[ACA] [323626] Add CLI instructions for custom domain certificates.

v-jaswel · v-jaswel · commit 8d1f690f3c2f · 2024-12-18T08:02:43.000-08:00
diff --git a/articles/container-apps/custom-domains-certificates.md b/articles/container-apps/custom-domains-certificates.md
@@ -6,8 +6,9 @@ author: craigshoemaker
 ms.service: azure-container-apps
 ms.custom: build-2023, ignite-2024
 ms.topic: how-to
-ms.date: 05/28/2024
+ms.date: 12/18/2024
 ms.author: cshoe
+zone_pivot_groups: azure-cli-or-portal
 ---
 
 # Custom domain names and bring your own certificates in Azure Container Apps
@@ -24,6 +25,8 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
 
 ## Add a custom domain and certificate
 
+::: zone pivot="azure-portal"
+
 > [!IMPORTANT]
 > If you are using a new certificate, you must have an existing [SNI domain certificate](https://wikipedia.org/wiki/Server_Name_Indication) file available to upload to Azure.
 
@@ -113,6 +116,164 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
 > [!NOTE]
 > For container apps in internal Container Apps environments, [additional configuration](./networking.md#dns) is required to use custom domains with VNET-scope ingress.
 
+::: zone-end
+
+::: zone pivot="azure-cli"
+
+Container Apps supports apex domains and subdomains. Each domain type requires a different DNS record type and validation method.
+
+| Domain type | Record type | Validation method | Notes |
+|--|--|--|--|
+| Apex domain | A record | HTTP | An apex domain is a domain at the root level of your domain. For example, if your DNS zone is `contoso.com`, then `contoso.com` is the apex domain. |
+| Subdomain | CNAME | CNAME | A subdomain is a domain that is part of another domain. For example, if your DNS zone is `contoso.com`, then `www.contoso.com` is an example of a subdomain that can be configured in the zone. |
+
+1. Log in to Azure with the Azure CLI. 
+
+    ```azurecli
+    az login
+    ```
+
+1. Next, install the Azure Container Apps extension for the CLI.
+
+    ```azurecli
+    az extension add --name containerapp --upgrade
+    ```
+
+1. Set the following environment variables. Replace the `<PLACEHOLDERS>` with your values.
+
+    ```azurecli
+    RESOURCE_GROUP = "<RESOURCE_GROUP>"
+    CONTAINER_APP = "<CONTAINER_APP>"
+    ENVIRONMENT = "<ENVIRONMENT>"
+    TARGET_PORT = "<TARGET_PORT>"
+    DOMAIN_NAME = "<DOMAIN_NAME>"
+    CERTIFICATE_LOWERCASE_NAME = "<CERTIFICATE_LOWERCASE_NAME>"
+    CERTIFICATE_LOCAL_PATH = "<CERTIFICATE_LOCAL_PATH>"
+    CERTIFICATE_PASSWORD = "<CERTIFICATE_PASSWORD>"
+    ```
+
+    - Replace `<CERTIFICATE_LOCAL_PATH>` with the local path of your certificate file.
+    - Replace `<CERTIFICATE_LOWERCASE_NAME>` with a lowercase certificate name that is unique within the environment.
+    - Replace `<TARGET_PORT>` with the port that your container app is listening on.
+
+1. Verify that your container app has HTTP ingress enabled.
+
+    ```azurecli
+    az containerapp ingress show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP
+    ```
+
+    If ingress isn't enabled, enable it with these steps:
+
+    ```azurecli
+    az containerapp ingress enable \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        --type external \
+        --target-port $TARGET_PORT \
+        --transport auto
+    ```
+
+1. If you're configuring an apex domain, get the IP address of your Container Apps environment.
+
+    ```azurecli
+    az containerapp env show \
+        -n $ENVIRONMENT \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.staticIp"
+    ```
+
+1. If you're configuring a subdomain, get the automatically generated domain of your container app.
+
+    ```azurecli
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.configuration.ingress.fqdn"
+    ```
+
+1. Get the domain verification code.
+
+    ```azurecli
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.customDomainVerificationId"
+    ```
+
+1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
+
+    # [General](#tab/general)
+    
+    - If you selected *A record*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The IP address of your Container Apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+    
+    # [Private endpoint](#tab/private-endpoint)
+
+    When using a private endpoint for your incoming traffic, you need to [create a private DNS zone](how-to-use-private-endpoint.md#configure-the-private-dns-zone).    
+
+    - If you selected *A record*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The Private IP of your private endpoint on your container apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+
+    ---
+
+1. Upload the certificate to your environment.
+
+    ```azurecli
+    az containerapp env certificate upload \
+        -g $RESOURCE_GROUP \
+        --name $ENVIRONMENT \
+        --certificate-file $CERTIFICATE_LOCAL_PATH \
+        --password $CERTIFICATE_PASSWORD \
+        --certificate-name $CERTIFICATE_LOWERCASE_NAME
+    ```
+
+1. Bind the certificate and domain to your container app.
+
+    ```azurecli
+    az containerapp hostname bind \
+        --hostname $DOMAIN_NAME \
+        -g $RESOURCE_GROUP \
+        -n $CONTAINER_APP \
+        --environment $ENVIRONMENT \
+        --certificate $CERTIFICATE_LOWERCASE_NAME \
+        --validation-method <VALIDATION_METHOD>
+
+    - If you're configuring an *A record*, replace `<VALIDATION_METHOD>` with `HTTP`.
+    - If you're configuring a *CNAME*, replace `<VALIDATION_METHOD>` with `CNAME`.
+
+    It might take several minutes to issue the certificate and add the domain to your container app.
