How to use Root Domains with Azure Front Door

Azure Front Door is a great global load balancing service for web applications. What I like about it is that you can easily integrate CDN and WAF features within the service if these are required now or in future. Even if you are hosting in a single region currently, you may decide that you want to scale out or add DR sites in other regions at a later date. Therefore in most cases, I tend to recommend Azure Front Door over Azure Application Gateway for modern web applications. There is one issue however that keeps coming up with this service.

As Azure Front Door is a global service it is front ended by a FQDN and not by a single public IP address. This is similar to the Traffic Manager service. This means that in order to use the service that you will need to create a CNAME record on your public DNS provider to direct your traffic to (prefix) for Azure Front Door.

The Problem

This is not an issue for subdomains like but this presents a problem for root (or apex) domains as DNS standards don’t allow mapping root domains using CNAME records. Therefore If I want my root domain of to resolve to my web application I have an issue as I can’t simply create a CNAME record for this root domain.

There are a few solutions to this. If your DNS provider supports CNAME flattening or DNS chasing mechanisms then this can be achieved for the CNAME record through recursive DNS resolutions, usually this is achieved by using DNS alias records. Azure DNS supports this exact scenario in fact so if moving your public DNS zone to Azure is an option then this is probably the simplest solution.

In many cases however, the existing DNS provider will not support this and your organisation or customer may not be willing to change their DNS provider for any one of a number of reasons so this post will explore another option.

Existing Setup

Firstly, let’s run through an example of a current hosting setup with Azure Front Door. I am hosting my application on an Azure App Service and I have the custom domain added and an SSL certificated installed and bound.

In my Azure Front Door configuration I have the same custom domain added and managed by an Azure Front Door SSL certificate. My configuration routes the frontend through to my app service and I also have a HTTP to HTTPS redirection rule in there as best practice.

In my DNS provider (I recommend for testing purposes, it’s very basic but free), I have a CNAME record mapping to my Azure Front Door frontend which is

Then a quick test in my favourite web browser and we can see everything is working for the www subdomain, all nice and secured with SSL.

This is fine but nowadays how many websites only use the www prefix? When was the last time you went to use Google and typed instead of just simply This brings us back to our dilemma of mapping the root/apex domain.

Azure Front Door does support root domains, so as mentioned if you can get around the DNS issue of mapping your root domain via a CNAME record then you are good to go but let’s focus on another solution here.

URL Redirection

The next best approach would be to redirect your root domain to a subdomain. In my example, I have shown that I have a web application hosted with a custom domain of but I want to be able to access it using both and also my root domain

There are many ways that you can redirect a URL but ultimately you need a service of some kind that can do this for you. I looked at a few options here and settled on using an Azure Function to do this.

So effectively, we are going to host an Azure Function to act as a web proxy and redirect the root domain URL to

I found an excellent video from Mark Godfrey here that demonstrates this exact process so I want to give credit to Mark for this solution, please give his video a watch below for a full step by step process.

The steps involved are as follows:

  1. Deploy the Azure Function app. If you are hosting on an Azure App Service already then you can use the same App Service Plan to host the function app, but note it will share the same compute resources as your web application.

    You can instead use a serverless consumption based plan type as it includes 1 million requests and 400,000 GB seconds of free consumption per month. I also recommend enabling Application Insights at this step so you can monitor the function app later on.

  2. Once the service is deployed, we need to create our function so within the function app, go to Functions and click Create and then add a new HTTP trigger template as below.
  1. Now click on Code + Test and put in the code for your function, the below sample is taken from Mark Godfrey’s video. You would just need to modify the URL search string where I have alanktest and then the redirected URL where I have
using static System.Environment;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net;
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
    string OriginUrl = req.Headers.GetValues("DISGUISED-HOST").FirstOrDefault(); 
    log.Info("RequestURI org: " + OriginUrl);
    //create response
    var response = req.CreateResponse(HttpStatusCode.MovedPermanently);
           response.Headers.Location = new Uri("");
       return req.CreateResponse(HttpStatusCode.InternalServerError);
    return response;

Make sure you click Save. Then click on the Get function URL button and copy the URL to your clipboard, you will need this for the next step.

  1. Now, we set up the proxy. Click on Proxies within the function app and then click Add. Set this up as below and paste in the Backend URL from your clipboard in the previous step. Click the Create button to complete the process.
  1. We will need to add our root domain as a custom domain to the function app. Click on Custom domains within the function app and then add and verify your root domain. I recommend you also add your SSL certificate and bind it here otherwise you will encounter browser warnings if any users try to access your web application using the root domain over HTTPS.
  1. You now need to grab the IP address of the app service for the function app, we will use this for the A record of our root domain. You can see this IP address in the example below.

Point and Test

Now that this is all set up we just need to create or modify the A record for our root domain with our DNS provider and point this at the public IP address we took from the previous step.

In my example, this will direct all traffic for to the IP address of my function app which will intercept the traffic via the HTTP trigger and then redirect it to and by doing so send it to the Azure Front Door service which will then route through to my backend app service.

When testing this you can verify the function app is being invoked by looking at the monitor logs within the function as shown below.

Secure Solution

As mentioned, there are many ways that URL redirection can be achieved. You could host a URL redirection function directly within your targeted web application if it has a public IP address, but I prefer to lock this down and only allow access via the Azure Front Door service.

In my example, the backend application is hosted on an Azure App Service which does have a public IP address so I add a network access restriction to the AzureFrontDoor.Backend service tag so that the web application can only be accessed through Azure Front Door and not directly via its public IP address.

I also like the concept of using a serverless solution as there is no maintenance required. The free monthly usage that Azure provides may mean that this solution may not cost you anything depending on the amount of traffic going to your web application via the root domain and triggering the function.

One thought on “How to use Root Domains with Azure Front Door

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.