Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Wildcard domains allow Azure Front Door to receive traffic for any subdomain of a top-level domain. An example wildcard domain is *.contoso.com.
By using wildcard domains, you can simplify the configuration of your Azure Front Door profile. You don't need to modify the configuration to add or specify each subdomain separately. For example, you can define the routing for customer1.contoso.com, customer2.contoso.com, and customerN.contoso.com by using the same route and adding the wildcard domain *.contoso.com.
Wildcard domains give you several advantages, including:
- You don't need to onboard each subdomain in your Azure Front Door profile. For example, suppose you create new subdomains every customer, and route all customers' requests to a single origin group. Whenever you add a new customer, Azure Front Door understands how to route traffic to your origin group even though the subdomain isn't explicitly configured.
- You don't need to generate a new Transport Layer Security (TLS) certificate, or manage any subdomain-specific HTTPS settings, to bind a certificate for each subdomain.
- You can use a single web application firewall (WAF) policy for all of your subdomains.
Commonly, wildcard domains are used to support software as a service (SaaS) solutions, and other multitenant applications. When you build these application types, you need to give special consideration to how you route traffic to your origin servers. For more information, see Use Azure Front Door in a multitenant solution.
Note
When you use Azure DNS to manage your domain's DNS records, you need to configure wildcard domains by using the Azure Resource Manager API, Bicep, PowerShell, and the Azure CLI. Support for adding and managing Azure DNS wildcard domains in the Azure portal isn't available.
Add a wildcard domain and certificate binding
You can add a wildcard domain following steps similar for subdomains. For more information about adding a subdomain to Azure Front Door, see Configure a custom domain on Azure Front Door using the Azure portal.
Note
- Azure DNS supports wildcard records.
- You can't purge the Azure Front Door cache for a wildcard domain. You must specify a subdomain when purging the cache.
For accepting HTTPS traffic on your wildcard domain, you must enable HTTPS on the wildcard domain. The certificate binding for a wildcard domain requires a wildcard certificate. That is, the subject name of the certificate should also have the wildcard domain.
Note
- If you want to add a subdomain of the wildcard domain that’s already validated in the Azure Front Door Standard or Premium profile, the domain validation is automatically approved.
- If a wildcard domain is validated and already added to one profile, a single-level subdomain can still be added to another profile as long as it is also validated.
Define a subdomain explicitly
You can add as many single-level subdomains of the wildcard as you would like. For example, for the wildcard domain *.contoso.com, you can also add subdomains to your Azure Front Door profile for image.contoso.com, cart.contoso.com, and so forth. The configuration that you explicitly specify for the subdomain takes precedence over the configuration of the wildcard domain.
You might need to explicitly add subdomains in these situations:
- You need to define a different route for a subdomain than the rest of the domains (from the wildcard domain). For example, your customers might use subdomains like
customer1.contoso.com,customer2.contoso.com, and so forth, and these subdomains should all be routed to your main application servers. However, you might also want to routeimages.contoso.comto an Azure Storage blob container. - You need to use a different WAF policy for a specific subdomain.
Subdomains like www.image.contoso.com aren't a single-level subdomain of *.contoso.com.
WAF policies
WAF policies can be attached to wildcard domains, similar to other domains. A different WAF policy can be applied to a subdomain of a wildcard domain. Subdomains automatically inherit the WAF policy from the wildcard domain if there's no explicit WAF policy associated to the subdomain. However, if the subdomain is added to a different profile from the wildcard domain profile, the subdomain can't inherit the WAF policy associated with the wildcard domain.
If you don't want a WAF policy to run for a subdomain, you can create an empty WAF policy with no managed or custom rulesets.
Routes
When configuring a route, you can select a wildcard domain as an origin. You can also have different route behavior for wildcard domains and subdomains. Azure Front Door chooses the most specific match for the domain across different routes. For more information, see How requests are matched to a routing rule.
Important
You must have matching path patterns across your routes, or your clients will see failures.
For example, suppose you have two routing rule:
- Route 1 (
*.foo.com/*mapped to origin group A) - Route 2 (
bar.foo.com/somePath/*mapped to origin group B) If a request arrives forbar.foo.com/anotherPath/*, Azure Front Door selects route 2 based on a more specific domain match, only to find no matching path patterns across the routes.
Next steps
- Learn how to create an Azure Front Door profile.
- Learn how to add a custom domain to your Azure Front Door.
- Learn how to enable HTTPS on a custom domain.