish to create a wildcard entry to cover all subdomains, you would enter '*' as the subdomain.

Were you able to successfully associate your custom domain name with the Azure Cloud Service?

Secure communication (SSL) with an Azure web app

When someone visits your Azure web app using HTTPS, the communication between the Azure web app and the browser is secured using Secure Sockets Layer (SSL) encryption. This is the most commonly used method of securing data sent across the internet, and assures visitors that their transactions with your Azure web app are secure.


What type of domain name do you use?

HTTPS for an *.azurewebsites.net domain

If you are not planning on using a custom domain name, but are instead planning on using the *.azurewebsites.net domain assigned to your Azure web app (for example, contoso.azurewebsites.net), then your Azure web app is already secured by a certificate provided by Microsoft. You can use https://mywebapp.azurewebsites.net to access your Azure web app securely. However, *.azurewebsites.net is a shared domain, and like all shared domains is not as secure as using a custom domain with your own certificate.


Can you visit your Azure web app using HTTPS?

Enable HTTPS for a custom domain name

To enable HTTPS for a custom domain name, such as contoso.com, you must register a custom domain name with a domain name registrar. Once you have registered a custom domain name and configured your Azure web app to respond to the custom name, you must request an SSL certificate for the domain.

Registering a domain name also enables you to create subdomains such as www.contoso.com or mail.contoso.com. Before requesting an SSL certificate you must first determine which domain names will be secured by the certificate. This will determine what type of certificate you must obtain. If you just need to secure a single domain name such as contoso.com or www.contoso.com, a basic certificate will probably be sufficient. If you need to secure multiple domain names, such as contoso.com, www.contoso.com, and mail.contoso.com, then a wildcard certificate, or a certificate with Subject Alternative Name (subjectAltName, SAN), will be required.

Note Most browsers will display a warning if the domain name specified in the certificate does not match the domain name that was entered in the browser. For example, if the certificate only lists www.contoso.com, but login.contoso.com is the domain name used to access the site in Internet Explorer, you will receive a warning that "The security certificate presented by this website was issued for a different website's address."

Understand different types of certificate

  • Basic certificates are certificates where the Common Name (CN) of the certificate is set to the specific domain or subdomain that clients will use to visit the site. For example, www.contoso.com. These certificates only secure the single domain name specified by the CN.
  • Wildcard certificates are certificates where the CN of the certificate contains a wildcard '*' at the subdomain level. This allows the certificate to match a single level of subdomains for a given domain. For example, a wildcard certificate for *.contoso.com would be valid for www.contoso.com, payment.contoso.com, and login.contoso.com. It would not be valid for test.login.contoso.com, as this adds an extra subdomain level. It would also not be valid for contoso.com, as this is the root domain level and not a subdomain.

    A wildcard certificate is what Microsoft provides for the *.azurewebsites.net domain name automatically created for your Azure web app.

  • subjectAltName is a certificate extension that allows various values, or Subject Alternative Names, to be associated with a certificate. For the purpose of SSL certificates, this allows you to add additional DNS names that the certificate will be valid against. For example, a certificate using subjectAltName may have a CN of contoso.com, but may also have alternate names of www.contoso.com, payment.contoso.com, test.login.contoso.com, and even fabrikam.com. Such a certificate would be valid for all domain names specified in the Common Name and subjectAltName.

It is possible for a certificate to provide support for both wildcards and subjectAltName.
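
The matching rules above can be checked against the list of host names you plan to serve before you order a certificate. The following is an added example, not part of the original guide: it applies the single-level wildcard rule and the CN plus subjectAltName rule as this section describes them. The function names are chosen for illustration, and the requirement that a wildcard be followed by at least two labels is a conservative assumption of the example.

```python
"""Which host names does a certificate cover? (added example)"""


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Match one certificate name (the CN or a SAN entry) against a host name.

    A leading '*' label stands for exactly one label, so '*.contoso.com'
    matches 'www.contoso.com' but neither 'contoso.com' (no sub-domain)
    nor 'test.login.contoso.com' (one sub-domain level too many).
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumption of this example: a wildcard must sit in front of at
        # least two labels, so '*' and '*.com' never match anything.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def certificate_covers(common_name, alt_names, hostname):
    """True if the CN or any subjectAltName entry matches the host name."""
    return any(name_matches(n, hostname) for n in [common_name, *alt_names])


def uncovered(hostnames, common_name, alt_names=()):
    """Return the host names a visitor would get a name-mismatch warning for."""
    return [h for h in hostnames
            if not certificate_covers(common_name, alt_names, h)]


if __name__ == "__main__":
    # Host names taken from the examples in this section.
    site_names = ["contoso.com", "www.contoso.com", "login.contoso.com",
                  "test.login.contoso.com"]
    print("wildcard only:    ", uncovered(site_names, "*.contoso.com"))
    print("wildcard plus SAN:", uncovered(site_names, "*.contoso.com",
                                          ["contoso.com"]))
```

Current browsers match only the subjectAltName entries and ignore the CN, so a certificate issued by a CA normally repeats the CN value in its SAN list.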

Enabling HTTPS for a custom domain name includes the following steps:

Step 1: Get a certificate

SSL certificates used with Azure Web Apps must be signed by a Certificate Authority (CA), a trusted third-party who issues certificates for this purpose. If you do not already have one, you will need to obtain one from a company that sells SSL certificates. For a list of Certificate Authorities, see Windows and Windows Phone 8 SSL Root Certificate Program (Members CAs) on the Microsoft TechNet Wiki.

The certificate must meet the following requirements for SSL certificates in Azure:

  • The certificate must contain a private key.
  • The certificate must be created for key exchange, exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain used to access the Azure web app. If you need to serve multiple domains with this certificate, you will need to use a wildcard value or specify subjectAltName values as discussed previously.

    Note Do not attempt to obtain or generate a certificate for the azurewebsites.net domain.

  • The certificate should use a minimum of 2048-bit encryption.

    Note Certificates issued from private CA servers are not supported by Azure Web Apps.

To get an SSL certificate from a Certificate Authority you must generate a Certificate Signing Request (CSR), which is sent to the CA. The CA will then return a certificate that is used to complete the CSR. Two common ways to generate a CSR are by using the certreq.exe or OpenSSL applications. Certreq.exe is only available on Windows, while OpenSSL is available for most platforms. The steps for using both of these utilities are below.

Note Elliptic Curve Cryptography (ECC) certificates are supported with Azure Web Apps; however, they are relatively new and you should work with your CA on the exact steps to create the CSR. Once you have obtained an ECC certificate, you can upload it to your Azure web app as described in the steps below.

You may also need to obtain intermediate certificates (also known as chain certificates), if these are used by your CA. The use of intermediate certificates is considered more secure than 'unchained certificates', so it is common for a CA to use them. Intermediate certificates are often provided as a separate download from the CA's website. Ensure that any intermediate certificates are merged with the certificate uploaded to your Azure web app.

Azure Web Apps and Intermediate certificates

Using SSL with Azure Web Apps is a popular scenario, and while uploading and assigning a cert to your Azure web app is usually simple and straightforward, some customers have had challenges with this when their certificate provider uses Intermediate certificates.

Intermediate certificates (also known as Chain certificates) are used by some certificate resellers, and their use is becoming more prevalent, as providers consider this to be more secure. For example, VeriSign and GoDaddy have stopped issuing unchained certificates in the past few years, and this affects providers depending on them such as Thawte and GeoTrust as well, of course.

Naturally, Azure Web Apps fully supports this scenario, and to get it right, you just need to be aware of the steps you need to take to get the intermediate certificate in there. The most common reason for a problem with this is when our customers try to upload the intermediate certificate itself to our servers. Another common mishap is when a customer tries to upload his certificate without including the intermediate one. In either case, this could lead to some browsers issuing an alert that the site is untrusted (for the most part, the user can still proceed, but this error is certainly alarming to many users and should be avoided).

To be clear, when a certificate provider uses the chained certificate model, you do need to upload it, but the right way to deal with it is to upload both in one piece. As you may recall from our previous post on this topic, you are supposed to export your certificate to a PFX file (this is required so that the certificate includes its private key) for the purpose of the upload, and if that certificate was issued from an intermediate CA, you just need to make sure that your export includes the intermediate certificate. To do so, check the option Include all certificates in the certification path if possible.

Doing this will result in a slightly larger PFX file, which will include all the information Azure servers need to deal with the certificate. To be clear, you shouldn’t export the Intermediate certificate itself, but rather your own server certificate. When you do so and check the correct option, the export includes both certificates in the PFX file, and Azure servers will deal with it correctly.

Note An important thing to note here is that for this export to work right, the computer on which you perform it has to have that intermediate certificate itself. When a certificate provider issues a certificate, it will usually provide you with the information and/or link to install the cert, but in case you missed it or are unsure, we advise you to look for the mail and follow the instructions. You can also search your provider's website for related information (for example, here’s GoDaddy’s page and VeriSign's page).

Note When following either series of steps, you will be prompted to enter a Common Name. If you will be obtaining a wildcard certificate for use with multiple domains (www.contoso.com, sales.contoso.com), then this value should be *.domainname (for example, *.contoso.com). If you will be obtaining a certificate for a single domain name, this value must be the exact value that users will enter in the browser to visit your website. For example, www.contoso.com.

If you need to support both a wildcard name like *.contoso.com and a root domain name like contoso.com, you can use a wildcard Subject Alternative Name (SAN) certificate. For an example of creating a certificate request that uses the SubjectAltName extensions, see the Get SubjectAltName certificates section.

Get a certificate using Certreq.exe (Windows only)

Certreq.exe is a Windows utility for creating certificate requests. It has been part of the base Windows installation since Windows XP/Windows Server 2000, so it should be available on recent Windows systems. Use the following steps to obtain an SSL certificate using certreq.exe.

If you wish to create a self-signed certificate for testing, see the “Self-signed Certificates” section of this document.

If you wish to use the IIS Manager to create a certificate request, see the “Get a certificate using IIS Manager” section.

  1. Open Notepad and create a new document that contains the following. Replace mysite.com on the Subject line with the custom domain name of your website. For example, Subject = "CN=www.contoso.com".
    [NewRequest]
    Subject = "CN=mysite.com"
    Exportable = TRUE
    KeyLength = 2048
    KeySpec = 1
    KeyUsage = 0xA0
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1

    For more information on the options specified above, as well as other available options, see the Certreq reference documentation.

  2. Save the text file as myrequest.txt.
  3. From the Start Screen or Start Menu, run cmd.exe.
  4. From the command prompt, use the following command to create the certificate request file:
    certreq -new \path\to\myrequest.txt \path\to\create\myrequest.csr

    Specify the path to the myrequest.txt file created in step 1, and the path to use when creating the myrequest.csr file.

  5. Submit the myrequest.csr to a Certificate Authority to obtain an SSL certificate. This may involve uploading the file, or opening the file in Notepad and pasting the contents directly into a web form.

    For a list of Certificate Authorities, see Windows and Windows Phone 8 SSL Root Certificate Program (Members CAs) on the Microsoft TechNet Wiki.

  6. Once the Certificate Authority has provided you with a certificate (.CER) file, save this file to the computer used to generate the request, and then use the following command to accept the request and complete the certificate generation process.
    certreq -accept -user mycert.cer

    In this case, the mycert.cer certificate received from the Certificate Authority will be used to complete the signature of the certificate. No file will be created; instead, the certificate will be stored in the Windows certificate store.

  7. If your CA uses intermediate certificates, you must install these certificates before exporting the certificate in the next steps. Usually these certificates are provided as a separate download from your CA, and are provided in several formats for different web server types. Select the version that is provided for Microsoft IIS.

    Once you have downloaded the certificate, right click on it in explorer and select Install certificate. Use the default values in the Certificate Import Wizard, and continue selecting Next until the import has completed.

  8. To export the certificate from the certificate store, run certmgr.msc from the Start Screen or Start Menu. When Certificate Manager appears, expand the Personal folder, and then select Certificates. In the Issued To field, look for an entry with the custom domain name you requested a certificate for. In the Issued By field, it should list the Certificate Authority you used for this certificate.
  9. Right click the certificate and select All Tasks, and then select Export. In the Certificate Export Wizard, click Next and then select Yes, export the private key. Click Next.
  10. Select Personal Information Exchange - PKCS #12, Include all certificates in the certificate chain, and Export all extended properties. Click Next.
  11. Select Password, and then enter and confirm the password. Click Next.
  12. Provide a path and filename that will contain the exported certificate. The filename should have an extension of .pfx. Click Next to complete the process.
  13. You can now upload the exported PFX file to your Azure web app.

Get a certificate using OpenSSL

  1. Generate a private key and Certificate Signing Request by using the following from a command-line, bash or terminal session:
    openssl req -new -nodes -keyout myserver.key -out server.csr -newkey rsa:2048
  2. When prompted, enter the appropriate information. For example:
    Country Name (2 letter code)
    State or Province Name (full name) []: Washington
    Locality Name (eg, city) []: Redmond
    Organization Name (eg, company) []: Microsoft
    Organizational Unit Name (eg, section) []: Azure
    Common Name (eg, YOUR name) []: www.microsoft.com
    Email Address []:

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:

    Once this process completes, you should have two files: myserver.key and server.csr. The server.csr file contains the Certificate Signing Request.

  3. Submit your CSR to a Certificate Authority to obtain an SSL certificate. For a list of Certificate Authorities, see Windows and Windows Phone 8 SSL Root Certificate Program (Members CAs) on the Microsoft TechNet Wiki.
  4. Once you have obtained a certificate from a CA, save it to a file named myserver.crt. If your CA provided the certificate in a text format, simply paste the certificate text into the myserver.crt file. The file contents should be similar to the following when viewed in a text editor:
    -----BEGIN CERTIFICATE-----
    (Base64-encoded certificate data)
    -----END CERTIFICATE-----

    Save the file.

  5. From the command-line, Bash or terminal session, use the following command to convert the myserver.key and myserver.crt into myserver.pfx, which is the format required by Azure Web Apps:
    openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt
  6. When prompted, enter a password to secure the .pfx file.

    Note If your CA uses intermediate certificates, you must install these certificates before exporting the certificate in the next step. Usually these certificates are provided as a separate download from your CA, and are provided in several formats for different web server types. Select the version that is provided as a PEM file (.pem file extension.)

    The following command demonstrates how to create a .pfx file that includes intermediate certificates, which are contained in the intermediate-cets.pem file:

    openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt -certfile intermediate-cets.pem

    After running this command, you should have a myserver.pfx file suitable for use with Azure Web Apps.

Get SubjectAltName certificates (Optional)

OpenSSL can be used to create a certificate request that uses the SubjectAltName extension to support multiple domain names with a single certificate; however, it requires a configuration file. The following steps walk through creating a configuration file, and then using it to request a certificate.

  1. Create a new file named sancert.cnf and use the following as the contents of the file:
    # -------------- BEGIN custom sancert.cnf -----
    HOME = .
    oid_section = new_oids
    [ new_oids ]
    [ req ]
    default_days = 730
    distinguished_name = req_distinguished_name
    encrypt_key = no
    string_mask = nombstr
    req_extensions = v3_req # Extensions to add to certificate request
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default =
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default =
    localityName = Locality Name (eg, city)
    localityName_default =
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default =
    commonName = Your common name (eg, domain name)
    commonName_default = www.mydomain.com
    commonName_max = 64
    [ v3_req ]
    subjectAltName=DNS:ftp.mydomain.com,DNS:blog.mydomain.com,DNS:*.mydomain.com
    # -------------- END custom sancert.cnf -----

    Note the line that begins with 'subjectAltName'. Replace the domain names currently listed with domain names you wish to support in addition to the common name. For example:

    subjectAltName=DNS:sales.contoso.com,DNS:support.contoso.com,DNS:fabrikam.com

    You do not need to change the commonName_default field, as you will be prompted to enter your common name in one of the following steps.

  2. Save the sancert.cnf file.
  3. Generate a private key and Certificate Signing Request by using the sancert.cnf configuration file. From a bash or terminal session, use the following command:
    openssl req -new -nodes -keyout myserver.key -out server.csr -newkey rsa:2048 -config sancert.cnf
  4. When prompted, enter the appropriate information. For example:
    Country Name (2 letter code) []: US
    State or Province Name (full name) []: Washington
    Locality Name (eg, city) []: Redmond
    Organizational Unit Name (eg, section) []: Azure
    Your common name (eg, domain name) []: www.microsoft.com

    Once this process completes, you should have two files: myserver.key and server.csr. The server.csr file contains the Certificate Signing Request.

  5. The remaining steps are the same as steps 3 to 5 of the “Get a certificate using OpenSSL” section.

Get a certificate using the IIS Manager (Optional)

If you are familiar with IIS Manager, you can use it to generate a certificate that can be used with Azure Web Apps.

  1. Generate a Certificate Signing Request (CSR) with IIS Manager to send to the Certificate Authority. For more information on generating a CSR, see Request an Internet Server Certificate (IIS 7).
  2. Submit your CSR to a Certificate Authority to obtain an SSL certificate. For a list of Certificate Authorities, see Windows and Windows Phone 8 SSL Root Certificate Program (Members CAs) on the Microsoft TechNet Wiki.
  3. Complete the CSR with the certificate provided by the Certificate Authority vendor. For more information on completing the CSR, see Install an Internet Server Certificate (IIS 7).
  4. If your CA uses intermediate certificates, you must install these certificates before exporting the certificate in the next step. Usually these certificates are provided as a separate download from your CA, and are provided in several formats for different web server types. Select the version that is provided for Microsoft IIS.

    Once you have downloaded the certificate, right click on it in explorer and select Install certificate. Use the default values in the Certificate Import Wizard, and continue selecting Next until the import has completed.

  5. Export the certificate from IIS Manager. For more information on exporting the certificate, see Export a Server Certificate (IIS 7). The exported file will be used in later steps to upload to Azure for use with your Azure web app.


    Note During the export process, be sure to select the option Yes, export the private key. This will include the private key in the exported certificate. During the export process, be sure to select the option include all certs in the certification path and Export all extended properties. This will include any intermediate certificates in the exported certificate.

Get self-signed certificates (Optional)

In some cases you may wish to obtain a certificate for testing, and delay purchasing one from a trusted CA until you go into production. Self-signed certificates can fill this gap. A self-signed certificate is a certificate you create and sign as if you were a Certificate Authority. While this certificate can be used to secure a website, most browsers will return errors when visiting the site as the certificate was not signed by a trusted CA. Some browsers may even refuse to allow you to view the site.

While there are multiple ways to create a self-signed certificate, this article only provides information on using makecert and OpenSSL.

Create a self-signed certificate using makecert

You can create a test certificate from a Windows system that has Visual Studio installed by performing the following:

  1. From the Start Menu or Start Screen, search for Developer Command Prompt. Then right-click Developer Command Prompt and select Run As Administrator. If you receive a User Account Control dialog, select Yes to continue.
  2. From the Developer Command Prompt, use the following command to create a new self-signed certificate. You must substitute serverdnsname with the DNS of your website.
    makecert -r -pe -b 01/01/2013 -e 01/01/2014 -eku 1.3.6.1.5.5.7.3.1 -ss My -n CN=serverdnsname -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

    This command will create a certificate that is valid between the dates of 01/01/2013 and 01/01/2014, and will store the certificate in the CurrentUser certificate store.

  3. From the Start Menu or Start Screen, search for Windows PowerShell and start this application.
  4. From the Windows PowerShell prompt, use the following commands to export the certificate created previously:
    $mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
    get-childitem cert:\currentuser\my -dnsname serverdnsname | export-pfxcertificate -filepath file-to-export-to.pfx -password $mypwd

    This stores the specified password as a secure string in $mypwd, then finds the certificate by using the DNS name specified by the dnsname parameter, and exports to the file specified by the filepath parameter. The secure string containing the password is used to secure the exported file.

Create a self-signed certificate using OpenSSL
  1. Create a new document named serverauth.cnf, using the following as the contents of this file:
    [ req ]
    default_bits = 2048
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes
    x509_extensions = v3_ca

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (eg, city)
    0.organizationName = Organization Name (eg, company)
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, your website's domain name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 40

    [ req_attributes ]
    challengePassword = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20

    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = CA:false
    keyUsage=nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth

    This specifies the configuration settings required to produce an SSL certificate that can be used by Azure Web Apps.

  2. Generate a new self-signed certificate by using the following from a command-line, bash or terminal session:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout myserver.key -out myserver.crt -config serverauth.cnf
    This creates a new certificate using the configuration settings specified in the serverauth.cnf file.
  3. To export the certificate to a .PFX file that can be uploaded to an Azure web app, use the following command:
    openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt

    When prompted, enter a password to secure the .pfx file.
    The myserver.pfx produced by this command can be used to secure your Azure web app for testing purposes.

Step2: Configure App Service plan to use Standard

Enabling HTTPS for a custom domain is only available for the Standard and Premium pricing tiers in Azure App Service. Use the following steps to switch your App Service plan to the Standard or Premium tier.

  1. In your browser, open the Azure Portal.
  2. On the App Service tab, click the name of your Azure web app.
  3. On the Settings blade, click Scale Up.
    
  4. On the Choose your pricing tier blade, click a pricing tier and then click Select.

Step3: Configure SSL

Before performing the steps in this section, you must have associated a custom domain name with your Azure web app.

  1. From the Azure Portal, click the name of your Azure web app.
  2. On the Settings blade, click Custom domains and SSL.
  3. On the Custom domains and SSL blade, click Upload Certificate.
  4. On the Upload Certificate blade, select the .pfx certificate file created earlier. Specify the password, if any. The password was used to secure the .pfx file.
    
  5. Click Save to upload the certificate.
  6. Go back to the Custom domains and SSL blade. In the SSL bindings section, specify the domain to secure with SSL, and the certificate to use. You may also specify whether to use SNI or IP based SSL.
    • IP based SSL associates a certificate with a domain name by mapping the dedicated public IP address of the server to the domain name. This requires each domain name (contoso.com, fabrikam.com, etc.) associated with your service to have a dedicated IP address. This is the traditional method of associating SSL certificates with a web server.
    • SNI based SSL is an extension to SSL and Transport Layer Security (TLS) that allows multiple domains to share the same IP address, with separate security certificates for each domain. Most modern browsers (including Internet Explorer, Chrome, Firefox and Opera) support SNI, however older browsers may not support SNI. For more information on SNI, see the Server Name Indication article on Wikipedia.
  7. Click Save to save the changes and enable SSL.

    Note If you specified an IP based SSL binding, a dedicated IP address is assigned to your Azure web app. To find this IP address, click Properties on the Settings blade.


At this point, you should be able to visit your Azure web app using HTTPS to verify that the certificate has been configured correctly.

Does your Azure web app use Traffic Manager?

When you use a Microsoft Azure Traffic Manager to load balance traffic to your Azure web app, that web app can then be accessed using the *.trafficmanager.net domain name assigned by Azure.

If you do not already have a Traffic Manager profile, create one by referring to the "Create Your ATM Profile" topic in article: Using Azure Traffic Manager with Azure Web Apps

Note the .trafficmanager.net domain name associated with your Traffic Manager profile, as it will be used in later steps of this guide.



Secure a web application (HTTPS) in an Azure web app

One of the challenges of developing a web application is how to provide a safe and secure service for your customers. This guide discusses the features of Azure Web Apps that can secure your web application.

Note A full discussion of security considerations for web-based applications is beyond the scope of this guide. As a starting point for further guidance on securing web applications, see the Open Web Application Security Project (OWASP), specifically the Top 10 project, which lists the current top 10 critical web application security flaws, as determined by OWASP members.

Secure communications

If you use the .azurewebsites.net domain name created for your Azure web app, you can immediately use HTTPS, as an SSL certificate is provided for all *.azurewebsites.net domain names. If your Azure web app uses a custom domain name, you can upload an SSL certificate to enable HTTPS for the custom domain. For more information, watch the video that talks about how SSL works in Azure Web Apps.


Enforce HTTPS

Azure Web Apps do not enforce HTTPS; visitors may still access your Azure web app using HTTP, which might expose sensitive information. To enforce HTTPS, use the URL Rewrite module. The URL Rewrite module is included with Azure Web Apps, and allows you to define rules that are applied to incoming requests before the requests are handed to your application. It can be used for applications written in any programming language supported by Azure Web Apps.

Note .NET MVC applications should use the RequireHttps filter instead of URL Rewrite. For more information on using RequireHttps, see Deploy a secure ASP.NET MVC 5 app to an Azure web app.

For information on programmatic redirection of requests using other programming languages and frameworks, consult the documentation for those technologies.

URL Rewrite rules are defined in a web.config file stored in the root of your application. The following example contains a basic URL Rewrite rule that forces all incoming traffic to use HTTPS.

URL Rewrite Example web.Config

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="Force HTTPS" enabled="true">
              <match url="(.*)" ignoreCase="false" />
              <conditions>
                <add input="{HTTPS}" pattern="off" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

This rule works by returning an HTTP status code of 301 (permanent redirect) when the user requests a page using HTTP. The 301 redirects the request to the same URL as the visitor requested, but replaces the HTTP portion of the request with HTTPS. For example, HTTP://contoso.com would be redirected to HTTPS://contoso.com.

Note If your application is written in Node.js, PHP, Python Django, or Java, it probably doesn't include a web.config file. However Node.js, Python Django, and Java all actually do use a web.config when hosted on Azure Web Apps - Azure creates the file automatically during deployment, so you never see it. If you include one as part of your application, it will override the one that Azure automatically generates.

web.config for .NET

For .NET applications, modify the web.config file for your application and add the <rewrite> section from the example to the <system.webServer> section.

If your web.config file already includes a <rewrite> section, add the <rule> from the example as the first entry in the <rules> section.

web.config for PHP

For PHP applications, simply save the above URL Rewrite example as a web.config file in the root of your application, then re-deploy the application to your Azure web app.

web.config for Node.js, Python Django, and Java

A web.config file is automatically created for Node.js, Python Django, and Java apps if they don't already provide one, but it only exists on the server since it is created during deployment. The automatically generated file contains settings that tell Azure how to host your application.

To retrieve and modify the auto-generated file from the Website, use the following steps.

  1. Download the file using FTP (see Uploading/downloading files over FTP and collecting diagnostics logs).
  2. Add it to the root of your application.
  3. Add the rewrite rules using the following information.
    • Node.js and Python Django

      The web.config file generated for Node.js and Python Django applications will already have a <rewrite> section, containing <rule> entries that are required for the proper functioning of the site. To force the site to use HTTPS, add the <rule> from the example as the first entry in the <rules> section. This will force HTTPS, while leaving the rest of the rules intact.

    • Java

      The web.config file for Java applications using Apache Tomcat does not contain a <rewrite> section, so you must add the <rewrite> section from the example into the <system.webServer> section.

  4. Redeploy the project (including the updated web.config) to Azure.

Once you deploy a web.config with a rewrite rule to force HTTPS, it should take effect immediately and redirect all requests to HTTPS.
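The edit described above for Node.js, Python Django and Java apps can be scripted. The following is an added example, not part of the original guide or of Azure's tooling: it inserts the guide's Force HTTPS rule ahead of any existing rules, creating the <rewrite> and <rules> sections when they are missing. The two sample web.config files and their rule names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The <rule> element from the guide's URL Rewrite example.
FORCE_HTTPS_RULE = """
<rule name="Force HTTPS" enabled="true">
  <match url="(.*)" ignoreCase="false" />
  <conditions>
    <add input="{HTTPS}" pattern="off" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
          appendQueryString="true" redirectType="Permanent" />
</rule>
"""

# Constructed sample: a Node.js-style file that already has rewrite rules.
# Rule names and contents are illustrative, not copied from an Azure deployment.
NODE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="StaticContent">
          <action type="Rewrite" url="public{REQUEST_URI}" />
        </rule>
        <rule name="DynamicContent">
          <action type="Rewrite" url="server.js" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>"""

# Constructed sample: a Java/Tomcat-style file with no <rewrite> section.
JAVA_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers />
  </system.webServer>
</configuration>"""


def _find(parent, tag):
    """Return the direct child named `tag`, or None."""
    return next((c for c in parent if c.tag == tag), None)


def _find_or_create(parent, tag):
    node = _find(parent, tag)
    return node if node is not None else ET.SubElement(parent, tag)


def add_force_https_rule(web_config_xml):
    """Return web.config text with Force HTTPS as the first <rule>.

    Existing rules keep their order. A rule already named "Force HTTPS"
    is replaced rather than duplicated, so the function is safe to re-run.
    """
    root = ET.fromstring(web_config_xml.strip())
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is <%s>" % root.tag)
    web_server = _find_or_create(root, "system.webServer")
    rules = _find_or_create(_find_or_create(web_server, "rewrite"), "rules")

    for old in [c for c in rules if c.tag == "rule" and c.get("name") == "Force HTTPS"]:
        rules.remove(old)

    # Insert ahead of the first existing <rule>; any non-rule children
    # that precede it keep their position.
    children = list(rules)
    index = next((i for i, c in enumerate(children) if c.tag == "rule"), len(children))
    rules.insert(index, ET.fromstring(FORCE_HTTPS_RULE.strip()))

    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def rule_names(web_config_xml):
    """List rule names in evaluation order, for a quick check before redeploying."""
    node = ET.fromstring(web_config_xml.strip())
    for tag in ("system.webServer", "rewrite", "rules"):
        node = _find(node, tag)
        if node is None:
            return []
    return [r.get("name") for r in node if r.tag == "rule"]


if __name__ == "__main__":
    print(rule_names(add_force_https_rule(NODE_WEB_CONFIG)))
    print(rule_names(add_force_https_rule(JAVA_WEB_CONFIG)))
```

Run it against the file downloaded over FTP and compare rule_names before and after to confirm that the original rules are intact.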

For more information on the IIS URL Rewrite module, see the URL Rewrite documentation.

Next steps

For more information on the security of the Azure platform, information on reporting a security incident or abuse, or to inform Microsoft that you will be performing penetration testing of your Azure web app, see the security section of the Microsoft Azure Trust Center.

For more information on web.config or applicationhost.config files in Azure Web Apps, see Configuration options unlocked in Azure Web Apps.

For information on logging information for Azure Web Apps, which may be useful in detecting attacks, see Enable diagnostic logging.


Were you able to enforce HTTPS for Azure web app visitors?

Secure an application (SSL) in Azure Cloud Services

Secure Socket Layer (SSL) encryption is the most commonly used method of securing data sent across the internet. This guide discusses how to specify an HTTPS endpoint for a web role and how to upload an SSL certificate to secure your application.

This task includes the following steps:
Note This task will use a production deployment; information on using a staging deployment is provided at the end of this topic.

Step1: Get an SSL certificate

To configure SSL for an application, you first need to get an SSL certificate that has been signed by a Certificate Authority (CA), a trusted third-party who issues certificates for this purpose. If you do not already have one, you will need to obtain one from a company that sells SSL certificates.

The certificate must meet the following requirements for SSL certificates in Azure:

  • The certificate must contain a private key.
  • The certificate must be created for key exchange, exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain used to access the cloud service. You cannot obtain an SSL certificate from a certificate authority (CA) for the cloudapp.net domain. You must acquire a custom domain name to use when accessing your service. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used to access your application. For example, if your custom domain name is contoso.com you would request a certificate from your CA for *.contoso.com or www.contoso.com.
  • The certificate must use a minimum of 2048-bit encryption.

For test purposes, you can create and use a self-signed certificate. A self-signed certificate is not authenticated through a CA and can use the cloudapp.net domain as the website URL. For example, the task below uses a self-signed certificate in which the common name (CN) used in the certificate is sslexample.cloudapp.net. For details about how to create a self-signed certificate using IIS Manager, see Create and export a self-signed certificate.

Next, you must include information about the certificate in your service definition and service configuration files.

Step2: Modify the service definition and configuration files

Your application must be configured to use the certificate, and an HTTPS endpoint must be added. As a result, the service definition and service configuration files need to be updated.

  1. In your development environment, open the service definition file (CSDEF), add a Certificates section within the WebRole section, and include the following information about the certificate:
    <WebRole name="CertificateTesting" vmsize="Small">
    ...
        <Certificates>
            <Certificate name="SampleCertificate"
                         storeLocation="LocalMachine"
                         storeName="CA" />
        </Certificates>
    ...
    </WebRole>

    The Certificates section defines the name of our certificate, its location, and the name of the store where it is located. We have chosen to store the certificate in the CA (Certificate Authority) store, but you can choose other options as well.

  2. In your service definition file, add an InputEndpoint element within the Endpoints section to enable HTTPS:
    <WebRole name="CertificateTesting" vmsize="Small">
    ...
        <Endpoints>
            <InputEndpoint name="HttpsIn" protocol="https" port="443"
                           certificate="SampleCertificate" />
        </Endpoints>
    ...
    </WebRole>
  3. In your service definition file, add a Binding element within the Sites section. This adds an HTTPS binding to map the endpoint to your site:
    <WebRole name="CertificateTesting" vmsize="Small">
    ...
        <Sites>
            <Site name="Web">
                <Bindings>
                    <Binding name="HttpsIn" endpointName="HttpsIn" />
                </Bindings>
            </Site>
        </Sites>
    ...
    </WebRole>

    All of the required changes to the service definition file have been completed, but you still need to add the certificate information to the service configuration file.

  4. In your service configuration file (CSCFG), ServiceConfiguration.Cloud.cscfg, add a Certificates section within the Role section, replacing the sample thumbprint value shown below with that of your certificate:
    <Role name="Deployment">
    ...
        <Certificates>
            <Certificate name="SampleCertificate"
                         thumbprint="9427befa18ec6865a9ebdc79d4c38de50e6316ff"
                         thumbprintAlgorithm="sha1" />
        </Certificates>
    ...
    </Role>

(The example above uses sha1 for the thumbprint algorithm. Specify the appropriate value for your certificate's thumbprint algorithm.)

Now that the service definition and service configuration files have been updated, package your deployment for uploading to Azure. If you are using cspack, ensure that you don't use the /generateConfigurationFile flag, as that will overwrite the certificate information you just inserted.
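Before packaging, the certificate wiring across the two files can be checked mechanically. The following is an added example, not part of the original guide or of the Azure SDK: it verifies that each HTTPS InputEndpoint names a declared certificate and has a site Binding, and that every declared certificate has a well-formed thumbprint in the CSCFG. The two sample files are constructed by combining the fragments above into complete documents; role names are not compared between the files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples assembled from the guide's fragments.
GOOD_CSDEF = """
<ServiceDefinition name="SslExample"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="CertificateTesting" vmsize="Small">
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="HttpsIn" endpointName="HttpsIn" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="SampleCertificate" />
    </Endpoints>
    <Certificates>
      <Certificate name="SampleCertificate" storeLocation="LocalMachine" storeName="CA" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
"""

GOOD_CSCFG = """
<ServiceConfiguration serviceName="SslExample"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="CertificateTesting">
    <Instances count="1" />
    <Certificates>
      <Certificate name="SampleCertificate" thumbprint="9427befa18ec6865a9ebdc79d4c38de50e6316ff" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
"""


def _local(tag):
    """Element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _elems(node, name):
    """All descendants of `node` (and node itself) whose local name is `name`."""
    return [e for e in node.iter() if _local(e.tag) == name]


def _thumbprint_problem(entry):
    """Return a message if the CSCFG thumbprint is malformed, else None."""
    thumbprint = entry.get("thumbprint") or ""
    algorithm = (entry.get("thumbprintAlgorithm") or "").lower()
    # Catches spaces or invisible characters carried along by copy and paste.
    if not re.fullmatch(r"[0-9A-Fa-f]+", thumbprint):
        return "thumbprint is empty or contains non-hex characters"
    if algorithm == "sha1" and len(thumbprint) != 40:
        return "sha1 thumbprint must be 40 hex digits, found %d" % len(thumbprint)
    return None


def check_https_config(csdef_xml, cscfg_xml):
    """Return a list of problems in the certificate/HTTPS wiring (empty if none)."""
    problems = []
    csdef = ET.fromstring(csdef_xml.strip())
    cscfg = ET.fromstring(cscfg_xml.strip())
    configured = {c.get("name"): c for c in _elems(cscfg, "Certificate")}

    for role in _elems(csdef, "WebRole"):
        role_name = role.get("name")
        declared = {c.get("name") for c in _elems(role, "Certificate") if c.get("name")}
        bound = {b.get("endpointName") for b in _elems(role, "Binding")}
        https = [e for e in _elems(role, "InputEndpoint") if e.get("protocol") == "https"]

        if not https:
            problems.append("%s: no InputEndpoint with protocol https" % role_name)
        for endpoint in https:
            cert = endpoint.get("certificate")
            if cert not in declared:
                problems.append("%s: endpoint %s uses certificate %r, which is not in "
                                "the role's Certificates section"
                                % (role_name, endpoint.get("name"), cert))
            if endpoint.get("name") not in bound:
                problems.append("%s: endpoint %s has no site Binding"
                                % (role_name, endpoint.get("name")))
        for name in sorted(declared):
            entry = configured.get(name)
            if entry is None:
                problems.append("%s: certificate %s has no entry in the CSCFG" % (role_name, name))
            else:
                issue = _thumbprint_problem(entry)
                if issue:
                    problems.append("%s: certificate %s: %s" % (role_name, name, issue))
    return problems


if __name__ == "__main__":
    print(check_https_config(GOOD_CSDEF, GOOD_CSCFG) or "certificate wiring is consistent")
```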

Step3: Upload the deployment package and certificate

Your deployment package has been updated to use the certificate, and an HTTPS endpoint has been added. Now you can upload the package and certificate to Azure with the Management Portal.

  1. Log into the Azure Management Portal.
  2. Click New, click Cloud Service, and then click Custom Create.
  3. In the Create a cloud service dialog, enter values for the URL, region/affinity group, and subscription. Ensure Deploy a cloud service package now is checked, and click the Next button.
  4. In the Publish your cloud service dialog, enter the required information for your cloud service, select Production for the environment, and ensure Add certificates now is checked. (If any of your roles contain a single instance, ensure Deploy even if one or more roles contain a single instance is checked.)
  5. Click the Next button.
  6. In the Add Certificate dialog, enter the location for the SSL certificate .pfx file, the password for the certificate, and click attach certificate.
  7. Ensure your certificate is listed in the Attached Certificates section.
  8. Click the Complete button to create your cloud service. When the deployment has reached the Ready status, you can proceed to the next steps.

Step4: Connect to the role instance by using HTTPS

Now that your deployment is up and running in Azure, you can connect to it using HTTPS.

  1. In the Management Portal, select your deployment, then click the link under Site URL.
  2. In your web browser, modify the link to use https instead of http, and then visit the page.

    Note If you are using a self-signed certificate, when you browse to an HTTPS endpoint that's associated with the self-signed certificate you will see a certificate error in the browser. Using a certificate signed by a trusted certification authority will eliminate this problem; in the meantime, you can ignore the error. (Another option is to add the self-signed certificate to the user's trusted certificate authority certificate store.)


If you want to use SSL for a staging deployment instead of a production deployment, you'll first need to determine the URL used for the staging deployment. Deploy your cloud service to the staging environment without including a certificate or any certificate information. Once deployed, you can determine the GUID-based URL, which is listed in the management portal's Site URL field. Create a certificate with the common name (CN) equal to the GUID-based URL (for example, 32818777-6e77-4ced-a8fc-57609d404462.cloudapp.net), use the management portal to add the certificate to your staged cloud service, add the certificate information to your CSDEF and CSCFG files, repackage your application, and update your staged deployment to use the new package and CSCFG file.


Were you able to access your application with HTTPS?

Congratulations, your task is completed!
Other resources

Sorry this guide cannot help you with your task. You can find additional support options at the following Azure sites:


Properties

Article ID: 10065 - Last Review: May 11, 2016 - Revision: 205
