Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
158 lines (96 sloc) 8.52 KB
title description tags ms.topic ms.reviewer ms.custom
Secure a custom DNS with an SSL binding
Secure HTTPS access to your custom domain by creating a TLS/SSL binding with a certificate. Improve your website's security by enforcing HTTPS or TLS 1.2.

Secure a custom DNS name with an SSL binding in Azure App Service

This article shows you how to secure the custom domain in your App Service app or function app by creating a certificate binding. When you're finished, you can access your App Service app at the https:// endpoint for your custom DNS name (for example,

Web app with custom SSL certificate

Securing a custom domain with a certificate involves two steps:

In this tutorial, you learn how to:

[!div class="checklist"]

  • Upgrade your app's pricing tier
  • Secure a custom domain with a certificate
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts


To follow this how-to guide:

[!NOTE] The easiest way to add a private certificate is to create a free App Service Managed Certificate (Preview).

[!INCLUDE Prepare your web app]

Secure a custom domain

Do the following steps:

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, start the TLS/SSL Binding dialog by:

  • Selecting Custom domains > Add binding
  • Selecting TLS/SSL settings > Add TLS/SSL binding

Add binding to domain

In Custom Domain, select the custom domain you want to add a binding for.

If your app already has a certificate for the selected custom domain, go to Create binding directly. Otherwise, keep going.

Add a certificate for custom domain

If your app has no certificate for the selected custom domain, then you have two options:

[!NOTE] You can also Create a free certificate (Preview) or Import a Key Vault certificate, but you must do it separately and then return to the TLS/SSL Binding dialog.

Create binding

Use the following table to help you configure the SSL binding in the TLS/SSL Binding dialog, then click Add Binding.

Setting Description
Custom domain The domain name to add the SSL binding for.
Private Certificate Thumbprint The certificate to bind.
  • SNI SSL - Multiple SNI SSL bindings may be added. This option allows multiple SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (for more information, see Server Name Indication).
  • IP SSL - Only one IP SSL binding may be added. This option allows only one SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in Remap A record for IP SSL.
    IP SSL is supported only in Production or Isolated tiers.

Once the operation is complete, the custom domain's SSL state is changed to Secure.

SSL binding successful

[!NOTE] A Secure state in the Custom domains means that it is secured with a certificate, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.

Remap A record for IP SSL

If you don't use IP SSL in your app, skip to Test HTTPS for your custom domain.

By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app.

If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.

Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.


In various browsers, browse to https://<your.custom.domain> to verify that it serves up your app.

Portal navigation to Azure app

Your application code can inspect the protocol via the "x-appservice-proto" header. The header will have a value of http or https.

[!NOTE] If your app gives you certificate validation errors, you're probably using a self-signed certificate.

If that's not the case, you may have left out intermediate certificates when you export your certificate to the PFX file.

Prevent IP changes

Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order:

  1. Upload the new certificate.
  2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
  3. Delete the old certificate.

Enforce HTTPS

By default, anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port.

In your app page, in the left navigation, select SSL settings. Then, in HTTPS Only, select On.

Enforce HTTPS

When the operation is complete, navigate to any of the HTTP URLs that point to your app. For example:

  • http://<app_name>

Enforce TLS versions

Your app allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. To enforce different TLS versions, follow these steps:

In your app page, in the left navigation, select SSL settings. Then, in TLS version, select the minimum TLS version you want. This setting controls the inbound calls only.

Enforce TLS 1.1 or 1.2

When the operation is complete, your app rejects all connections with lower TLS versions.

Automate with scripts

Azure CLI




More resources

You can’t perform that action at this time.