Impact of July 2025 Managed Certificate Changes on Traffic Manager Integration

Question

Impact of July 2025 Managed Certificate Changes on Traffic Manager Integration

Hiten Samalia 20

My Azure Function App / Web App relies on Traffic Manager (priority-based) to route HTTP traffic across different regions.

According to the Microsoft documentation, we will no longer be able to create certificates for *.trafficmanager.net domains. Until now, this was possible.

If I follow the recommended steps in the guide—creating a custom domain, adding the CNAME to the Traffic Manager domain, and adding that domain in the App Service Custom Domains section (with a certificate generated by App Service Managed Certificates)—my App Service shows as Degraded in the Traffic Manager profile.

How can I prevent this?

In the Traffic Manager documentation, it states:

"Since the App Service app is now integrated with a Traffic Manager endpoint, you should see the Traffic Manager domain name under CNAME configuration. Select it and click Add custom domain."

If I do this, a managed certificate is created automatically (which should not be the case as mentioned in App Service Managed Certificate (ASMC) changes – July 28, 2025), which is the expected behavior. However, if I skip this step, the app shows as Degraded in the Traffic Manager profile, and traffic is not routed.

Am I doing something wrong or interpreting the documentation incorrectly?

Hiten Samalia 20 Reputation points

2025-08-12T07:57:40.6566667+00:00

Update: We are unable to create a certificate for *.trafficmanager.net domain(s) and are also unable to bind it to the App Service. As a result, the Traffic Manager is currently showing Degraded in the health check. This raises the question of how it is expected to route traffic using priority-based routing.

Additionally, the documentation related to adding a Traffic Manager to an App Service states the following:

"If your web app uses SSL (settings > certificates), you can enable SSL on the trafficmanager.net domain by adding a binding for trafficmanager.net under settings > custom domains for the web app."
Hiten Samalia 20 Reputation points

2025-08-12T12:54:24.69+00:00

Update: I made some changes to the Traffic Manager profile configuration (specifically the Protocol and Port), and it is now working for me. However, I am still unsure how to handle the binding of the Traffic Manager’s custom domain in the App Service, as we are unable to create a certificate for it.

Should I leave it as is, or are changes required? At present, the Monitor Status of the Traffic Manager profile is working as expected.

Your answer

Hiten Samalia 20 Reputation points

2025-08-12T07:57:40.6566667+00:00

Update: We are unable to create a certificate for *.trafficmanager.net domain(s) and are also unable to bind it to the App Service. As a result, the Traffic Manager is currently showing Degraded in the health check. This raises the question of how it is expected to route traffic using priority-based routing.

Additionally, the documentation related to adding a Traffic Manager to an App Service states the following:

"If your web app uses SSL (settings > certificates), you can enable SSL on the trafficmanager.net domain by adding a binding for trafficmanager.net under settings > custom domains for the web app."
Hiten Samalia 20 Reputation points

2025-08-12T12:54:24.69+00:00

Update: I made some changes to the Traffic Manager profile configuration (specifically the Protocol and Port), and it is now working for me. However, I am still unsure how to handle the binding of the Traffic Manager’s custom domain in the App Service, as we are unable to create a certificate for it.

Should I leave it as is, or are changes required? At present, the Monitor Status of the Traffic Manager profile is working as expected.

Share via

Impact of July 2025 Managed Certificate Changes on Traffic Manager Integration

Your answer