Forum Discussion
Issue with Custom Domain on APIM and Cloudflare Proxying
Azure APIM requires a valid CNAME record pointing to *.azure-api.net for initial configuration and possibly for periodic revalidation. When the proxied attribute is enabled in Cloudflare, DNS responses return Cloudflare's proxy IPs instead of the expected *.azure-api.net, which causes Azure's validation to fail. This explains why disabling the proxy temporarily resolves the issue. Please consider:
- Use Cloudflare Page Rules:
  - Create a page rule in Cloudflare to bypass the proxy for apim.ourowndomain.net. This ensures the DNS response returns the expected *.azure-api.net value while still leveraging Cloudflare for other features.
- Set Up an Azure Application Gateway (Reverse Proxy):
  - Deploy an Azure Application Gateway in front of your APIM instance. Configure Cloudflare to point to the Application Gateway, which can handle the requests and forward them to APIM. This approach decouples Cloudflare's proxying from direct communication with APIM.
- Keep Proxy Disabled for the CNAME Record:
  - If proxying is not essential for your use case, leave the proxied attribute disabled for the CNAME record. This will eliminate revalidation issues.
- Use Custom Hostname Verification via TXT Record:
  - Azure APIM allows custom hostname verification using a TXT record instead of relying solely on the CNAME record. Add the required TXT record in Cloudflare to validate ownership, which may bypass the need for revalidating the proxied CNAME.
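A quick way to confirm what Azure's CNAME check would actually see for the custom hostname is to classify the answer section of `dig +noall +answer apim.ourowndomain.net` as "proxied" (Cloudflare edge A records) or "dns-only" (a CNAME chain reaching *.azure-api.net). The script below is an added example, not code from the thread or from Microsoft or Cloudflare; the dig output it parses is constructed, and the Cloudflare IPv4 ranges are a subset of the published list that should be refreshed from cloudflare.com/ips-v4 before use.

```python
import ipaddress
import re

# Assumed subset of Cloudflare's published IPv4 proxy ranges (refresh from
# https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17", "188.114.96.0/20",
)]

# Matches one line of 'dig +noall +answer' output: owner TTL IN TYPE RDATA
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")

def parse_answer(dig_output):
    """Turn dig answer lines into (owner, rrtype, rdata) tuples (trailing dots removed)."""
    records = []
    for line in dig_output.strip().splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3).rstrip(".").lower()))
    return records

def classify(dig_output, hostname, expected_suffix="azure-api.net"):
    """Return 'dns-only' if the CNAME chain reaches *.azure-api.net,
    'proxied' if the hostname resolves straight to Cloudflare edge IPs,
    'unexpected' otherwise (e.g. a stray A record or an unrelated CNAME)."""
    records = parse_answer(dig_output)
    name = hostname.rstrip(".").lower()
    seen = set()
    while name not in seen:  # follow the CNAME chain, guarding against loops
        seen.add(name)
        targets = [r for o, t, r in records if o == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
        if name.endswith("." + expected_suffix):
            return "dns-only"
    addrs = [ipaddress.ip_address(r) for o, t, r in records if o == name and t == "A"]
    if addrs and all(any(a in net for net in CLOUDFLARE_V4) for a in addrs):
        return "proxied"
    return "unexpected"

# Constructed samples of what dig returns in each Cloudflare mode.
PROXIED_ANSWER = """
apim.ourowndomain.net.  300  IN  A  104.16.123.45
apim.ourowndomain.net.  300  IN  A  104.16.124.45
"""
DNS_ONLY_ANSWER = """
apim.ourowndomain.net.       300  IN  CNAME  contoso-apim.azure-api.net.
contoso-apim.azure-api.net.  60   IN  A      203.0.113.10
"""
```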
Hello Kidd_Ip,
Thank you for your detailed reply!
Since proxying is mandatory for security reasons, the first and third options unfortunately cannot be considered.
I’ll proceed with attempting to set up a custom hostname via a TXT record, even though this approach appears to be mentioned only in the context of Azure's free managed certificate in the official documentation. However, as traffic must flow through Cloudflare, this may introduce challenges.
If this approach proves unsuccessful, I’ll have no choice but to deploy an Azure Application Gateway as a reverse proxy. This would allow me to maintain the required security posture while ensuring compatibility with Cloudflare's proxying.
I’ll keep you updated on the outcome.
Best regards,
Khalil
- mkg310, Mar 26, 2025, Copper Contributor
Kidd_Ip, the 1st option bypasses the proxy, as does the 3rd one, so they weren't considered. The 4th one seems to be mentioned in the context of Azure's free managed certificate, as described in the official Microsoft documentation here: https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?tabs=custom#dns-configuration
The only viable option is the 2nd one. I tested it and it worked as expected.
- mkg310, Mar 27, 2025, Copper Contributor
Kidd_Ip, I've got some news. I opened a support ticket with Microsoft and they confirmed that the CNAME record validation only happens at custom domain creation 😑
So I guess the issue we faced is not related to the CNAME record being proxied.
Also, unproxying the Cloudflare CNAME record raises another issue, as the TLS handshake fails because the Cloudflare origin root certificate isn't present on the client machine and we can't install it on all the machines. When the CNAME is proxied, Cloudflare uses a free self-signed certificate to secure the connection with the API Management service.