Custom Domain Standard for Deployed Environments · CLOUD-02
Rationale
To ensure consistency, security, and operational scalability across environments, all deployed services must adhere to a standardised approach to custom domain configuration. This standard provides:
- Predictable and brand-aligned access URLs
- Improved compatibility with authentication mechanisms such as OAuth
- Automated, secure HTTPS handling
- Easier domain management and DNS configuration
- Reduced operational overhead through convention and automation
All externally accessible services must use a custom domain · CLOUD-02.1 · MUST · DEV
All deployed environments must expose services via custom domains. Default or auto-generated platform URLs (e.g. app-name.azurewebsites.net, xyz.cloudfront.net) must not be used for direct access in any environment.
This improves:
- URL readability and user trust
- Compatibility with enterprise SSO and OAuth
- Portability across hosting providers
Secure all custom domains using managed SSL/TLS certificates · CLOUD-02.2 · MUST · DEV
Custom domains must be protected with automatically managed SSL/TLS certificates offered by the hosting or CDN provider. These certificates should:
- Support automatic renewal
- Be provisioned through a DNS or HTTP challenge
- Avoid manual upload workflows unless explicitly justified
This ensures continuous HTTPS support without administrative overhead or security risks.
EXCEPTION: This does not apply where SSL/TLS certificates are managed by the client.
Follow a standardised domain naming convention · CLOUD-02.3 · MUST · DEV
All custom domains must follow a consistent structure to clearly identify:
- The service name
- The tenant/customer (if multi-tenant)
- Optional: The deployed environment
Recommended pattern
Use centralised DNS management · CLOUD-02.4 · SHOULD · DEV
DNS zones should be managed via a centralised, version-controlled configuration using Infrastructure as Code (e.g. Terraform, Pulumi, Bicep).
Benefits include:
- Reviewed, auditable changes
- Avoidance of duplicated or conflicting records
- Reproducibility across multiple environments
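One way to enforce CLOUD-02.1 and the "duplicated or conflicting records" point of CLOUD-02.4 as a review-time check is sketched below. It is an added example, not part of this standard or of any provider tooling. The function names, the record tuple layout and the example.com sample data are assumptions constructed for illustration, and the HTTPS check is included as a companion to CLOUD-02.2.

```python
from urllib.parse import urlsplit

# Default platform suffixes named in CLOUD-02.1; extend for other providers in use.
PLATFORM_SUFFIXES = ("azurewebsites.net", "cloudfront.net")
HOST_VALUED = {"CNAME", "NS"}  # record types whose value is a hostname

def check_urls(urls):
    """Return (url, problem) findings for the URLs a deployment exposes."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        if parts.scheme != "https":
            findings.append((url, "not served over HTTPS"))
        if any(host == s or host.endswith("." + s) for s in PLATFORM_SUFFIXES):
            findings.append((url, "default platform domain"))
    return findings

def check_records(records):
    """Return (name, problem) findings for declared (name, type, value) records."""
    findings, seen, types_by_name = [], set(), {}
    for name, rtype, value in records:
        name, rtype = name.rstrip(".").lower(), rtype.upper()
        if rtype in HOST_VALUED:  # hostnames compare case-insensitively
            value = value.rstrip(".").lower()
        if (name, rtype, value) in seen:
            findings.append((name, f"duplicate {rtype} record"))
        seen.add((name, rtype, value))
        types_by_name.setdefault(name, set()).add(rtype)
    for name, types in sorted(types_by_name.items()):
        # A CNAME cannot coexist with other record types at the same name (RFC 1034).
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append((name, f"CNAME conflicts with {others}"))
    return findings

# Constructed sample input: exposed URLs and the records declared for the zone.
SAMPLE_URLS = ["https://portal.example.com/",
               "https://portal-prod.azurewebsites.net/",
               "http://docs.example.com/"]
SAMPLE_RECORDS = [("portal.example.com", "CNAME", "portal-prod.azurewebsites.net"),
                  ("portal.example.com.", "cname", "portal-prod.azurewebsites.net."),
                  ("docs.example.com", "CNAME", "d111.cloudfront.net"),
                  ("docs.example.com", "A", "192.0.2.10")]

if __name__ == "__main__":
    for subject, problem in check_urls(SAMPLE_URLS) + check_records(SAMPLE_RECORDS):
        print(f"{subject}: {problem}")
```

A platform hostname as a CNAME target is expected and is not flagged; only the URLs exposed to users are checked against the platform suffixes.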
Automate domain provisioning and validation · CLOUD-02.5 · COULD · DEV
Where feasible, automate the provisioning of domains, validation of SSL certificates, and creation of DNS records as part of the deployment process.
This supports:
- Faster, safer deployments
- Reduced manual configuration errors
- Stronger alignment with GitOps and infrastructure-as-code workflows