This guide walks through putting Azure Front Door (AFD) Standard in front of an Azure App Service, mapping a custom subdomain to it, and letting Front Door issue and renew the TLS certificate for that subdomain.
📋 Prerequisites
- An existing Azure App Service (e.g., app-sea-3446.azurewebsites.net).
- A domain managed in a DNS provider (e.g., AWS Route53).
- Azure CLI installed and authenticated.
Architecture (diagram)
🏗️ Phase 1: Infrastructure Setup
First, we create the Front Door profile, endpoint, and origin group.
```bash
# Variables
RG="rg-afd-lab"
PROFILE_NAME="afd-profile"
ENDPOINT_NAME="afd-endpoint"
ORIGIN_GROUP="app-origin-group"
APP_HOSTNAME="app-sea-3446.azurewebsites.net"

# 1. Create Profile (Standard tier; managed certificates are available here)
az afd profile create -g $RG --profile-name $PROFILE_NAME --sku Standard_AzureFrontDoor

# 2. Create Endpoint (this is what gets the <name>-<hash>.z01.azurefd.net hostname)
az afd endpoint create -g $RG --profile-name $PROFILE_NAME --endpoint-name $ENDPOINT_NAME --enabled-state Enabled

# 3. Create Origin Group with Health Probes (HTTPS GET / every 30 s)
az afd origin-group create -g $RG --profile-name $PROFILE_NAME --origin-group-name $ORIGIN_GROUP \
  --probe-request-type GET --probe-protocol Https --probe-path "/" --probe-interval-in-seconds 30

# 4. Add App Service as the Origin. App Service routes on the Host header, so the
#    origin host header must be the azurewebsites.net name, not your custom domain.
az afd origin create -g $RG --profile-name $PROFILE_NAME --origin-group-name $ORIGIN_GROUP \
  --origin-name sea-origin --host-name $APP_HOSTNAME --origin-host-header $APP_HOSTNAME \
  --priority 1 --weight 1000 --enabled-state Enabled
```
🌐 Phase 2: Custom Domain & Managed TLS
This is where we map your branded URL (hello-azure-fd.chromia.dev in the lab; the commands below use hello-azure-fd.xxx.dev as a placeholder) to the Front Door endpoint. Note the two names: SUBDOMAIN_RESOURCE is the Azure resource name of the custom-domain object, SUBDOMAIN_FQDN is the actual host name users will type.
```bash
SUBDOMAIN_RESOURCE="hello-azure-fd-resource"
SUBDOMAIN_FQDN="hello-azure-fd.xxx.dev"

# 1. Register the Domain with a Front Door managed certificate, TLS 1.2 minimum
az afd custom-domain create -g $RG --profile-name $PROFILE_NAME \
  --custom-domain-name $SUBDOMAIN_RESOURCE \
  --host-name $SUBDOMAIN_FQDN \
  --minimum-tls-version TLS12 \
  --certificate-type ManagedCertificate

# 2. Get the Validation Token (goes into the _dnsauth TXT record below)
az afd custom-domain show -g $RG --profile-name $PROFILE_NAME \
  --custom-domain-name $SUBDOMAIN_RESOURCE --query validationProperties.validationToken
```
🗝️ DNS Configuration (Route53/Manual)
You must add two records to your DNS provider:
- CNAME Record: Name: hello-azure-fd, Value: <your-endpoint>.z01.azurefd.net (the endpoint's hostName)
- TXT Record (Validation): Name: _dnsauth.hello-azure-fd, Value: [The Token from Step 2]
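The two records above can be created from the CLI rather than by hand. The script below is an added example, not part of the original post: it builds a Route53 change batch for the CNAME and the _dnsauth TXT record and pushes it with the aws CLI. It assumes an authenticated aws CLI, the variables from Phase 1 and Phase 2, and a HOSTED_ZONE_ID you supply; the record names are built from the FQDN so the TXT name cannot end up with the zone appended twice.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: create the CNAME and _dnsauth TXT
# records for an AFD managed-certificate domain in Route53.
# Assumptions: aws CLI authenticated for the hosted zone; RG, PROFILE_NAME,
# ENDPOINT_NAME, SUBDOMAIN_RESOURCE, SUBDOMAIN_FQDN from the guide; HOSTED_ZONE_ID
# supplied by you. Set APPLY_DNS=1 to actually push the records.
set -eu

# Route53 record names are fully qualified (trailing dot). Deriving both names from
# the FQDN avoids the "_dnsauth.hello-azure-fd.xxx.dev.xxx.dev" mistake that leaves
# validation stuck in Pending.
cname_name()   { printf '%s.' "$1"; }
dnsauth_name() { printf '_dnsauth.%s.' "$1"; }

# Build the change batch. A TXT value must carry its own double quotes inside the
# JSON string, hence the escaped quotes around the token.
change_batch() {
  local fqdn=$1 endpoint_host=$2 token=$3
  cat <<EOF
{"Comment":"AFD custom domain $fqdn","Changes":[
 {"Action":"UPSERT","ResourceRecordSet":{"Name":"$(cname_name "$fqdn")","Type":"CNAME","TTL":300,
  "ResourceRecords":[{"Value":"$endpoint_host"}]}},
 {"Action":"UPSERT","ResourceRecordSet":{"Name":"$(dnsauth_name "$fqdn")","Type":"TXT","TTL":300,
  "ResourceRecords":[{"Value":"\"$token\""}]}}
]}
EOF
}

apply_records() {
  local zone_id=$1 fqdn=$2 endpoint_host=$3 token=$4
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(change_batch "$fqdn" "$endpoint_host" "$token")"
}

# Real run: read the endpoint hostname and the validation token from Azure, then push.
if [ "${APPLY_DNS:-0}" = 1 ]; then
  endpoint_host=$(az afd endpoint show -g "$RG" --profile-name "$PROFILE_NAME" \
    --endpoint-name "$ENDPOINT_NAME" --query hostName -o tsv)
  token=$(az afd custom-domain show -g "$RG" --profile-name "$PROFILE_NAME" \
    --custom-domain-name "$SUBDOMAIN_RESOURCE" \
    --query validationProperties.validationToken -o tsv)
  apply_records "${HOSTED_ZONE_ID:?set HOSTED_ZONE_ID}" "$SUBDOMAIN_FQDN" "$endpoint_host" "$token"
fi
```

Without APPLY_DNS=1 the script only defines the functions, so you can call `change_batch "$SUBDOMAIN_FQDN" <endpoint-host> <token>` first and eyeball the JSON before anything touches the zone. UPSERT is used so re-running after a token refresh just overwrites the TXT value.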
🛣️ Phase 3: Routing (The Final Link)
The domain won't work until it is linked to a Route.
# Create/Update Route to include the Custom Domain
```bash
az afd route create -g $RG --profile-name $PROFILE_NAME --endpoint-name $ENDPOINT_NAME \
  --route-name app-route --origin-group $ORIGIN_GROUP --supported-protocols Http Https \
  --patterns-to-match "/*" --forwarding-protocol MatchRequest --https-redirect Enabled \
  --custom-domains $SUBDOMAIN_RESOURCE --link-to-default-domain Enabled
```
Result
From the Front Door domains view the custom domain shows as validated, and the site answers on it:
```bash
curl https://hello-azure-fd.xxx.dev/
Hello from Southeast Asia
```
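At this point the App Service is still directly reachable on app-sea-3446.azurewebsites.net, so anything enforced at the edge (the HTTPS redirect, TLS 1.2 minimum, any WAF policy you attach later) can simply be skipped by going to the origin. The script below is an added example, not part of the original post: it allow-lists only traffic that arrives through this Front Door profile, using the AzureFrontDoor.Backend service tag plus the X-Azure-FDID header check, and then verifies that a direct hit on the origin is refused. It assumes the Phase 1 and Phase 2 variables plus APP_NAME, the App Service resource name, which the guide does not define; DRY_RUN=1 prints the az commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: restrict the App Service so only
# requests that passed through this Front Door profile are served.
# Assumptions: RG, PROFILE_NAME, APP_HOSTNAME, SUBDOMAIN_FQDN from the guide;
# APP_NAME is the App Service resource name (e.g. app-sea-3446).
# DRY_RUN=1 prints the az commands; APPLY_LOCKDOWN=1 runs the whole thing.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Every AFD profile has a unique frontDoorId that the edge stamps into the
# X-Azure-FDID header of each forwarded request. The service tag alone only proves
# the request came from *some* Front Door tenant; the header ties it to yours.
front_door_id() {
  az afd profile show -g "$1" --profile-name "$2" --query frontDoorId -o tsv
}

# Add an Allow rule scoped to the Front Door service tag and our FDID. Once an
# Allow rule exists, requests matching no rule (including direct hits on the
# azurewebsites.net name) are denied, which is the point of the exercise.
lockdown_rules() {
  local rg=$1 app=$2 fdid=$3
  run az webapp config access-restriction add -g "$rg" -n "$app" \
    --rule-name AllowFrontDoor --action Allow --priority 100 \
    --service-tag AzureFrontDoor.Backend --http-header x-azure-fdid="$fdid"
}

# HTTP status for a plain GET on a hostname, used to prove the bypass is closed.
http_code() { curl -s -o /dev/null -w '%{http_code}' "https://$1/"; }

if [ "${APPLY_LOCKDOWN:-0}" = 1 ]; then
  fdid=$(front_door_id "$RG" "$PROFILE_NAME")
  lockdown_rules "$RG" "${APP_NAME:?set APP_NAME}" "$fdid"
  echo "direct origin  -> $(http_code "$APP_HOSTNAME")  (expect 403)"
  echo "via Front Door -> $(http_code "$SUBDOMAIN_FQDN")  (expect 200)"
fi
```

The access restriction applies to the main site only; the Kudu/SCM site keeps its own rule set (the `--scm-site` flag on the same command), so lock that down separately to the addresses your deployment tooling uses. Run with DRY_RUN=1 first to see the exact command and FDID before applying it.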
🔍 Troubleshooting Tips
| Issue | Cause | Fix |
|---|---|---|
| 404 Not Found | Route not linked | Ensure the route was created with --custom-domains, or attach the domain to an existing route with az afd route update --custom-domains. |
| SSL Cert Mismatch | Propagation lag | The edge might show *.azureedge.net for 10-20 mins while the new cert deploys. |
| Validation Pending | Wrong TXT Name | In Route53, don't repeat the domain. Use _dnsauth.hello-azure-fd only. |
| BadRequest Error | Missing Cert Type | AFD Standard requires --certificate-type during the create command. |
💡 Validation Script
Use this to check where the domain is in the process; re-run it until Validation shows Approved and Deployment shows Succeeded:
```bash
az afd custom-domain show -g $RG --profile-name $PROFILE_NAME --custom-domain-name $SUBDOMAIN_RESOURCE \
  --query "{Validation:domainValidationState, Deployment:deploymentStatus}" -o table
```
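Re-running that command by hand gets old quickly, and it does not tell you when to stop waiting. The script below is an added example, not part of the original post: it polls the same two fields, returns as soon as the domain is live, and bails out on the terminal states that more waiting will never fix. It uses RG, PROFILE_NAME and SUBDOMAIN_RESOURCE from the guide; POLL_SECONDS and MAX_ATTEMPTS are assumed knobs with defaults.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: poll the custom domain until the
# managed certificate is validated and deployed.
# Assumptions: RG, PROFILE_NAME, SUBDOMAIN_RESOURCE from the guide; POLL_SECONDS
# and MAX_ATTEMPTS are optional overrides. Set WAIT_FOR_DOMAIN=1 to start polling.
set -eu

# Classify one (validation, deployment) pair. Returns 0 when the domain is live,
# 1 while still in progress, 2 on a terminal state that polling will never fix.
domain_state() {
  case "$1" in
    Approved) ;;
    Rejected|TimedOut|InternalError) return 2 ;;
    *) return 1 ;;
  esac
  case "$2" in
    Succeeded) return 0 ;;
    Failed) return 2 ;;
    *) return 1 ;;
  esac
}

query_state() {
  az afd custom-domain show -g "$RG" --profile-name "$PROFILE_NAME" \
    --custom-domain-name "$SUBDOMAIN_RESOURCE" \
    --query "[domainValidationState, deploymentStatus]" -o tsv
}

wait_until_live() {
  local attempt=1 max=${MAX_ATTEMPTS:-40} rc
  while [ "$attempt" -le "$max" ]; do
    # Word-splitting the tsv output works whether az prints the two values on one
    # tab-separated line or on two lines.
    set -- $(query_state)
    rc=0; domain_state "${1:-}" "${2:-}" || rc=$?
    case $rc in
      0) echo "live: validation=$1 deployment=$2"; return 0 ;;
      2) echo "gave up: validation=${1:-?} deployment=${2:-?}" >&2
         echo "TimedOut usually means the _dnsauth token expired (see validationProperties.expirationDate);" >&2
         echo "regenerate it with 'az afd custom-domain regenerate-validation-token' and update the TXT record." >&2
         return 1 ;;
    esac
    echo "attempt $attempt/$max: validation=${1:-?} deployment=${2:-?}"
    sleep "${POLL_SECONDS:-30}"
    attempt=$((attempt + 1))
  done
  echo "still not live after $max attempts" >&2
  return 1
}

if [ "${WAIT_FOR_DOMAIN:-0}" = 1 ]; then
  wait_until_live
fi
```

The exit code is meaningful, so the script can gate a later step (for example, the route creation in Phase 3, or the curl smoke test) in a pipeline: `WAIT_FOR_DOMAIN=1 ./wait-domain.sh && curl -sS https://$SUBDOMAIN_FQDN/`.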