|
| 1 | +--- |
| 2 | +title: Configure a custom domain for Azure Web PubSub Service |
| 3 | +titleSuffix: Azure Web PubSub Service |
| 4 | +description: How to configure a custom domain for Azure Web PubSub Service |
| 5 | +author: ArchangelSDY |
| 6 | +ms.service: azure-web-pubsub |
| 7 | +ms.topic: article |
| 8 | +ms.date: 07/07/2022 |
| 9 | +ms.author: dayshen |
| 10 | +--- |
| 11 | + |
| 12 | +# Configure a custom domain for Azure Web PubSub Service |
| 13 | + |
| 14 | +In addition to the default domain provided Azure Web PubSub Service, you can also add custom domains. |
| 15 | + |
| 16 | +## Prerequisites |
| 17 | + |
| 18 | +* Resource must be Premium tier |
| 19 | +* A custom certificate matching custom domain is stored in Azure Key Vault |
| 20 | + |
| 21 | +## Add a custom certificate |
| 22 | + |
| 23 | +Before you can add a custom domain, you need add a matching custom certificate first. A custom certificate is a sub resource of your Azure Web PubSub Service. It references a certificate in your Azure Key Vault. For security and compliance reasons, Azure Web PubSub Service doesn't permanently store your certificate. Instead it fetches it from your Key Vault on the fly and keeps it in memory. |
| 24 | + |
| 25 | +### Step 1: Grant your Azure Web PubSub Service resource access to Key Vault |
| 26 | + |
| 27 | +Azure Web PubSub Service uses Managed Identity to access your Key Vault. In order to authorize, it needs to be granted permissions. |
| 28 | + |
| 29 | +1. In the Azure portal, go to your Azure Web PubSub Service resource. |
| 30 | +1. In the menu pane, select **Identity**. |
| 31 | +1. Turn on either **System assigned** or **User assigned** identity. Click **Save**. |
| 32 | + |
| 33 | + :::image type="content" alt-text="Screenshot of enabling managed identity." source="media\howto-custom-domain\portal-identity.png" ::: |
| 34 | + |
| 35 | +1. Go to your Key Vault resource. |
| 36 | +1. In the menu pane, select **Access configuration**. Click **Go to access policies**. |
| 37 | +1. Click **Create**. Select **Secret Get** permission and **Certificate Get** permission. Click **Next**. |
| 38 | + |
| 39 | + :::image type="content" alt-text="Screenshot of permissions selection in Key Vault." source="media\howto-custom-domain\portal-key-vault-permissions.png" ::: |
| 40 | + |
| 41 | +1. Search for the Azure Web PubSub Service resource name or the user assigned identity name. Click **Next**. |
| 42 | + |
| 43 | + :::image type="content" alt-text="Screenshot of principal selection in Key Vault." source="media\howto-custom-domain\portal-key-vault-principal.png" ::: |
| 44 | + |
| 45 | +1. Skip **Application (optional)**. Click **Next**. |
| 46 | +1. In **Review + create**, click **Create**. |
| 47 | + |
| 48 | +### Step 2: Create a custom certificate |
| 49 | + |
| 50 | +1. In the Azure portal, go to your Azure Web PubSub Service resource. |
| 51 | +1. In the menu pane, select **Custom domain**. |
| 52 | +1. Under **Custom certificate**, click **Add**. |
| 53 | + |
| 54 | + :::image type="content" alt-text="Screenshot of custom certificate management." source="media\howto-custom-domain\portal-custom-certificate-management.png" ::: |
| 55 | + |
| 56 | +1. Fill in a name for the custom certificate. |
| 57 | +1. Click **Select from your Key Vault** to choose a Key Vault certificate. After selection the following **Key Vault Base URI**, **Key Vault Secret Name** should be automatically filled. Alternatively you can also fill in these fields manually. |
| 58 | +1. Optionally, you can specify a **Key Vault Secret Version** if you want to pin the certificate to a specific version. |
| 59 | +1. Click **Add**. |
| 60 | + |
| 61 | + :::image type="content" alt-text="Screenshot of adding a custom certificate." source="media\howto-custom-domain\portal-custom-certificate-add.png" ::: |
| 62 | + |
| 63 | +Azure Web PubSub Service will then fetch the certificate and validate its content. If everything is good, the **Provisioning State** will be **Succeeded**. |
| 64 | + |
| 65 | + :::image type="content" alt-text="Screenshot of an added custom certificate." source="media\howto-custom-domain\portal-custom-certificate-added.png" ::: |
| 66 | + |
| 67 | +## Create a custom domain CNAME |
| 68 | + |
| 69 | +To validate the ownership of your custom domain, you need to create a CNAME record for the custom domain and point it to the default domain of Azure Web PubSub Service. |
| 70 | + |
| 71 | +For example, if your default domain is `contoso.webpubsub.azure.com`, and your custom domain is `contoso.example.com`, you need to create a CNAME record on `example.com` like: |
| 72 | + |
| 73 | +``` |
| 74 | +contoso.example.com. 0 IN CNAME contoso.webpubsub.azure.com. |
| 75 | +``` |
| 76 | + |
| 77 | +If you're using Azure DNS Zone, see [manage DNS records](../dns/dns-operations-recordsets-portal.md) for how to add a CNAME record. |
| 78 | + |
| 79 | + :::image type="content" alt-text="Screenshot of adding a CNAME record in Azure DNS Zone." source="media\howto-custom-domain\portal-dns-cname.png" ::: |
| 80 | + |
| 81 | +If you're using other DNS providers, follow provider's guide to create a CNAME record. |
| 82 | + |
| 83 | +## Add a custom domain |
| 84 | + |
| 85 | +A custom domain is another sub resource of your Azure Web PubSub Service. It contains all configurations for a custom domain. |
| 86 | + |
| 87 | +1. In the Azure portal, go to your Azure Web PubSub Service resource. |
| 88 | +1. In the menu pane, select **Custom domain**. |
| 89 | +1. Under **Custom domain**, click **Add**. |
| 90 | + |
| 91 | + :::image type="content" alt-text="Screenshot of custom domain management." source="media\howto-custom-domain\portal-custom-domain-management.png" ::: |
| 92 | + |
| 93 | +1. Fill in a name for the custom domain. It's the sub resource name. |
| 94 | +1. Fill in the domain name. It's the full domain name of your custom domain, for example, `contoso.com`. |
| 95 | +1. Select a custom certificate that applies to this custom domain. |
| 96 | +1. Click **Add**. |
| 97 | + |
| 98 | + :::image type="content" alt-text="Screenshot of adding a custom domain." source="media\howto-custom-domain\portal-custom-domain-add.png" ::: |
| 99 | + |
| 100 | +## Verify a custom domain |
| 101 | + |
| 102 | +You can now access your Azure Web PubSub Service endpoint via the custom domain. To verify it, you can access the health API. |
| 103 | + |
| 104 | +Here's an example using cURL: |
| 105 | + |
| 106 | +#### [PowerShell](#tab/azure-powershell) |
| 107 | + |
| 108 | +```powershell |
| 109 | +PS C:\> curl.exe -v https://contoso.example.com/api/health |
| 110 | +... |
| 111 | +> GET /api/health HTTP/1.1 |
| 112 | +> Host: contoso.example.com |
| 113 | +
|
| 114 | +< HTTP/1.1 200 OK |
| 115 | +... |
| 116 | +PS C:\> |
| 117 | +``` |
| 118 | + |
| 119 | +#### [Bash](#tab/azure-bash) |
| 120 | + |
| 121 | +```bash |
| 122 | +$ curl -vvv https://contoso.example.com/api/health |
| 123 | +... |
| 124 | +* SSL certificate verify ok. |
| 125 | +... |
| 126 | +> GET /api/health HTTP/2 |
| 127 | +> Host: contoso.example.com |
| 128 | +... |
| 129 | +< HTTP/2 200 |
| 130 | +... |
| 131 | +``` |
| 132 | + |
| 133 | +----- |
| 134 | + |
| 135 | +It should return `200` status code without any certificate error. |
| 136 | + |
| 137 | +## Next steps |
| 138 | + |
| 139 | ++ [How to enable managed identity for Azure Web PubSub Service](howto-use-managed-identity.md) |
| 140 | ++ [Get started with Key Vault certificates](../key-vault/certificates/certificate-scenarios.md) |
| 141 | ++ [What is Azure DNS](../dns/dns-overview.md) |
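Review bot: The domain example at line 94 (`contoso.com`) does not match the rest of the article, which validates ownership with a CNAME on `contoso.example.com` (lines 71 to 74) and verifies against `https://contoso.example.com/api/health` (lines 109 and 122). Use `contoso.example.com` at line 94 so that a reader who copies the examples ends up with the domain that carries the CNAME record and that the certificate has to match. At line 74 the record's TTL is written as `0`; a realistic value such as `3600` is safer to copy. Line 58 offers pinning a **Key Vault Secret Version**, but the article never says what happens when the certificate is renewed in Key Vault, pinned or unpinned; since line 23 states that the service fetches the certificate on the fly and keeps it in memory, a sentence on how a new version is picked up belongs there. Line 37 grants both **Secret Get** and **Certificate Get** without saying why each is needed, which a reader reviewing the access policy for least privilege will want to know. The PowerShell sample (lines 109 to 116) shows no certificate verification line while the Bash sample does (line 124), although line 135 promises a result "without any certificate error"; show the equivalent line in both tabs. Wording: line 14 is missing "by" ("provided by Azure Web PubSub Service") and line 23 is missing "to" ("you need to add").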