Each BizTalk Services deployment gets a unique URL like https://contoso.biztalk.windows.net, where <contoso> is a globally unique name entered by the user. The HTTPS session traffic for this deployment is encrypted using an SSL certificate in .pfx format. Because the biztalk.windows.net URLs are HTTPS-based, either a self-signed certificate or a certificate issued by a Certificate Authority is required. Some customers prefer to use their existing domain-friendly URLs, such as app.contoso.com, instead of the biztalk.windows.net URLs. The certificate in this case can be either for a generic (wildcard) sub-domain *.contoso.com or for app.contoso.com. All certificates are uploaded to the BizTalk Services deployment during service creation, and the Common Name (CN) in the certificate is validated against the custom domain URL.
The BizTalk Service deployment with the default domain works as follows:
You can use a CNAME record or an A record in DNS to configure custom domains. Both operations require access to the domain’s DNS controller. Any change to the records has to propagate across all servers.
A CNAME is a canonical name record that aliases one domain name to another. For example, you can map app.contoso.com to contoso.biztalk.windows.net. Customers can then use app.contoso.com for all operations on the corresponding biztalk.windows.net URL. How this entry is added is specific to the DNS server (see example later):
app.contoso.com IN CNAME contoso.biztalk.windows.net
It is assumed that contoso.com is already owned by the user.
CNAME with HTTPS
In case of HTTPS, the client or browser looks up the address and also checks the certificate for app.contoso.com. The certificate must be available on contoso.biztalk.windows.net, since the HTTPS session is established with the latter while the browser requests are serviced using the app.contoso.com URL. For example, if the certificate name does not match, the browser shows a warning in the address bar.
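The name check described above can be run before uploading a certificate. The following is an added example, not code from BizTalk Services or from the original page: it applies RFC 6125-style matching as TLS clients do, which is an assumption about how the service validates the CN, and the function names are hypothetical.

```python
# Added example: RFC 6125-style name matching, as TLS clients apply it.
# Assumption: the service's own CN validation is not shown on the page.

def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname."""
    pattern, host = _labels(cert_name), _labels(hostname)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(pattern) != len(host) or "" in pattern or "" in host:
        return False
    # Wildcards are only accepted as the complete left-most label.
    if any("*" in label for label in pattern[1:]):
        return False
    if pattern[0] == "*":
        # Require two further labels so that "*.com" is refused.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False  # partial wildcards such as "a*.contoso.com"
    return pattern == host


def check_custom_domain(cert_names: list[str], custom_domain: str) -> str:
    """Pre-upload check: report which certificate name covers the domain."""
    for name in cert_names:
        if cert_name_matches(name, custom_domain):
            return f"OK: {custom_domain} is covered by {name}"
    return f"MISMATCH: none of {cert_names} covers {custom_domain}"


if __name__ == "__main__":
    # Names taken from the page's examples.
    cases = [
        (["*.contoso.com"], "app.contoso.com"),                # wildcard cert
        (["app.contoso.com"], "app.contoso.com"),              # exact-name cert
        (["contoso.biztalk.windows.net"], "app.contoso.com"),  # browser warning
        (["*.contoso.com"], "contoso.com"),                    # apex not covered
        (["*.contoso.com"], "a.app.contoso.com"),              # two levels deep
    ]
    for names, domain in cases:
        print(check_custom_domain(names, domain))
```

The third case is the mismatch the paragraph describes: a certificate issued only for contoso.biztalk.windows.net does not cover app.contoso.com, even though the CNAME points there.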
A or AAAA record
An A record is the address record that maps a DNS domain or subdomain to its IP address. While an A record is for IPv4 addresses, an AAAA record is used for IPv6 addresses.
contoso.biztalk.windows.net IN A 220.127.116.11
There are 3 key steps to getting a custom domain working correctly: create the domain name and its SSL certificate, use the certificate and name while deploying BizTalk Services, and finally map the DNS entries so that all calls get routed correctly.
Create Custom Domain and its SSL certificate
Configure BizTalk Services
2. Upload the .pfx certificate in the BizTalk Services creation wizard
How this works
The BizTalk Service deployment with custom domain works as follows:
After the custom domain has been successfully configured, you can check the settings in the following places:
No, currently we support only one domain certificate with a single name for each deployment.
You would have to convert certificates with extensions like .pem and .p7b to .pfx. Tools are available to perform this conversion, as long as the private key of the certificate is available.
From the Azure portal, navigate to the dashboard page, where you have an option to update the domain certificate of your BizTalk Services deployment.
In v1, the domain name with its certificate cannot be changed after the BizTalk Services deployment has been created.