1 vote

I have an Azure App Service that will have a custom domain and SSL binding in Production. Normally, I would issue the certificate first for the domain, bind to the App Service using an IP-based binding for the given domain, then update DNS entries as required once I know the IP address that Azure has bound.

My client will be issuing the certificate, and they won't do this until they know the exact inbound IP address that will be used for the SSL binding, but I don't believe I can know this IP until I've actually created the binding (which requires the certificate!) so it's a nasty chicken-and-egg scenario.

Is there a way of reserving a static inbound IP address in Azure for this purpose, prior to requiring the certificate? Or would I need to use some sort of gateway in front of the App Service instead, or some other solution I haven't thought of?


1 Answer

1 vote

Not sure why your client doesn't want to issue the certificate until they know the exact inbound IP address, unless they are trying to obtain an SSL certificate for the IP address rather than for the domain name.

If not, to get a reserved or dedicated inbound IP address for the web app, you can easily install and configure an IP-based TLS/SSL certificate at a low cost. Then if the IP address is updated, you just need to update the A record with the new IP address in the DNS provider.

For other choices, you can either use an isolated and dedicated environment for your App Service plan or put the App Service behind an Application Gateway v2 SKU. See how to Configure App Service with Application Gateway. You can also enable end-to-end TLS by using Application Gateway. Whichever of them you select has a higher cost and a more complicated configuration.