How can we improve Azure Networking?

Add Custom Apex (Naked) Domains as front end hosts for Azure Front Door Service

Azure Front Door Service is currently missing the ability to onboard Apex (Naked) Domains e.g.

It runs on Anycast IP addresses that seem globally consistent for the Frontend host (something.azurefd,net)

So why not allow me to onboard an Apex domain to the service by creating DNS A and / or AAAA records at the custom zone apex that point to the allocated Anycast IPs? (CNAMEs are not supported at the Zone Apex)

If the answer is that the Anycast IPs aren't allocated in perpetuity please fix that first then add this feature!

192 votes
Sign in
Sign in with: Microsoft
Signed in as (Sign out)
You have left! (?) (thinking…)
Matthew Clements shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Sign in with: Microsoft
Signed in as (Sign out)
  • Serge commented  ·   ·  Flag as inappropriate

    The Feature is there, but there are now sever problems with the front door managed certificate rollout process. It does not work with Apex domains at all, and has lots of problems with all other Domains.

  • Videsh commented  ·   ·  Flag as inappropriate

    +1. Apex domains need to be implemented to have a complete solution.

  • Ola Johansson commented  ·   ·  Flag as inappropriate

    I need this as well! Will hold of until it's supported, do not want to do a major URL refactoring. www is also ugly ;)

  • Mark McLaughlin commented  ·   ·  Flag as inappropriate

    I'm surprised that this functionality was not prioritized. It sounds like my choices are a) redirect apex domain requests to a subdomain or b) not use the Azure Front Door service.

  • sandor commented  ·   ·  Flag as inappropriate

    This is badly needed. It annoys me to have to setup an azure web app or use cloudflare for that.
    I'm currently using Azure Dns, so I'm perfectly happy with that.

  • James Brantly commented  ·   ·  Flag as inappropriate

    It's possible to add a naked domain to Front Door by using the resolved anycast IP (I've got one running right now). However, when I posed this question to support they indicated that the IPs are NOT static and could change, so there's definitely a risk.

    Support for this is apparently coming soon but my understanding is that it will require the use of Azure DNS. I'm guessing they'll just automatically reconfigure your DNS if the IP does change.

  • Chad Kittel commented  ·   ·  Flag as inappropriate

    Following this one. Even if the DNS validation check would be able to be overridden/skipped, then for thosr that want to, we could use services that support ALIAS for apex domains.

Feedback and Knowledge Base