Configuring an App Service: Part 1
Configure custom domains, SSL/TLS certificates, and network settings (inbound and outbound) for Azure App Service — including VNet integration and hybrid connections.
Overview
This guide covers the three core App Service configuration areas:
- Custom domain name — replacing the default azurewebsites.net URL
- Encryption (SSL/TLS) — securing custom domain traffic with certificates
- Network settings — controlling inbound and outbound connectivity
Custom Domain Names
How App Service hostnames work
Every App Service runs in a scale unit — a cluster of up to 1,000 worker nodes in a multi-tenant environment. A shared front-end proxy routes requests to the correct app. By default, each app gets:
https://<app-name>.azurewebsites.net
To use your own domain (e.g. app.contoso.com), you need to:
- Add DNS records at your domain registrar or DNS zone:
  - A record — points your domain to the App Service IP
  - CNAME record — maps www.yourdomain.com → <app-name>.azurewebsites.net
  - TXT record — proves domain ownership to Azure
- Add the custom domain in the App Service → Custom domains blade
- Create an SSL binding to enable HTTPS
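A preflight check for the DNS step above, added here as an example and not part of the original notes: before adding the domain in the Custom domains blade, confirm the records resolve to what App Service expects (CNAME for a subdomain, A record for an apex, plus the asuid TXT record carrying the verification ID). The resolver is a constructed dict standing in for live DNS; the app name, IP and verification ID are made-up sample values.

```python
from typing import Dict, List

def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot."""
    return name.lower().rstrip(".")

def check_custom_domain_dns(hostname: str, app_name: str, inbound_ip: str,
                            verification_id: str,
                            resolver: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return a list of problems; an empty list means the records are ready.

    resolver maps a DNS name to {"A": [...], "CNAME": [...], "TXT": [...]}.
    Apex names (contoso.com) need an A record plus TXT asuid.contoso.com;
    subdomains (www.contoso.com) need a CNAME plus TXT asuid.www.contoso.com.
    """
    host = _norm(hostname)
    target = f"{app_name.lower()}.azurewebsites.net"
    records = resolver.get(host, {})
    problems: List[str] = []
    is_apex = host.count(".") == 1  # assumption: single-label TLDs only
    if is_apex:
        a_values = records.get("A", [])
        if inbound_ip not in a_values:
            problems.append(f"{host}: expected A record {inbound_ip}, found {a_values or 'none'}")
    else:
        cnames = [_norm(c) for c in records.get("CNAME", [])]
        if cnames != [target]:
            problems.append(f"{host}: expected CNAME {target}, found {cnames or 'none'}")
        # A CNAME must not share its name with other record types
        if cnames and (records.get("A") or records.get("TXT")):
            problems.append(f"{host}: CNAME must not coexist with A/TXT records")
    txt_name = f"asuid.{host}"
    txt_values = [t.strip('"') for t in resolver.get(txt_name, {}).get("TXT", [])]
    if verification_id not in txt_values:
        problems.append(f"{txt_name}: expected TXT {verification_id}, found {txt_values or 'none'}")
    return problems

# Constructed sample zone: apex and www are correct, shop has a stale CNAME and no TXT.
SAMPLE_ZONE = {
    "contoso.com": {"A": ["20.0.0.1"]},
    "asuid.contoso.com": {"TXT": ['"ABC123VERIFY"']},
    "www.contoso.com": {"CNAME": ["myapp.azurewebsites.net."]},
    "asuid.www.contoso.com": {"TXT": ['"ABC123VERIFY"']},
    "shop.contoso.com": {"CNAME": ["oldapp.azurewebsites.net."]},
}

if __name__ == "__main__":
    for h in ("contoso.com", "www.contoso.com", "shop.contoso.com"):
        issues = check_custom_domain_dns(h, "myapp", "20.0.0.1", "ABC123VERIFY", SAMPLE_ZONE)
        print(h, "OK" if not issues else issues)
```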
Domain provider options
- App Service Domain — purchase a domain directly through Azure (auto-configures DNS)
- External DNS provider — manage your own DNS records manually
SSL/TLS Encryption
Once a custom domain is configured, add an SSL binding to enable HTTPS:
Certificate options
| Certificate Type | Description | Cost |
|---|---|---|
| App Service Managed Certificate | Azure-managed, auto-renews, free | Free |
| Self-signed certificate | For testing only; not trusted by browsers | Free |
| CA-issued certificate | Purchased from a certificate authority | Paid |
| Key Vault certificate | Imported from Azure Key Vault | Varies |
SSL binding types
- SNI-based SSL — uses Server Name Indication; multiple certs on one IP (recommended)
- IP-based SSL — one cert per dedicated IP; needed only for clients that do not support SNI (older browsers)
Note: App Service Managed Certificate provisioning can take up to 10 minutes.
Network Settings
Inbound traffic configuration
Control who can reach your App Service:
| Option | Description |
|---|---|
| Enable from all networks | Fully public (default) |
| Restrict to IPs / VNets | Allow-list specific sources using firewall rules |
| Disable public access | Block all internet traffic; private endpoint required |
Private Endpoint — creates a network interface inside your VNet with a private IP, making the app accessible only from within that VNet (or peered VNets/on-prem).
Outbound traffic configuration
| Option | Description |
|---|---|
| VNet Integration | Routes outbound traffic through a subnet in a VNet |
| Hybrid Connection | Connects outbound to on-premises resources via relay service |
VNet Integration (outbound)
- Adds a service endpoint inside a subnet of your VNet
- App Service can now reach private IPs in that VNet
- Works with VNet-peered resources and ExpressRoute (same-region only)
- For cross-region, a VNet gateway is required (ExpressRoute not supported with gateway-required integration)
Hybrid Connections (outbound to on-premises)
- Uses an Azure Relay service to bridge App Service and on-prem
- Both sides connect outbound to the relay (no inbound firewall rules needed)
- Useful for: connecting to on-prem databases without opening inbound ports
Outbound IP addresses
- The App Service has a set of outbound IP addresses used when connecting to external services
- These can be dynamic — stopping/starting the app can change them
- If your on-prem firewall allow-lists these IPs, watch for IP changes after app restarts
- A dedicated outbound IP can be allocated for a stable address
Exam tip: Stopping and restarting an App Service can change its outbound IP addresses.
Key Exam Takeaways
- Custom domain requires: DNS records (A/CNAME + TXT for verification) + SSL binding
- App Service Managed Certificate is free and auto-renews
- SNI SSL = multiple certs per IP (recommended); IP-based SSL = one cert per IP
- Inbound: firewall rules restrict who can reach the app; private endpoints for VNet-only access
- Outbound: VNet integration places a service endpoint in a subnet; hybrid connections use relay
- Disabling public access blocks all traffic except private endpoint connections
- Outbound IPs can change on app restart — use dedicated IPs if downstream systems need stable IPs
Quick Revision Cheat Sheet
Custom domain: DNS (A + CNAME + TXT) → add in Azure → SSL binding
SSL: Managed (free, auto) | CA cert | Key Vault cert | Self-signed
Inbound security: public firewall rules → private endpoint → disable public
Outbound to VNet: VNet integration (service endpoint in subnet)
Outbound to on-prem: hybrid connection (relay, both sides outbound)
ExpressRoute with VNet integration: same region only (no gateway)
