Forum Discussion
Issue with Custom Domain on APIM and Cloudflare Proxying
Hello Kidd_Ip,
Thank you for your detailed reply!
Since proxying is mandatory for security reasons, the first and third options unfortunately cannot be considered.
I’ll proceed with attempting to set up a custom hostname via a TXT record, even though this approach appears to be mentioned only in the context of Azure's free managed certificate in the official documentation. However, as traffic must flow through Cloudflare, this may introduce challenges.
If this approach proves unsuccessful, I’ll have no choice but to deploy an Azure Application Gateway as a reverse proxy. This would allow me to maintain the required security posture while ensuring compatibility with Cloudflare's proxying.
I’ll keep you updated on the outcome.
Best regards,
Khalil
Kidd_Ip, the 1st option bypasses the proxy, as does the 3rd one, so they weren't considered. The 4th one seems to be mentioned in the context of Azure's free managed certificate, as described in the official Microsoft documentation here: https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?tabs=custom#dns-configuration
The only viable option is the 2nd one. I tested it and it worked as expected.
- mkg310, Mar 27, 2025, Copper Contributor
Kidd_Ip, I've got some news. I opened a support ticket with Microsoft and they confirmed that the CNAME record validation only happens at custom domain creation 😑
So I guess the issue we faced is not related to the CNAME record being proxied.
Also, unproxying the Cloudflare CNAME record raises another issue: the TLS handshake fails because the Cloudflare origin root certificate isn't present on the client machine, and we can't install it on all the machines. When the CNAME is proxied, Cloudflare uses a free self-signed certificate to secure the connection with the API Management service.