Custom domain free Certificate between Container App and FrontDoor

Question

I want to configure FrontDoor with WAF to expose a container app based on a WordPress image. How can I configure the same custom domain in the container app and in FrontDoor?

It seems that in order to use a free SSL certificate as per the container app documentation, the CNAME record must point directly to the container app without any intermediate CNAME. However, I need Front Door to be the first point of access.

What are the best practices for configuring this setup? Thanks

Answer 1

@Stefano Mancin Thanks for your response.

Please go through the Host name preservation - Azure Architecture Center | Microsoft Learn

• This states that the backend and the reverse proxy should use the same domain
• As this avoids,
  • Incorrect absolute URLs
    • Incorrect redirect URLs
      • Broken cookies

 

In our particular case,

• The Free certificate requirements states that "Mapping to an intermediate CNAME value blocks certificate issuance and renewal."
• This is a limitation from "Free certificate"
• For non-production workloads,
  • You can first map the DNS to Container Apps, and get the certificate issued
    • Then later map the DNS to AFD and get a managed certificate for AFD : Configure HTTPS for your custom domain - Azure Front Door | Microsoft Learn
      • However, as mentioned, this could lead to issues during renewal where you should have a downtime

 

The recommendation is to BYOC (Bring your own certificate)

• In this case, you can use the certificate in both AFD and Container apps via Azure Key Vault
  • Import certificates from Azure Key Vault to Azure Container Apps | Microsoft Learn
  • Configure HTTPS for your custom domain - Azure Front Door | Microsoft Learn
  • This way, you don't have the requirement keep the CNAME pointed towards Container Apps all the time

As of now, there are no plans to integrate the ACA free certificate with AFD or CDN.

Hope this helps, let me know if you have any further questions on this.