1.6 DNS and TLS

Outcome

All required DNS records and TLS certificates are in place so traffic flows correctly:

  • admin.rcm.medsuite.com → platform admin UI (apps/rcm-app admin variant or shared SWA)
  • *.rcm.medsuite.com → tenant UIs (one subdomain per tenant)
  • api.rcm.medsuite.com → backend gateway (apps/rcm-core)
  • edi.medsuite.com → EDI app
  • admin-docs.millinmedical.app, docs.millinmedical.app, edi-docs.millinmedical.app → doc sites

Prerequisites

  • 1.5 First platform admin complete.
  • Access to the DNS provider for medsuite.com (Azure DNS, Cloudflare, GoDaddy, etc.).

Topology

Steps

  1. Provision a wildcard certificate

    Two options:

    • Azure-managed cert (recommended for SWA): each Static Web App can be issued a managed cert per custom domain — no manual cert handling. Wildcards are not supported here, so each tenant subdomain needs its own cert.
    • Bring-your-own wildcard: a *.rcm.medsuite.com cert from your CA, uploaded to Azure Front Door. Use this if you want one cert covering all tenant subdomains.

    Most installations use Front Door + a wildcard cert because tenant subdomains are provisioned dynamically.

  2. Add the canonical CNAME / A records

    In your DNS provider:

    | Hostname | Type | Target |
    |---|---|---|
    | api.rcm.medsuite.com | CNAME | <container-app-name>.azurecontainerapps.io |
    | edi.medsuite.com | CNAME | <edi-container-app>.azurecontainerapps.io |
    | admin.rcm.medsuite.com | CNAME | <admin-swa>.azurestaticapps.net |
    | *.rcm.medsuite.com | CNAME | Front Door endpoint |
    | admin-docs.millinmedical.app | CNAME | <docs-admin-swa>.azurestaticapps.net |
    | docs.millinmedical.app | CNAME | <docs-tenant-swa>.azurestaticapps.net |
    | edi-docs.millinmedical.app | CNAME | <docs-edi-swa>.azurestaticapps.net |

  3. Bind custom domains to Static Web Apps

    # Doc-site hostnames live under millinmedical.app (see the records in step 2).
    for swa in swa-rcm-admin-docs-prod swa-rcm-docs-prod swa-rcm-edi-docs-prod; do
      host="$(echo "$swa" | sed -e 's/^swa-rcm-//' -e 's/-prod$//').millinmedical.app"
      az staticwebapp hostname set \
        --resource-group rg-rcm-prod-eastus2 \
        --name "$swa" \
        --hostname "$host"
    done

  4. Configure Front Door routing for *.rcm.medsuite.com

    The wildcard route inspects the Host header and forwards to:

    • api.rcm.* → backend container app
    • *.rcm.* (any other) → tenant SWA bundle (the same apps/rcm-app build serves all tenants; the app reads window.location.host to pick the tenant slug).

    az afd route create \
      --resource-group rg-rcm-prod-eastus2 \
      --profile-name fd-rcm-prod \
      --endpoint-name rcm-prod \
      --route-name tenant-wildcard \
      --custom-domains "*.rcm.medsuite.com" \
      --origin-group og-rcm-app \
      --supported-protocols Https \
      --link-to-default-domain Disabled \
      --https-redirect Enabled

  5. Validate certificates

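    # Full hostnames, matching the records in step 2. -ext needs OpenSSL 1.1.1 or later.
    for h in admin.rcm.medsuite.com api.rcm.medsuite.com edi.medsuite.com \
             admin-docs.millinmedical.app docs.millinmedical.app edi-docs.millinmedical.app; do
      echo "== $h"
      echo | openssl s_client -connect "$h:443" -servername "$h" 2>/dev/null \
        | openssl x509 -noout -subject -enddate -ext subjectAltName
    done

    Each host should show a non-expired cert with the right subject CN/SAN.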
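
A stricter form of the step 5 check, as an added example that is not part of the original runbook: it uses openssl's own hostname matching and expiry test, and shows that a *.rcm.medsuite.com wildcard covers exactly one label. The function names, the 14-day threshold and the tenant slug acme are assumptions; the sample certificate is constructed locally so the demo runs offline.

```shell
#!/bin/sh
# Added example; function names, thresholds and the "acme" tenant are assumptions.

# check_cert PEM HOST [MIN_DAYS]
# 0 = HOST covered and valid for MIN_DAYS more; 1 = name mismatch; 2 = expiring.
check_cert() {
  _pem=$1; _host=$2; _days=${3:-14}
  # -checkhost applies RFC 6125 rules: "*" matches a single DNS label only.
  if ! openssl x509 -in "$_pem" -noout -checkhost "$_host" | grep -q 'does match'; then
    echo "FAIL $_host: not covered by the certificate" >&2
    return 1
  fi
  # -checkend exits non-zero if the cert expires within the given seconds.
  if ! openssl x509 -in "$_pem" -noout -checkend $(( $_days * 86400 )) >/dev/null; then
    echo "FAIL $_host: expires within $_days days" >&2
    return 2
  fi
  echo "OK   $_host"
}

# check_live HOST [MIN_DAYS]: fetch the served leaf cert via SNI, then check it.
check_live() {
  _live=$(mktemp)
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$_live" 2>/dev/null || { echo "FAIL $1: no cert" >&2; return 3; }
  check_cert "$_live" "$1" "${2:-14}"
}

# make_sample_cert SAN DAYS: constructed self-signed cert for offline runs.
make_sample_cert() {
  _dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -keyout "$_dir/key.pem" -out "$_dir/cert.pem" 2>/dev/null
  echo "$_dir/cert.pem"
}

# Offline demo on a constructed 30-day wildcard cert.
demo=$(make_sample_cert '*.rcm.medsuite.com' 30)
for h in acme.rcm.medsuite.com api.rcm.medsuite.com edi.medsuite.com a.b.rcm.medsuite.com; do
  check_cert "$demo" "$h" 14 || true
done
```

Against the live deployment, run check_live for each hostname from step 2. edi.medsuite.com and the millinmedical.app doc sites sit outside the wildcard and need their own certificates.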

Validation

| Check | Expected |
|---|---|
| dig admin.rcm.medsuite.com | Resolves to SWA hostname |
| dig api.rcm.medsuite.com | Resolves to Container App hostname |
| dig +short '*.rcm.medsuite.com' | Resolves to Front Door |
| curl -fsSL https://admin.rcm.medsuite.com | Returns the SPA login page |
| curl -fsSL https://admin-docs.millinmedical.app | Returns this docs site |

Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| Cert error in browser | Custom domain still validating | Wait up to 30 min after binding; check az staticwebapp hostname show. |
| *.rcm resolves but returns 404 | Front Door route missing or origin not added | Re-check step 4. |
| api.rcm returns 502 | Container app probe failing | Check az containerapp logs show for the backend. |

Next

1.7 — Smoke tests