1. Home
  2. /Uncategorized
  3. /[Azure] Setting custom domain with indirect verification via ARM

[Azure] Setting custom domain with indirect verification via ARM

February 20, 2019 / Jasper Siegmund / 0

I ran across this problem trying to link a custom domain to an Azure storage account. Custom domains can be used to use your own domain instead of having <storageaccountname>.blob.core.windows.net as the default domain. For using a custom domain, the domain needs to be validated to ensure that you really own the domain you’re planning to use. There’s two ways of validating: 

  1. Azure checks for the existence of a CNAME record on the specific domain that points to the domain name of the storage account (as mentioned above).
  2. Azure checks for the existence of a CNAME record on asverify.<specificdomain> that points to the domain name of the storage account, but also prefixed with asverify.

Using the asverify subdomain is called “indirect validation”. This is used when you don’t point traffic directly to the storage account, but for instance require to have an appliance in between that then forwards traffic. In the Azure portal, this is reflected in the following checkbox:

 

Ok, so all fine and well. But what if you need to use the “indirect CNAME validation” don’t want to use the portal, but deploy stuff via ARM templates instead? You setup a CNAME record that points “asverify.mystorageaccount.specificdomain.com” to “mystorageaccount.blob.core.windows.net”. And then you deploy your ARM template. I tried that but kept running into the following error:

The custom domain name could not be verified. CNAME mapping from mystorageaccount.specificdomain.com to any of mystorageaccount.blob.core.windows.net,mystorageaccount.z6.web.core.windows.net does not exist.

This basically says: you don’t have a CNAME mapping for mystorageaccount.specificdomain.com, which is true as we prefixed it with asverify and the actual CNAME is pointing to my routing appliance. It turns out the fix for this is very simple, but hard to find. I found it by inspecting the API call that the portal makes when you set the indirect validation checkbox. Change your ARM template to the following:

"customDomain": {
    "name": "mystorageaccount.specificdomain.com",
    "useSubDomainName": true
}

The “useSubDomainName” flag will trigger the use of the indirect CNAME validation, as described here.

Jasper Siegmund

Related posts

[Azure] Regain admin access to your Azure AD tenant custom domain

I ran across this problem trying to link a custom domain to an Azure storage account. Custom domains can be used to use your own domain instead of having <storageaccountname>.blob.core.windows.net as the default domain. For using a custom domain, the domain needs to be validated to ensure that you really own the domain you're planning to use. There's two ways of validating: 

[SP2013] Getting a list of site collections using search

I ran across this problem trying to link a custom domain to an Azure storage account. Custom domains can be used to use your own domain instead of having <storageaccountname>.blob.core.windows.net as the default domain. For using a custom domain, the domain needs to be validated to ensure that you really own the domain you're planning to use. There's two ways of validating: 

Latest posts

[DevOps] Should you migrate onto YAML release pipelines?

I ran across this problem trying to link a custom domain to an Azure storage account. Custom domains can be used to use your own domain instead of having <storageaccountname>.blob.core.windows.net as the default domain. For using a custom domain, the domain needs to be validated to ensure that you really own the domain you're planning to use. There's two ways of validating: 

Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Search