Saturday, 19 November 2022

Previously

In the previous article I talked about how a custom domain was configured in the App Service.

Map a custom domain to your App Service

Intro & Goal

These days, a website needs to be secured using a digital security certificate. Why would we do that? Well, in short, this means the traffic from and to your website is secured and no one can intercept this communication. An example of communication you don't want anyone to intercept is your username and password if for example they are sniffing the network or doing other malicious stuff.

There are also other advantages of course, like better SEO results if you have a certificate and certainly not the least, giving the user a sense of security.

Adding a TLS certificate
Scale up the App Service Plan
Create the certificate
Add binding
Conclusion

Adding a TLS certificate

So, how does this work in Azure? Well I have already created my website and mapped a custom domain to it in the previous article. By default, the azurewebsites.net domain is secured. But beacuase I wanted a custom domain name, I have to handle this myself.

There are different ways to add a secure certificate.

App Service Documentation

Check Secure connections by adding and managing TLS/SSL certificates in Azure App Service for all the details
I chose to go for the option Create a free App Service managed certificate beacuase I just need to secure the custom domain. One of the advantages of this option is that it's fully managed by the App Service. Of course it has several disadvantages as well, but they don't apply in my simple case.

Ok, let's do this. Crap, there's a very important caveat blocking me from adding the certificate. TLS/SSL settings and certificates are not supported in the D1 Shared Infrastructure App Service Plan, which is the one I have right now. So I have a bit of a problem here. In order to be able to configure the TLS/SSL settings, I need to scale the App Service Plan up to at least the next tier, which is B1 Basic. And here comes the big but. When I do that, the cost will go up from 8€/month to approximately 46€/month. That is a big increase of course, especially for the very simple website I'm running here. And the goal is to keep the cost as low as possible.

For now, I will just go along with it and see if there's another solution later. I need the secured connection.

Scale up the App Service Plan

Changing the tier of the App Service is fairly straight forward.

  1. In the Azure Portal, navigate to your App Service you wish to scale. Since actually it's the App Service Plan we're scaling and not the App Service itself, you can also choose to navigate to the App Service Plan directly.
  2. In the left menu Settings section of either the App Service or App Service Plan you selected, navigate to Scale up (App Service Plan).
  3. In my case, the App Service Plan is set to D1 Shared Infrastructure. When selecting the next tier in the list, B1 Basic, you immediately see the main infrastructure differences between the two.

  4. Click Apply to effectively make the changes.
  5. And voila, the Azure Notifications notifies you that the App Service Plan was updated. This happens rather fast. Imagine having to upgrade a fixed machine in some data center somewhere. I've done it in the past, and believe me, this is waaaaaay easier.

Create the certificate

Ok, now that I fully meet the demands of the prerequisites, I can start creating the certificate.

  1. In the Azure Portal, navigate to the App Service you wish to secure with a certificate.
  2. In the left menu Settings section, navigate to the Certificates (Preview). At the time of writing this article, this was in preview mode. The Azure Documentation refers to the TLS/SSL Settings.
  3. You get an overview of the different certificate options and the navigation menu is focussed on the Managed Certificates. This is the one I'll be using.
  4. Click Add certificate.
  5. Select the Custom Domain to which you wish to add a certificate. In my case this is 'www.random-awesome-memory.be'.
  6. Choose a Certificate Friendly Name and click Create to finish up.

The certificate is created and added to the list below. Since I have only one, this is the only one listed.

We're not out of the woods yet. The certificate is created at the level of the App Service but it's just sitting there, doing nothing.

Add binding

The next step is to add TLS/SSL binding for the certificate.

  1. In the left menu Settings section, navigate to TLS/SSL settings. You'll see that there aren't any bindings present yet.
  2. Click Add TLS/SSL Binding.
  3. Select the Custom Domain you wish to secure with a certificate. In my case that's 'www.random-awesome-memory.be'.
  4. Select the certificate you wish to use. This is the one we just created in the previous step.
  5. And finally, for the TLS/SSL Type, select SNI SSL.
  6. Click Create to finish up. The binding shows up in the list below.

When you navigate to Custom Domains (preview) (yes also in preview at the time of writing), you will see the list Custom Domains for this App Service. The previously added Custom Domain, for me that's 'www.random-awesome-memory.be', now shows a green check and a Secured status, which is great.

Conclusion

Adding a certificate to secure your website is very easy and can be done with a free certificate. The only issue I have here is that I had to select a different pricing tier for my App Service Plan, which boosted the price in the sky. For most companies, this shouldn't be such an issue, 46€/month probably won't make the difference if they have paying services to cover the cost. But for me that's not the case. So I try to keep the cost as low as possible to achieve my goal.

Documentation Reference

Next

In the next article I'm going to discuss how I managed to cut the high cost by ching the App Service Plan to a Linux machine and switching to Docker.

Migrating to docker