Commit aa30846

priv endpt details
1 parent 7e9d8c3 commit aa30846

1 file changed

+3
-2
lines changed

articles/app-service/environment/how-to-custom-domain-suffix.md

Lines changed: 3 additions & 2 deletions
@@ -61,7 +61,7 @@ If you choose to use Azure role-based access control to manage access to your ke
6161

6262
### Certificate
6363

64-
The certificate for custom domain suffix must be stored in an Azure Key Vault. The certificate must be uploaded in .PFX format and be smaller than 20 kb. Certificates in .PEM format aren't supported at this time. App Service Environment uses the managed identity you selected to get the certificate. The key vault can be accessed publicly or through a [private endpoint](../../private-link/private-endpoint-overview.md) accessible from the subnet that the App Service Environment is deployed to. In the case of public access, you can secure your key vault to only accept traffic from the outbound IP addresses of the App Service Environment.
64+
The certificate for custom domain suffix must be stored in an Azure Key Vault. The certificate must be uploaded in .PFX format and be smaller than 20 kb. Certificates in .PEM format aren't supported at this time. App Service Environment uses the managed identity you selected to get the certificate. The key vault can be accessed publicly or through a [private endpoint](../../private-link/private-endpoint-overview.md) accessible from the subnet that the App Service Environment is deployed to. To learn how to configure a private endpoint, see [Integrate Key Vault with Azure Private Link](../../key-vault/general/private-link-service.md). In the case of public access, you can secure your key vault to only accept traffic from the outbound IP addresses of the App Service Environment.
6565

6666
:::image type="content" source="./media/custom-domain-suffix/key-vault-networking.png" alt-text="Screenshot of a sample networking page for key vault to allow custom domain suffix feature.":::
6767
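
Review bot: The sentence added on new line 64 links to the Private Link setup article but says nothing about the certificate URL, so a reader who stops at this Certificate section will not learn that a private endpoint also requires the privatelink URL form that new line 81 and the Resource Manager section introduce. Add a short pointer here, for example "If you use a private endpoint, you must also use the private link certificate URL described in the steps below", so the network requirement and the URL requirement are stated together.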

@@ -78,6 +78,7 @@ If you rotate your certificate in Azure Key Vault, the App Service Environment p
7878
1. Select the managed identity you define for your App Service Environment. You can use either a system assigned or user assigned managed identity. You're able to configure your managed identity if you haven't done so already. You can configure the managed identity directly from the custom domain suffix page using the "Add identity" option in the managed identity selection box.
7979
:::image type="content" source="./media/custom-domain-suffix/managed-identity-selection.png" alt-text="Screenshot of a configuration pane to select and update the managed identity for the App Service Environment.":::
8080
1. Select the certificate for the custom domain suffix.
81+
1. If you use a private endpoint to access the key vault, you can't use the default key vault certificate URL the portal interface provides. You must manually enter and use the private link URL, which is in the format *https://<key-vault-name>.privatelink.vaultcore.azure.net/secrets/<certificate-name>*.
8182
1. Select "Save" at the top of the page. To see the latest configuration updates, refresh the page.
8283
:::image type="content" source="./media/custom-domain-suffix/custom-domain-suffix-portal-experience.png" alt-text="Screenshot of an overview of the custom domain suffix portal experience.":::
8384
1. It takes a few minutes for the custom domain suffix configuration to be set. Check the status by selecting "Refresh" at the top of the page. The banner updates with the latest progress. Once complete, the banner will state that the custom domain suffix is configured.
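
Review bot: In the new step on line 81, the placeholders `<key-vault-name>` and `<certificate-name>` sit unescaped inside an italic span, where a Markdown renderer can parse them as HTML tags and drop them, leaving a URL with gaps. Put the whole URL in inline code instead of italics. The step also follows "Select the certificate for the custom domain suffix", so a reader has already picked the default URL by the time they read it; consider folding the private endpoint condition into that selection step.
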
@@ -89,7 +90,7 @@ If you rotate your certificate in Azure Key Vault, the App Service Environment p
8990

9091
## Use Azure Resource Manager to configure custom domain suffix
9192

92-
To configure a custom domain suffix for your App Service Environment using an Azure Resource Manager template, you need to include the below properties. Ensure that you meet the [prerequisites](#prerequisites) and that your managed identity and certificate are accessible and have the appropriate permissions for the Azure Key Vault.
93+
To configure a custom domain suffix for your App Service Environment using an Azure Resource Manager template, you need to include the below properties. Ensure that you meet the [prerequisites](#prerequisites) and that your managed identity and certificate are accessible and have the appropriate permissions for the Azure Key Vault. If you use a private endpoint to access the key vault, you can't use the default key vault certificate URL. You must use the private link URL, which is in the format *https://<key-vault-name>.privatelink.vaultcore.azure.net/secrets/<certificate-name>*.
9394

9495
You need to configure the managed identity and ensure it exists before assigning it in your template. For more information on managed identities, see the [managed identity overview](../../active-directory/managed-identities-azure-resources/overview.md).
9596
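
Review bot: The sentences appended on new line 93 tell the reader to use the private link URL but do not name the template property that takes it; the paragraph only says "include the below properties". Name the property here, or repeat the requirement next to that property in the template sample. The path is `/secrets/<certificate-name>` although the value is a certificate, so say explicitly that the secret URL is the intended one, and format the URL as inline code so the angle-bracket placeholders are not parsed as HTML.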
