Azure Front Door Update: Required CDN upgrade from Classic Issues
Issue to do with the deprecation of Azure Front Door CDN Classic
As discussed in previous posts, this blog site is authored using Markdown and built as a Jekyll site. It then is sent to an Azure Blob Storage and manifests as a static web site. An Azure Front Door CDN then is ued to make it available securely (https) delivered using a custom domain. The custom domain is provided by a third party.
An Azure Front Door CDN Classic has been used for a number of years but that was recently deprecated and so an upgrade to Standard or Premium was required.
Initial Query
My Jekyll blog site https://davidjones.sportronics.com.au is built locally and copied to Azure Blob Storage, in $web. The site as copied is https://djzblogaccname137.z26.web.core.windows.net/ I then use an external custom domain certificate to present it as https://davidjones.sportronics.com.au
I’m getting 2 messages/warnings:
- Managed certificates expire April 14, 2026. Migrate classic profiles to AFD Standard and Premium or switch to BYOC to avoid service disruption. Profiles not updated may be auto‑migrated starting April 10, 2026 (best effort). To opt out, set feature flag Microsoft.Cdn/DoNotAutoMigrateClassicManagedCertificatesProfiles by April 9, 2026. Learn more
- Azure CDN Standard from Microsoft (classic) will be retired on September 30, 2027. Migrate to AFD Standard and Premium to avoid any service disruption and benefit from all new and enhanced capabilities. Learn more
The first I should have done a while ago but I guess I can’t avoid now! The second can be delayed but I guess I need to fix both now.
I have a Microsoft CDN (classic) CDN It is valid for migration: CDN (classic) profile is compatible for migration.
I have an Endpoint:
Endpoint hostname:
https://DJzBlogCDNEnpointWeb2.azureedge.net
Origin hostname:
https://www.sportronics.com.au
Which is configured as
Custom domain HTTPS is ON
Certificate management type is CDN managed
- TLS 1.2
So am I good to go with the CDN upgrade from Classic to Standard?? And if I do the migration thus: Will both issues be resolved? Can I continue to use my (external) custom domain without much effort? Do I have to do anything where my custom domain is registered?
First Response
Yes if your Azure CDN Standard from Microsoft (classic) profile shows “valid for migration”, you are generally good to proceed with the built-in migration to Azure Front Door Standard/Premium.
In your case, migrating now is the right move because it should address both warnings:
the managed certificate warning, since existing classic managed certs are only valid until April 14, 2026
the classic CDN retirement warning, since Azure CDN Standard from Microsoft (classic) retires on September 30, 2027. (Microsoft Learn)
For a static Jekyll site on Blob Storage, AFD Standard is usually sufficient unless you specifically need Premium-only features.
You should be able to keep using your external custom domain (davidjones.sportronics.com.au), but expect at least some DNS work at your DNS provider:
Azure Front Door uses a TXT record for domain validation
and a CNAME record to point your hostname to the new Front Door endpoint. (Microsoft Learn)
So the answer is:
Yes, you can migrate
Yes, that should resolve both warnings
Yes, you can keep your custom domain
Yes, you will probably need to update DNS records, but not do anything major beyond validation/CNAME cutover. (Microsoft Learn)
My advice: use the built-in migration flow, review the generated AFD profile carefully, then update the custom-domain DNS to the new AFD hostname once migration completes.
Other Initial Response
Recommendation is to move to AFD Standard/Premium SKUs.
During migration to Standard/Premium, we add the old Azure CDN domain, which the actual application domain was pointing to, as a custom domain on Standard/Premium. So, there is no need for customers to modify the DNS entry on their side. The cert rotation is automatic as well (based on HTTP path-based domain control validation for Cert renewals only).
Query 2
I may not be completely out of the woods yet:
DNS is OK but Certificate will need an update soon*
Certificate Details tab:
AFD managed certificate will be auto-rotate in 45 days ahead of expiry, with exceptions for CNAMEs pointing to other DNS resources. BYOC certificate must be updated manually.Learn more
HTTPS
Enable HTTPS protocol for a custom domain that's associated with Front Door to ensure that sensitive data is delivered securely via SSL/TLS encryption when sent across the Internet.Learn more
Certificate type
AFD managed (Recommended)
Bring Your Own Certificate (BYOC)
So do I need to do an update of the CNAME config with my domain name provider?
Response
It autorotates in some time (usually less than 24 hrs) post the migration. I can see that the cert on the blog URL (DjsBlog: Index) has been renewed and has an expiry date of Oct 9, 2026, now.
Later
So it did an update 😊
Conclusion: Later that month
So I did have to update the CNAME record:
Later in the month after doing the update as above (the site did work earlier in the month after that update), I did now have had to do an update to the CNAME record with my DNS provider after all:
Summary of What Was Fixed
Problem: Custom domain https://davidjones.sportronics.com.au not working after Azure CDN Classic→Standard upgrade
Root Cause: DNS CNAME was pointing to the old Classic CDN endpoint instead of the new Front Door endpoint
Solution: Updated the CNAME record in WebCentral (the DNS provider) from:
- EndPoint.azureedge.net (old)
- To: EndPoint-ckekfbhfgnbvg5h2.z01.azurefd.net (new)
The site is now be fully operational with HTTPS through Azure Front Door! 😊
Acknowledgments
Thanks to the fellow MVPs who helped me with this; and WindSurf AI.
| Topic | Subtopic | |
| < Prev: | Checkers-Draughts Game | A Kludge to fix an error |
| This Category Links | ||
| Category: | Web Sites Index: | Web Sites |
| < Prev: | Jekyll-Markdown | Devops Pipeline Timely Update |
