az containerapp show --name <container-app> --resource-group <resource-group>Show the container app, including ingress and generated FQDN details.
A custom hostname assigned to a Container App ingress endpoint.
Source: Microsoft Learn - Custom domain names and certificates in Azure Container Apps Reviewed 2026-06-04
Container Apps custom domain is the hostname you map to a container app so users reach app.contoso.com instead of the default azurecontainerapps.io address. The app needs ingress enabled, DNS has to prove ownership and route traffic, and the hostname must be associated with a TLS certificate. In production, this setting is more than branding. It is where DNS, certificates, Container Apps ingress, managed environment ownership, revisions, and customer cutover plans meet. A healthy container can still look offline when the domain, certificate, or DNS record is wrong.
Container Apps custom domain matters because users and partner systems depend on stable hostnames, not Azure-generated default names. During a launch, migration, or incident, the custom domain is often the difference between a working container and a service people cannot reach. Misconfigured DNS sends traffic to the wrong place. Missing verification blocks the binding. Expired or mismatched certificates create browser and client failures. Weak ownership records can create takeover risk when domains are reused. Treating the domain as operational configuration gives teams clearer release gates, rollback plans, support evidence, and certificate renewal ownership. It also keeps architecture diagrams honest about how customers actually enter the workload.
Technically, a Container Apps custom domain is stored on the container app ingress configuration and validated with DNS ownership records. External apps usually use CNAME or A records plus TXT verification, while private environments may involve internal DNS and controlled resolution. The binding also needs a certificate, either a managed certificate or an uploaded certificate available to the managed environment. Operators inspect the app FQDN, custom hostname, certificate name, ingress mode, target port, revision routing, and environment scope together because a correct host binding still fails if DNS, TLS, or ingress points somewhere else.
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Contoso Market moved its checkout API from App Service to Azure Container Apps, but customers and mobile apps still called checkout.contoso.com. The platform team needed a controlled cutover that proved DNS ownership, bound the hostname, attached a valid certificate, and preserved rollback to the old endpoint while the new container app revisions warmed up.
The team enabled external ingress on the checkout container app, recorded the default app FQDN and verification ID, and created DNS records in the corporate zone before the change window. They uploaded the approved certificate to the Container Apps environment, bound checkout.contoso.com to the app, and verified the binding with CLI output, portal screenshots, and synthetic tests from the public hostname. Traffic was shifted only after the DNS record, certificate chain, target port, and revision split were confirmed. The rollback notes kept the old endpoint and DNS target available until post-release monitoring showed clean transactions for two hours.
A Container Apps custom domain should be treated as release-critical ingress configuration. The hostname, DNS record, certificate, revision routing, and rollback target all need evidence before a customer-facing cutover.
Northwind Health hosted a patient notification portal in Azure Container Apps with portal.northwindhealth.example as the public entry point. The application team owned the container image, but a central platform team owned DNS and certificates. Audit reviewers could not tell who renewed the certificate, who approved the hostname binding, or whether the default FQDN was still being used by partner scripts.
The platform team documented the domain binding in the production runbook with the resource group, container app name, managed environment, certificate name, expiration date, and DNS zone owner. They replaced partner references to the default app FQDN with the approved custom hostname and added a release check that fails when hostname evidence is missing. CLI checks listed the custom domain, certificate binding, and recent activity log updates. The security team kept certificate renewal reminders in the same change calendar as other public endpoints, so the Container Apps domain was no longer an exception hidden inside application deployment notes.
Custom domains on Container Apps cross team boundaries. Naming, certificate, DNS, app ingress, and partner usage must be documented together or each team will assume another team owns the risk.
Fabrikam Logistics received partner events at webhook.fabrikam.example, which pointed to a Container Apps workload that scaled on HTTP requests. After a rushed test environment cleanup, the production CNAME was changed to the wrong container app FQDN. The container app was healthy, but partners saw intermittent failures, and the incident bridge initially chased image, replica, and scale-rule symptoms instead of hostname routing.
Operators compared the custom domain binding on the production container app with DNS records, certificate details, ingress settings, and revision traffic. The evidence showed that the hostname binding was valid, but the CNAME pointed to a test app FQDN. DNS was restored to the production target, and synthetic probes were switched from the generated FQDN to webhook.fabrikam.example so future tests used the partner path. The team added a weekly CLI inventory of hostnames and certificate bindings, plus a change approval step requiring DNS owner confirmation before any environment cleanup.
When Container Apps is healthy but clients fail, inspect the custom domain path before redeploying. DNS drift, certificate mismatch, or hostname binding mistakes can imitate application outages.
Use Azure CLI for Container Apps custom domain when you need repeatable hostname, ingress, DNS, and certificate evidence instead of relying on one portal view during release or incident work.
az containerapp show --name <container-app> --resource-group <resource-group>Show the container app, including ingress and generated FQDN details.
az containerapp hostname list --name <container-app> --resource-group <resource-group>List custom hostnames bound to the container app.
az containerapp env certificate list --name <environment-name> --resource-group <resource-group>List certificates available in the Container Apps environment.
az containerapp hostname add --hostname <hostname> --name <container-app> --resource-group <resource-group>Add a custom hostname binding to a container app after ownership is ready.
az containerapp ssl upload --hostname <hostname> --name <container-app> --resource-group <resource-group> --certificate-file <certificate-file> --certificate-password <password>Upload and bind a certificate for a hostname when using an uploaded certificate workflow.