Blob SAS with IP-range restrictions and custom domain

Question

Hi there,

I'm trying to generate SAS for blobs on a storage account with a custom domain configured (Azure CDN and cache every unique url). I then use the .net sdk to set the ip range restriction of the SAS using

var sasBuilder = new BlobSasBuilder()
{
    ..
    IPRange = new SasIPRange(clientIPAdress)
}

The IP range restriction works as expected when using the full storage account url (*.blob.core.windows.net/) but not when using the custom domain url.
The SAS works as expected with the custom domain without IPRange restrictions.

Thinking its the Azure CDN service that doesnt forward/change headers to the blob service? Any way around this?

Best,
Douglas

Answer 1

@Douglas Isaksson
For help using Azure CDN with SAS token please refer to the documentation here. SAS parameters are not visible to Azure CDN, Azure CDN cannot change its delivery behavior based on them. The defined parameter restrictions apply only on requests that Azure CDN makes to the origin server, not for requests from the client to Azure CDN.

If you are using Azure CDN from Verizon, you can set the Allowed IP Addresses parameter to the ranges defined in Azure CDN from Verizon Edge Server IP Ranges. If you are using Azure CDN from Akamai, you cannot set the IP ranges parameter because the IP addresses are not static.

Hope this helps. Let us know if you have further questions or issues and we will do our best to assist.

-------------------------------

Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Missed that section it seems. My bad. That explains it, cheers!