I'm in the process of setting up a Static Web App behind an Application Gateway using a Private Endpoint Link on a private VNet. I already have an external DNS set up that points to the Gateway via an A record.

My understanding is that I need to create a Private DNS Zone for the Static Web App, which functions like a hosts file, allowing me to set mappings (e.g., google.com -> mysite.com) that are only resolved within the VNets linked to it. However, when I attempt to set a custom domain for the Static Web App, I'm prompted to verify with a TXT record. This leaves me puzzled because:

1. Why do I need verification for a private configuration?
2. Shouldn't the verification be on the Application Gateway instead, since that's the public-facing service?

Have I misunderstood the role of private DNS zones?
2 Answers
It seems there's a bit of confusion here. The domain verification you're referring to is necessary for using a custom domain with your Static Web App instead of the default one. What you have to do for the private DNS zone is just set up the private endpoint for your web app and link it with the zone—no verification is needed for that. However, once you create a private endpoint, it disables public access to your app.
The verification you're encountering isn't directly related to the private DNS zone but rather the web app itself. The Static Web App manages TLS and therefore requires you to authenticate ownership of the custom domain for which it will issue a legitimate SSL certificate. This verification is essential to ensure that you own the domain you are trying to use with the web app, even though you're operating in a private DNS context.
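As an added pre-flight check (example code, not from either answer or from Azure), the following models the two DNS views the answers distinguish: the public zone, where the ownership TXT record and the gateway A record must live, and the VNet's private view, where the privatelink zone maps the app's default hostname to the private endpoint. The TXT record name `_dnsauth.<hostname>`, the zone name `privatelink.azurestaticapps.net`, and every address, hostname and token in it are assumptions or constructed sample values.

```python
# Added example, not code from the original post or from Azure. Assumptions
# (constructed, not real infrastructure): the ownership TXT record lives at
# "_dnsauth.<hostname>", the private zone is privatelink.azurestaticapps.net.
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]   # (name, record type) -> records

def make_resolver(records: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Wrap a static record table so it answers like one DNS view."""
    return lambda name, rtype: records.get((name.rstrip(".").lower(), rtype), [])

def check_ownership_txt(resolve: Resolver, hostname: str, token: str) -> bool:
    """Ownership check: the token must be in a TXT record served by public DNS.
    The private zone is never consulted, so a private-only app still needs it."""
    answers = resolve(f"_dnsauth.{hostname}", "TXT")   # record name is an assumption
    return token in (v.strip('"') for v in answers)

def check_public_path(resolve: Resolver, hostname: str, gateway_ip: str) -> bool:
    """Internet clients must land on the Application Gateway, not the app."""
    return resolve(hostname, "A") == [gateway_ip]

def check_private_path(resolve: Resolver, default_host: str, pe_ip: str) -> bool:
    """Inside a linked VNet the app's default hostname follows its CNAME into the
    privatelink zone, whose A record points at the private endpoint."""
    name = default_host
    for _ in range(4):                       # follow a short CNAME chain
        cname = resolve(name, "CNAME")
        if not cname:
            break
        name = cname[0]
    return resolve(name, "A") == [pe_ip]

# Constructed sample records: the public zone and the VNet's view of DNS.
PUBLIC = make_resolver({
    ("www.example.com", "A"): ["203.0.113.10"],                      # App Gateway
    ("_dnsauth.www.example.com", "TXT"): ['"constructed-token-1234"'],
    ("myapp.azurestaticapps.net", "CNAME"): ["myapp.privatelink.azurestaticapps.net"],
})
PRIVATE = make_resolver({
    ("myapp.azurestaticapps.net", "CNAME"): ["myapp.privatelink.azurestaticapps.net"],
    ("myapp.privatelink.azurestaticapps.net", "A"): ["10.0.1.4"],    # private endpoint
})

def run_checks() -> Dict[str, bool]:
    return {
        "ownership_txt": check_ownership_txt(PUBLIC, "www.example.com", "constructed-token-1234"),
        "public_via_gateway": check_public_path(PUBLIC, "www.example.com", "203.0.113.10"),
        "private_via_endpoint": check_private_path(PRIVATE, "myapp.azurestaticapps.net", "10.0.1.4"),
        "private_ip_visible_publicly": check_private_path(PUBLIC, "myapp.azurestaticapps.net", "10.0.1.4"),
    }
```

The last entry is expected to be false: the private endpoint address should only ever resolve from inside a VNet linked to the private zone.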