+
+1. Once the operation is complete, navigate to your domain to verify that it's accessible.
+
+::: zone-end
+
 ## Managing certificates
 
 You can manage certificates via the Container Apps environment or through an individual container app.
diff --git a/articles/container-apps/custom-domains-managed-certificates.md b/articles/container-apps/custom-domains-managed-certificates.md
@@ -6,7 +6,7 @@ author: craigshoemaker
 ms.service: azure-container-apps
 ms.custom: build-2023, devx-track-azurecli, ignite-2024
 ms.topic: how-to
-ms.date: 09/19/2024
+ms.date: 12/18/2024
 ms.author: cshoe
 zone_pivot_groups: azure-cli-or-portal
 ---
@@ -110,45 +110,72 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
     az extension add --name containerapp --upgrade
     ```
 
+1. Set the following environment variables. Replace the `<PLACEHOLDERS>` with your values.
+
+    ```azurecli
+    RESOURCE_GROUP = "<RESOURCE_GROUP>"
+    CONTAINER_APP = "<CONTAINER_APP>"
+    ENVIRONMENT = "<ENVIRONMENT>"
+    TARGET_PORT = "<TARGET_PORT>"
+    DOMAIN_NAME = "<DOMAIN_NAME>"
+    CERTIFICATE_LOWERCASE_NAME = "<CERTIFICATE_LOWERCASE_NAME>"
+    CERTIFICATE_LOCAL_PATH = "<CERTIFICATE_LOCAL_PATH>"
+    CERTIFICATE_PASSWORD = "<CERTIFICATE_PASSWORD>"
+    ```
+
+    - Replace `<CERTIFICATE_LOCAL_PATH>` with the local path of your certificate file.
+    - Replace `<CERTIFICATE_LOWERCASE_NAME>` with a lowercase certificate name that is unique within the environment.
+    - Replace `<TARGET_PORT>` with the port that your container app is listening on.
+
 1. Verify that your container app has HTTP ingress enabled.
 
     ```azurecli
-    az containerapp ingress show -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME>
+    az containerapp ingress show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP
     ```
 
     If ingress isn't enabled, enable it with these steps:
 
     ```azurecli
-    az containerapp ingress enable -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME> \
-            --type external --target-port <TARGET_PORT> --transport auto
+    az containerapp ingress enable \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        --type external \
+        --target-port $TARGET_PORT \
+        --transport auto
     ```
 
-    Replace `<CONTAINER_APP_NAME>` with the name of your container app, `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app, and `<TARGET_PORT>` with the port that your container app is listening on.
-
 1. If you're configuring an apex domain, get the IP address of your Container Apps environment.
 
     ```azurecli
-    az containerapp env show -n <ENVIRONMENT_NAME> -g <RESOURCE_GROUP_NAME> -o tsv --query "properties.staticIp"
+    az containerapp env show \
+        -n $ENVIRONMENT \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.staticIp"
     ```
 
-    Replace `<ENVIRONMENT_NAME>` with the name of your environment, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your environment.
-
 1. If you're configuring a subdomain, get the automatically generated domain of your container app.
 
     ```azurecli
-    az containerapp show -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME> -o tsv --query "properties.configuration.ingress.fqdn"
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.configuration.ingress.fqdn"
     ```
 
-    Replace `<CONTAINER_APP_NAME>` with the name of your container app, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app.
-
 1. Get the domain verification code.
 
     ```azurecli
-    az containerapp show -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME> -o tsv --query "properties.customDomainVerificationId"
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.customDomainVerificationId"
     ```
 
-    Replace `<CONTAINER_APP_NAME>` with the name of your container app, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app.
-
 1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
 
     # [General](#tab/general)
@@ -190,19 +217,23 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
 1. Add the domain to your container app.
 
     ```azurecli
-    az containerapp hostname add --hostname <DOMAIN_NAME> -g <RESOURCE_GROUP_NAME> -n <CONTAINER_APP_NAME>
+    az containerapp hostname add \
+        --hostname $DOMAIN_NAME \
+        -g $RESOURCE_GROUP \
+        -n $CONTAINER_APP_NAME
     ```
 
-    Replace `<DOMAIN_NAME>` with the domain name you want to add, `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app, and `<CONTAINER_APP_NAME>` with the name of your container app.
-
 1. Configure the managed certificate and bind the domain to your container app.
 
     ```azurecli
-    az containerapp hostname bind --hostname <DOMAIN_NAME> -g <RESOURCE_GROUP_NAME> -n <CONTAINER_APP_NAME> --environment <ENVIRONMENT_NAME> --validation-method <VALIDATION_METHOD>
+    az containerapp hostname bind \
+        --hostname $DOMAIN_NAME \
+        -g $RESOURCE_GROUP_NAME \
+        -n $CONTAINER_APP_NAME \
+        --environment $ENVIRONMENT_NAME \
+        --validation-method <VALIDATION_METHOD>
     ```
 
-    Replace `<DOMAIN_NAME>` with the domain name you want to add, `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app, `<CONTAINER_APP_NAME>` with the name of your container app, and `<ENVIRONMENT_NAME>` with the name of your environment.
-
     - If you're configuring an *A record*, replace `<VALIDATION_METHOD>` with `HTTP`.
     - If you're configuring a *CNAME*, replace `<VALIDATION_METHOD>` with `CNAME`.
 
