Problem
Container Apps ingress is directly public on `tech.hub.ms` / `tech.xebia.ms` with no WAF, bot mitigation, or rate limiting. For a well-used public site this creates two risks:
- Cost spike: a crawler or L7 flood can burn through the Consumption plan's free grant and drive scale-out charges before anyone notices (the budget alert fires only after the spend has happened)
- No edge protection: no managed WAF rules, no bot scoring, no DDoS absorption layer in front of the origin
Proposed solution
Place Cloudflare free tier in front of both domains. This is the best cost/security ratio for a solo-maintained public site.
How it works
- Delegate `hub.ms` and `xebia.ms` to Cloudflare's nameservers at GoDaddy and create proxied (orange-cloud) records for `tech.hub.ms` / `tech.xebia.ms` pointing at the Container Apps ingress FQDN. Note that the free plan requires full nameserver delegation; the partial (CNAME) setup, where Cloudflare proxies individual hostnames without hosting the zone, is a Business-plan feature
- Cloudflare terminates TLS at the edge and opens a second TLS connection to the Container Apps origin (no plaintext hop as long as SSL mode is Full (strict))
- Origin continues to use the existing wildcard certs from Key Vault on the Azure side
- Cloudflare issues its own edge certificate automatically (Universal SSL, free)
Benefits (all free tier)
- Bot mitigation: Bot Fight Mode + Browser Integrity Check
- WAF: the Cloudflare Free Managed Ruleset (a small set of rules for high-profile vulnerabilities) plus a handful of custom WAF rules; the full Cloudflare Managed Ruleset and the OWASP Core Ruleset require a paid plan, so do not count on OWASP Top 10 coverage from the free tier
- DDoS absorption (L3/L4 and HTTP DDoS protection are on all plans)
- Edge caching for static assets (reduces egress cost and origin load)
- Rate limiting (a single rate-limiting rule on the free plan, matched on path/host)
- Security analytics and firewall events (short retention on the free plan)
Implementation steps
- Add both zones to Cloudflare (free plan) and note the two nameservers it assigns
- In GoDaddy: change the nameservers for `hub.ms` / `xebia.ms` to the assigned Cloudflare ones (the free plan does not support the CNAME-only partial setup). Before switching, confirm the Cloudflare zone contains every existing record, including the NS delegation of `acme.hub.ms` to Azure DNS; anything missing from the imported zone stops resolving the moment delegation changes
- In Cloudflare: set SSL/TLS mode to Full (strict). This requires the origin to present a certificate that is valid for the hostname and chains to a trusted CA, which the existing ACME-issued wildcard already satisfies. Avoid Flexible (plaintext to origin) and plain Full (origin cert not validated)
- In Cloudflare: enable Bot Fight Mode and Browser Integrity Check
- In Container Apps: add ingress IP restrictions that allow only Cloudflare's published edge ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) so the origin FQDN cannot be hit directly. The ranges change occasionally, so regenerate the rule set from those lists rather than hard-coding it once. An IP allowlist still lets any other Cloudflare zone proxy to this origin; Authenticated Origin Pulls (free) closes that gap, but Container Apps ingress only requires and forwards the client certificate, so the app itself would have to validate Cloudflare's client cert
- Verify after cut-over: Azure availability tests still pass (their probes are automated traffic and may be challenged by Bot Fight Mode, so adjust if they start failing), `tech.hub.ms` resolves to Cloudflare edge IPs, direct requests to the `*.azurecontainerapps.io` FQDN are refused once IP restrictions are on, and the next wildcard renewal (DNS-01 against `acme.hub.ms` in Azure DNS, untouched by the proxy) completes
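The origin lock-down step above is the one most likely to drift, because Cloudflare's edge ranges change and the allowlist has to be regenerated rather than typed in once. The script below is an added example, not code from this note or from Cloudflare or Azure: it parses range lists in the one-CIDR-per-line format of `ips-v4` / `ips-v6`, emits the Container Apps `ipSecurityRestrictions` fragment (name, description, ipAddressRange, action), and simulates the ingress decision for a few source addresses so the bypass check can be reasoned about before deploying. The address lists embedded in it are a constructed sample, not the live Cloudflare ranges.

```python
"""
Build Container Apps ingress IP restrictions from Cloudflare edge range lists
and simulate which client addresses the resulting allowlist admits.

Added example (not the note's own code). Assumptions: rules use the
Container Apps ingress `ipSecurityRestrictions` schema; the sample lists below
are constructed in the ips-v4 / ips-v6 line format and are NOT the live ranges.
"""
import ipaddress
import json

# Constructed sample in the ips-v4 / ips-v6 format (one CIDR per line).
# Fetch the real lists from https://www.cloudflare.com/ips-v4 and /ips-v6 when applying.
SAMPLE_IPS_V4 = """\
173.245.48.0/20
103.21.244.0/22
# blank lines and comments are tolerated by the parser

198.41.128.0/17
"""
SAMPLE_IPS_V6 = """\
2400:cb00::/32
2606:4700::/32
"""


def parse_ranges(text):
    """Parse one-CIDR-per-line text. strict=True rejects ranges with host bits set,
    so a corrupted or hand-edited list fails loudly instead of producing a bad rule."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))  # ValueError on junk
    return nets


def build_restrictions(v4_text, v6_text, prefix="cloudflare"):
    """Return the ipSecurityRestrictions list: one Allow rule per Cloudflare range.
    Container Apps denies every other source implicitly once Allow rules exist,
    so the origin FQDN stops answering direct (non-proxied) requests."""
    nets = parse_ranges(v4_text) + parse_ranges(v6_text)
    rules = []
    for i, net in enumerate(sorted(nets, key=lambda n: (n.version, n.network_address)), 1):
        rules.append({
            "name": f"{prefix}-v{net.version}-{i:02d}",
            "description": "Cloudflare edge range; regenerate from cloudflare.com/ips",
            "ipAddressRange": str(net),
            "action": "Allow",
        })
    return rules


def is_allowed(src_ip, rules):
    """Simulate the ingress decision: allowed only if some Allow rule contains the address."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["ipAddressRange"])
        if rule["action"] == "Allow" and ip.version == net.version and ip in net:
            return True
    return False


def ingress_fragment(rules):
    """JSON fragment for configuration.ingress (same shape as the YAML/ARM property)."""
    return json.dumps({"ipSecurityRestrictions": rules}, indent=2)


if __name__ == "__main__":
    rules = build_restrictions(SAMPLE_IPS_V4, SAMPLE_IPS_V6)
    print(ingress_fragment(rules))
    # Probe addresses are constructed: one inside a sample range, one documentation
    # address (RFC 5737) standing in for a scanner that found the origin FQDN.
    for probe in ("173.245.48.10", "203.0.113.7", "2606:4700::1", "2001:db8::1"):
        print(probe, "allowed" if is_allowed(probe, rules) else "denied")
```

The generated entries can be pasted into the app's YAML under `configuration.ingress.ipSecurityRestrictions`, or applied one at a time with the documented Azure CLI command `az containerapp ingress access-restriction set --rule-name <name> --ip-address <cidr> --action Allow` (not run here). Re-run the generator whenever the published lists change; a stale allowlist blocks Cloudflare's newer edge nodes and surfaces as intermittent 52x errors at the edge.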
Considerations
- ACME DNS-01 challenges use the `acme.hub.ms` subdomain, an Azure DNS zone delegated from the parent. Cloudflare only needs to proxy the apex/`www`/`tech` hostnames; the ACME zone stays in Azure DNS, but once `hub.ms` is served from Cloudflare, the NS records delegating `acme.hub.ms` to the Azure DNS nameservers must be present in the Cloudflare zone (NS records are never proxied), or renewals fail at the next run.
- Wildcard cert renewal (certbot-dns-azure) writes TXT records to `acme.hub.ms` through the Azure DNS API and never touches Cloudflare.
- Blazor Server: the session-affinity cookie is set by the origin and Cloudflare passes Set-Cookie through unchanged, so sticky sessions keep working; the SignalR hub's WebSocket upgrade is proxied on the free plan, and the default cache applies only to static file extensions, so `/_blazor` traffic is not cached.
Priority
Medium. Current setup is functional but unprotected at the edge. Implement after the KV secrets migration and alerting are stable.