DEV Community

Cover image for Azure Container Apps, Bicep, bring your own certificates and custom domains
John Reilly
John Reilly

Posted on • Edited on • Originally published at johnnyreilly.com

Azure Container Apps, Bicep, bring your own certificates and custom domains

Azure Container Apps supports custom domains via certificates. If you're looking to make use of the managed certificates in Azure Container Apps using Bicep, then you might want to take a look at this post on the topic.

This post will instead look at how we can use the "bring your own certificates" approach in Azure Container Apps using Bicep. Well, as much as that is possible; there appear to be limitations in what can be achieved with Bicep at the time of writing.

title image reading

This post assumes you already have an Azure Container App in place and you want to bind a custom domain to it. If you don't have an Azure Container App in place, then you might want to take a look at this post on the topic.

Make a certificate

So the first thing we need to do is make a certificate. This is pretty simple, and in my case amounts to the following command:

sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout poorclaresarundel.org.key -out poorclaresarundel.org.crt -subj "/CN=poorclaresarundel.org" \
  -addext "subjectAltName=DNS:poorclaresarundel.org,DNS:www.poorclaresarundel.org,IP:8.8.8.8"
sudo chmod +r poorclaresarundel.org.key
cat poorclaresarundel.org.crt poorclaresarundel.org.key > poorclaresarundel.org.pem
Enter fullscreen mode Exit fullscreen mode

This makes a certificate with a 10 year expiry date. You'll note the 8.8.8.8 listed as the IP address above. You should replace that with the static IP address of your Container Apps Environment. You can find that in the Azure Portal. It's listed on the "Overview" tab of your Azure Container App. It's the "Static IP" value:

screenshot of the Azure Portal with the static IP address highlighted

You'll also note the poorclaresarundel.org listed as the domain name above. You should replace that with your domain name. You'll need to do that in two places; in the openssl command and in the subjectAltName value. More on the significance of that particular domain name later.

Container apps environment and certificates

Now, we'll crack open our Azure Container App's environment in the Azure Portal and navigate to the "Certificates" tab. Then we need to click on the "Bring your own certificates (.pfx)" tab, and we are presented with a screen like this:

Screenshot of Azure Portal on the certificates screen

Note the "Add certificate" button. Use that to upload your certificate - in my case that's the poorclaresarundel.org.pem file. You'll need to provide the password for the certificate too. Oh and you'll be asked for a friendly name. We'll remember the friendly name you use - we'll need it later.

This is a real world example; my aunt's website. My aunt is Poor Clare nun and, for years, I've done an average job of maintaining her convent's website. If I was her, I'd be wishing her nephew was a designer rather than an engineer. Or maybe an engineer with more of a sense what looks good. But here we are - she's a nun and so consequently much too nice to say that. Anyway, I digress. The point is, I've got a certificate for her website and I'm going to use it here.

screenshot of uploaded certificate in the Azure Portal

Bicep for the custom domain

I haven't managed to work out how one would handle the certificate upload in Bicep (and I rather suspect it is not supported). However, I have worked out how to handle the certificate in the Azure Container App once it's been uploaded with regards to custom domains. Find the Microsoft.App/containerApps resource in your Bicep and add a customDomains property to it. It should look something like this:

resource environment 'Microsoft.App/managedEnvironments@2022-10-01' = {
  name: environmentName
  // ...
}

resource webServiceContainerApp 'Microsoft.App/containerApps@2022-10-01' = {
  name: webServiceContainerAppName
  tags: tags
  location: location
  properties: {
    // ...
    configuration: {
      // ...
      ingress: {
        // ...
        customDomains: [
          {
              name: 'www.poorclaresarundel.org'
              // note the friendly name of "poorclaresarundel.org" forms the last segment of the id below
              certificateId: '${environment.id}/certificates/poorclaresarundel.org'
              bindingType: 'SniEnabled'
          }
        ]
      }
    }
    // ...
  }
}
Enter fullscreen mode Exit fullscreen mode

Conclusion

With the above post you should be able to deploy an Azure Container App with a custom domain and provide your own certificate, which is then referenced using Bicep. If you'd like to see the full Bicep file, then you can find it here.

Attributions

Certificate icon in title image created by Freepik - Flaticon

Top comments (0)