Azure Front Door needs to do name checking on custom Azure web app SSL certificates
If you have an Azure web app with a custom domain certificate that has been working fine for a long time, then you move that web app behind an Azure Front Door front end, the SSL certificate presently bound to the web app breaks Front Door. Front Door "add a front end" should check that the name used by the HTTPS probe to determine back end health matches the name on the custom domain certificate at that moment.
We also encountered the same issue. Basically, health checks on Azure Frontdoor don't support SNI. In a scenario where the backend hosts multiple virtual hosts, the default SSL certificate is returned to the Frontdoor health check. Frontdoor doesn't trust the default certificate and the health probe is marked as failed. No communication is forwarded to this host.
My idea is to use "Backend host name" field for health checks. This will solve the issue.
To circumvent this issue we have to create a default FQDN for our server with a valid certificate, to be able to use Frontdoor.
I see it as a big drawback of the Frontdoor service, complicating migration of multi-host web servers behind Frontdoor.
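A check a backend operator can run before putting a multi-host server behind Front Door, reproducing the no-SNI handshake the comment above describes and testing whether the certificate the server presents by default covers the name the probe will use. This is an added example, not code from the thread or from Microsoft; it assumes bash and OpenSSL 1.1.1 or later (for `-noservername` and `-ext`), and the host names in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example: see what a no-SNI TLS client (like the Front Door health probe)
# gets from a backend, and whether that certificate covers the probe host name.

# Print the DNS subject alt names the server presents, one per line.
# $1 = host:port, $2 = SNI name, or "" to send no SNI at all (probe behaviour).
presented_sans() {
  local target="$1" sni="${2:-}"
  local args=(-connect "$target")
  if [ -n "$sni" ]; then args+=(-servername "$sni"); else args+=(-noservername); fi
  openssl s_client "${args[@]}" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Does one SAN entry (possibly a wildcard such as *.contoso.example) cover the name?
# A wildcard covers exactly one left-most label, as browsers and Front Door expect.
san_covers() {
  local san="$1" name="$2"
  case "$san" in
    \*.*) [ "${name#*.}" = "${san#\*.}" ] && [ "${name%%.*}" != "$name" ] ;;
    *)    [ "$san" = "$name" ] ;;
  esac
}

# Does any SAN in the newline-separated list cover the name? Returns 0 if so.
sans_cover() {
  local name="$1" sans="$2" san
  while IFS= read -r san; do
    [ -n "$san" ] && san_covers "$san" "$name" && return 0
  done <<< "$sans"
  return 1
}

# Usage: ./probe-check.sh backend.contoso.example:443 [probe-host-name]
# With no probe host name given, the connect host is used, as the probe would.
if [ -n "${1:-}" ]; then
  probe_name="${2:-${1%%:*}}"
  sans="$(presented_sans "$1" "")"   # no SNI: exactly what the probe receives
  if sans_cover "$probe_name" "$sans"; then
    echo "OK: default certificate covers $probe_name"
  else
    echo "FAIL: default certificate does not cover $probe_name; it presents:"
    echo "$sans"
  fi
fi
```

Run it once with the second argument set to the name you intend to put in Front Door's "Backend host name" field, since that is the name the probe will validate against.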