In the context of the Azure Administrator Associate exam, managing App Service involves configuring how users reach your application (DNS) and how the application communicates with other networks.
**Custom DNS:**
By default, an App Service is assigned a generic `*.azurewebsites.net` URL. To utilize a branded domain (e.g., `contoso.com`), administrators must map DNS records. A **CNAME record** is used for subdomains (like `www`) pointing to the app's default hostname, while an **A record** is used for root domains pointing to the app's public IP address. Azure requires a specific TXT record to verify domain ownership. Once configured, SSL/TLS certificates are bound to the custom domain to ensure encrypted HTTPS communication.
**Networking:**
Networking controls isolate traffic and enable connectivity to protected resources:
1. **Inbound Security:** **Access Restrictions** allow administrators to define allow/deny lists based on IP addresses. For enhanced security, **Private Endpoints** provide the app with a private IP address from an Azure Virtual Network (VNet), allowing access only from within that network and eliminating public internet exposure.
2. **Outbound Connectivity:** **VNet Integration** allows the web app to access resources located inside an Azure VNet (such as an SQL database or VM) while maintaining public availability. Alternatively, **Hybrid Connections** enable access to on-premises resources via a relay agent without requiring inbound firewall ports to be opened.
Mastering Azure App Service: Custom DNS and Networking for AZ-104
**Introduction:**
Azure App Service is a Platform as a Service (PaaS) offering for hosting web applications, REST APIs, and mobile backends. While the default deployment provides a generic URL and public internet access, real-world enterprise scenarios require branding via Custom DNS and security via strictly controlled Networking capabilities. Understanding how to configure these is a critical component of the AZ-104 certification.
**Why is it Important?**
In a production environment, businesses cannot use the default `*.azurewebsites.net` domain for customer-facing applications; they require a proprietary domain name (e.g., `www.contoso.com`) for branding and trust. Furthermore, security compliance often mandates that apps must communicate securely with backend databases (like Azure SQL) over private networks rather than the public internet. Mastering these concepts allows an administrator to secure data flow and establish professional web identities.
**What is App Service DNS and Networking?**
Custom DNS allows you to map a domain name you own to your Azure App Service. Networking in App Service refers to the features that control traffic flow into the app (Inbound) and out of the app (Outbound), including integration with Azure Virtual Networks (VNets), private endpoints, and access restrictions.
**How it Works: Custom DNS**
To map a custom domain, you must own the domain and have access to the DNS records editor at your domain registrar. There are two main record types used:
1. **CNAME Record:** Maps a subdomain (like `www`) directly to the App Service default domain (`contoso.azurewebsites.net`). This is the preferred method.
2. **A Record:** Maps the root domain (like `contoso.com`) to the static public IP address of the App Service.
**Domain Verification:** Azure requires proof of ownership before binding a domain. If you want to verify ownership without pointing traffic to the app yet (pre-warming), you must create a TXT record using the `asuid.{subdomain}` convention (e.g., `asuid.www`).
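The record planning described in the Custom DNS sections above (both the short summary and this one), turned into a pre-flight check, as an added example that is not part of the original article. Given the hostname you want to map, it works out whether an A record or a CNAME is needed, adds the `asuid.` TXT record for ownership verification, and compares the plan with what DNS currently publishes so you can confirm the records before adding the hostname and binding a certificate. The default hostname, inbound IP, verification ID and zone contents are constructed placeholders (in practice they come from the app's Custom domains blade), and the resolver is injected so the check runs offline.

```python
"""Plan, and pre-check, the DNS records needed to map a custom domain to an
App Service. Added example, not from the original article. The default
hostname, inbound IP and verification ID below are constructed
placeholders; in a real run they come from the app's Custom domains blade.
`resolve` is injected so the check runs offline against the constructed
zone data; swap in a real DNS lookup to use it for a live check."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    name: str    # fully qualified owner name, e.g. "www.contoso.com"
    rtype: str   # "A", "CNAME" or "TXT"
    value: str


def plan_records(custom_host: str, root_domain: str, default_hostname: str,
                 inbound_ip: str, verification_id: str) -> list[DnsRecord]:
    """Return the records Azure expects before the hostname can be added.

    Root domain -> A record to the app's inbound IP, plus TXT at asuid.<root>.
    Subdomain   -> CNAME to the default hostname, plus TXT at asuid.<sub>.
    The asuid TXT record proves ownership without routing any traffic yet.
    """
    ipaddress.ip_address(inbound_ip)  # raises ValueError on a malformed IP
    txt = DnsRecord(f"asuid.{custom_host}", "TXT", verification_id)
    if custom_host == root_domain:
        return [DnsRecord(custom_host, "A", inbound_ip), txt]
    if not custom_host.endswith("." + root_domain):
        raise ValueError(f"{custom_host} is not under {root_domain}")
    return [DnsRecord(custom_host, "CNAME", default_hostname), txt]


def check_records(expected: list[DnsRecord], resolve) -> list[str]:
    """Compare each planned record with what DNS currently publishes.

    resolve(name, rtype) returns the set of values found (empty if none).
    Returns human-readable problems; an empty list means the hostname is
    ready to be added and a TLS certificate bound to it.
    """
    problems = []
    for rec in expected:
        # Normalise case and the trailing dot that zone files add to names.
        actual = {v.lower().rstrip(".") for v in resolve(rec.name, rec.rtype)}
        if rec.value.lower().rstrip(".") not in actual:
            found = sorted(actual) if actual else "nothing"
            problems.append(f"{rec.rtype} {rec.name}: expected {rec.value}, got {found}")
    return problems


# Constructed sample zone: www is fully set up; the root domain has its A
# record but is missing the asuid TXT record, so verification would fail.
CONSTRUCTED_ZONE = {
    ("www.contoso.com", "CNAME"): {"contoso-app.azurewebsites.net."},
    ("asuid.www.contoso.com", "TXT"): {"PLACEHOLDERVERIFICATIONID0123"},
    ("contoso.com", "A"): {"203.0.113.10"},
}


def constructed_resolve(name: str, rtype: str) -> set[str]:
    """Offline stand-in for a DNS lookup, reading the constructed zone."""
    return CONSTRUCTED_ZONE.get((name, rtype), set())


def readiness(custom_host: str) -> list[str]:
    """Plan and check one hostname against the constructed zone."""
    plan = plan_records(custom_host, "contoso.com",
                        "contoso-app.azurewebsites.net", "203.0.113.10",
                        "PLACEHOLDERVERIFICATIONID0123")
    return check_records(plan, constructed_resolve)


if __name__ == "__main__":
    for host in ("www.contoso.com", "contoso.com"):
        issues = readiness(host)
        print(host, "ready" if not issues else issues)
```

Running it reports `www.contoso.com` as ready and flags the root domain for its missing `asuid.contoso.com` TXT record, which is exactly the state the "verify without sending traffic" exam scenario describes: the A record can wait, the TXT record cannot.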
**How it Works: Networking**
App Service networking is split into Inbound and Outbound features:
1. **Inbound Traffic** (traffic coming to the app): App Service creates a public endpoint by default. To secure it:
   - **Access Restrictions:** Allow/Deny rules based on IP addresses or Service Tags.
   - **Private Endpoints:** Creates a private network interface (NIC) in your VNet. The app becomes accessible only via a private IP from within that VNet. This disables public internet access to the app.
2. **Outbound Traffic** (traffic leaving the app): Used when your app needs to talk to a database or VM inside a VNet:
   - **VNet Integration:** Connects the App Service to a subnet in a VNet. This enables the app to access resources in that VNet (and peered VNets). It requires a delegated subnet.
   - **Hybrid Connections:** Allows the app to access resources on-premises or in other networks without opening firewall ports, using a relay agent.
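The Access Restrictions feature from the inbound sections above (both the short summary and this one) evaluates its allow/deny list in priority order, first match wins, and once any rule exists an implicit Deny-all catches everything else. The following is an added example, not code from the original article or from Azure, that models that evaluation so you can test a rule set against sample client addresses before applying it, and that flags rules an earlier rule shadows (a Deny placed behind an Allow-all is the classic mistake). The service-tag prefix table and all rule sets are constructed; the platform resolves real service tags itself.

```python
"""Model App Service access-restriction evaluation: lowest priority number
first, first match wins, implicit Deny-all once any rule exists. Added
example, not from the original article or Azure. The service-tag prefix
table is a constructed stand-in for the ranges Azure publishes."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder range for one service tag.
CONSTRUCTED_SERVICE_TAGS = {
    "AzureFrontDoor.Backend": ["192.0.2.0/24"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                      # lower number is evaluated first
    action: str                        # "Allow" or "Deny"
    ip_address: Optional[str] = None   # CIDR, e.g. "198.51.100.0/24"
    service_tag: Optional[str] = None  # e.g. "AzureFrontDoor.Backend"


def _network(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _matches(rule: Rule, client) -> bool:
    """Does this rule cover the client address? (IPv4/IPv6 mismatch is False.)"""
    if rule.ip_address:
        return client in _network(rule.ip_address)
    if rule.service_tag:
        prefixes = CONSTRUCTED_SERVICE_TAGS.get(rule.service_tag, [])
        return any(client in _network(p) for p in prefixes)
    return False


def evaluate(rules: list[Rule], client_ip: str) -> tuple[str, str]:
    """Return (action, name of the rule that decided) for one client address."""
    client = ipaddress.ip_address(client_ip)
    if not rules:
        # No rules at all: the default public endpoint accepts everyone.
        return ("Allow", "no restrictions: public endpoint")
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, client):
            return (rule.action, rule.name)
    return ("Deny", "implicit deny all")


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of IP rules that can never match because an earlier IP rule
    already covers their whole range."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, rule in enumerate(ordered):
        if not rule.ip_address:
            continue
        net = _network(rule.ip_address)
        for earlier in ordered[:i]:
            if earlier.ip_address:
                outer = _network(earlier.ip_address)
                if net.version == outer.version and net.subnet_of(outer):
                    shadowed.append(rule.name)
                    break
    return shadowed


# Constructed sample policy: only the corporate office and Front Door get in.
OFFICE_ONLY = [
    Rule("office", 100, "Allow", ip_address="198.51.100.0/24"),
    Rule("front-door", 200, "Allow", service_tag="AzureFrontDoor.Backend"),
]

# Constructed misconfiguration: the Deny sits behind an Allow-all and never fires.
MISORDERED = [
    Rule("allow-everyone", 100, "Allow", ip_address="0.0.0.0/0"),
    Rule("deny-scanner", 200, "Deny", ip_address="203.0.113.0/24"),
]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.5", "203.0.113.9"):
        print(ip, evaluate(OFFICE_ONLY, ip))
    print("shadowed:", shadowed_rules(MISORDERED))
```

The office address and the Front Door range are allowed by name, anything else is stopped by the implicit Deny-all, and `shadowed_rules` reports `deny-scanner` as unreachable in the misordered set. Note that the implicit deny only exists once at least one rule is defined; an empty list is the unrestricted public endpoint.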
**Exam Tips: Answering Questions on App Service Custom DNS and Networking**
When facing AZ-104 scenario questions, look for these keywords to select the right answer:
1. **Domain Ownership Verification:** If a question asks how to verify a domain without sending traffic to the app (zero downtime), the answer is almost always to create a TXT record with the value generated by Azure (often starting with `asuid`).
2. **Root vs. Subdomain:** If mapping a root domain (e.g., `contoso.com`), you generally need an A Record. If mapping a subdomain (e.g., `app.contoso.com`), use a CNAME.
3. **App Service Plan Tiers:** Remember that Custom Domains require at least the Basic tier. VNet Integration and Private Endpoints usually require Standard or Premium tiers. Free/Shared tiers do not support these features.
4. **Accessing Private Resources:** If the scenario asks for the App Service to access an Azure SQL Database locked inside a VNet, select VNet Integration.
5. **Private Ingress:** If the scenario requires complete isolation from the public internet so only internal staff can access the app, choose Private Endpoints.
6. **Legacy/On-Prem Access:** If the question mentions accessing an on-premises SQL server over port 1433 without a VPN, look for Hybrid Connections.