Disabling the Default Domain for Azure Web App: A Step-by-Step Guide
So, you’ve set up a Linux App Service in Azure and now it’s time to connect it to a custom domain. However, you may be wondering about the default domain (*.azurewebsites.net) and how to disable it. In this guide, I will share my experience and provide you with a solution.
Understanding the Default Domain in Azure
When you create a web app in Azure, it automatically receives a subdomain by default. In certain scenarios, you might prefer to disable the default domain and use a custom one. Unfortunately, Azure doesn’t provide a direct option to remove or delete the default domain associated with your web app. This means that the default domain remains accessible to everyone, including search engines like Google. To ensure better security and control over your application, it’s crucial to disable this default domain.
Leveraging Cloudflare for Enhanced Protection
To address this challenge, we can leverage services like Cloudflare, which act as a protective shield for your application. Cloudflare offers a range of security features and benefits, making it an ideal choice for our solution.
Setting Up Cloudflare
To begin, create a Cloudflare account (the free plan is enough) and add your website. Cloudflare will provide you with nameservers that need to be added to your domain’s DNS settings. You can do this through your domain registrar, such as Google Domains, GoDaddy or your preferred domain provider.
Now update the nameservers at your domain provider (Google Domains in my case).
Great! Now we have a new website in Cloudflare.
Configuring Your Azure Web App
In the Azure portal, navigate to the settings of your Web App and add your custom domain. This step ensures that your web app is associated with your desired domain name.
Verifying the Domain
Cloudflare requires domain verification to ensure that you have ownership and control over the domain. Follow the instructions provided by Cloudflare to add the necessary TXT record to your DNS configuration. Once the TXT record is set up correctly, Cloudflare will verify your domain.
Add the asuid and CNAME or A records to Cloudflare (under DNS>Records).
Now is the time to click on Verify and add the domain to our web app.
Tip: To ensure that the DNS configuration is correctly set up, you can use tools like NSLookup.
Restricting Access to Cloudflare Servers
To prevent access to your web app’s default domain, we need to restrict access only to Cloudflare’s servers.
This is because Cloudflare acts as a reverse proxy, passing traffic through its own servers before sending it to the origin server. As a result, the IP address of the origin server is hidden, and the IP address that appears in the DNS record is that of the Cloudflare server processing the request.
Azure provides a feature called Access Restrictions that allows us to achieve this. In the Networking section of your Web App’s settings, navigate to Access Restrictions.
Configuring Access Restrictions
In the Access Restrictions settings, change the default setting from “Allow All” to “Deny”, so that traffic that does not match an allow rule is rejected. This ensures that only desired traffic passes through.
Adding Cloudflare IP Ranges
To enable access exclusively through Cloudflare, we need to whitelist their IP ranges. Cloudflare provides a list of IP addresses that we can manually add to the Access Restrictions settings. Alternatively, you can utilize the Azure CLI (Command-Line Interface) to automate this process.
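The Azure CLI route mentioned above, as an added example (not the original author's script): it turns CIDR ranges read from stdin into one `az webapp config access-restriction add` rule each and skips anything that is not CIDR-shaped. The resource group and app names are placeholders, the rule names and priorities are assumptions, and the sample ranges are constructed documentation prefixes rather than Cloudflare's published list.

```shell
#!/bin/sh
# Added example: one App Service allow rule per CIDR range read from stdin.
RG="${RG:-my-resource-group}"   # placeholder resource group
APP="${APP:-my-web-app}"        # placeholder web app name

# Shape check only: accept IPv4 or IPv6 CIDR text, reject everything else
# (for example an HTML error page returned instead of the list).
is_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$|^[0-9a-fA-F]*:[0-9a-fA-F:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Print the command when DRY_RUN=1 (default); execute it when DRY_RUN=0.
# </dev/null keeps the command from consuming the CIDR list on stdin.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@" </dev/null; fi
}

gen_rules() {
  n=0
  while IFS= read -r cidr; do
    cidr=$(printf '%s' "$cidr" | tr -d '[:space:]')   # strip CR/LF and blanks
    if [ -z "$cidr" ]; then continue; fi
    if ! is_cidr "$cidr"; then
      echo "skipping malformed entry: $cidr" >&2
      continue
    fi
    n=$((n + 1))
    # Rule names and priorities (101, 102, ...) are arbitrary choices.
    run az webapp config access-restriction add \
      --resource-group "$RG" --name "$APP" \
      --rule-name "cloudflare-$n" --action Allow \
      --ip-address "$cidr" --priority "$((100 + n))"
  done
}

# Demo with constructed documentation prefixes, not Cloudflare's real ranges.
# Real run: curl -fsS https://www.cloudflare.com/ips-v4 | DRY_RUN=0 gen_rules
printf '%s\n' 192.0.2.0/24 198.51.100.0/24 2001:db8::/32 | gen_rules
```

Cloudflare publishes its current ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. Review the dry-run output before running with DRY_RUN=0.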
Our list should then look like this:
To ensure that your web app is properly configured to allow access only through Cloudflare, you can run the following command in your command-line interface: “nslookup yourdomain.com”. This command will retrieve the IP address associated with your domain.
Next, compare the obtained IP address with the list of IP addresses provided by Cloudflare. If the IP address matches one from the Cloudflare list, it confirms that your web app is correctly configured to allow access exclusively through Cloudflare. However, if the IP address does not match, it indicates a configuration issue that needs to be addressed.
The Result
After we set up a whitelist for Cloudflare, we have to verify if it works. Let’s enter our default domain and see if access is denied as expected.
By following these steps, you can successfully disable the default domain for your Azure Web App and ensure that access is only granted through your custom domain. Leveraging Cloudflare’s services adds an extra layer of security and control to your application.
With these steps, you can enhance the security and accessibility of your web app in Azure.