Azure CDN with Azure Blob Storage - Optimizing and Securing File Access

dev-thakku 0 Reputation points
2024-01-23T06:58:38.9933333+00:00

Hi,
We are using Azure Blob Storage to store the files, and we are using Azure CDN in front of it to make file access faster. As per our setup, we are generating the URLs to the file with new SAS tokens every time, and we have configured the caching rules to Cache every unique URL, so to my understanding the request will reach the origin server (i.e. Azure Blob Storage) for every request (correct me if I'm wrong).

Question:
If every request still reaches the origin server, then what benefit does Azure CDN provide in this scenario?


2 answers

  1. Silvia Wibowo 3,011 Reputation points Microsoft Employee
    2024-01-24T02:21:40.52+00:00

    Hi @dev-thakku , I understand you have Azure CDN in front of Azure Blob Storage, and you use new SAS tokens each time the client accesses through CDN.

    There are 3 options for cache behaviour in Azure CDN:

    • Cache every unique URL. Azure CDN will cache the file, but subsequent requests will not be served from cache, because a new SAS token is used, so the URL is different.
    • Bypass caching for query strings. Azure CDN will not cache the file. All requests pass through.
    • Ignore query strings. Azure CDN will cache the file, and subsequent requests will be served from cache until the cache expires. The risk: if the SAS is not valid, the user still gets the file; and if the file changes in Blob Storage, the user still gets the old file from the CDN cache. This is not recommended, as it defeats the purpose of using a SAS token.

    My opinion: in this case, Azure CDN only provides the nearest network entry point (from the user); from there, it uses the Microsoft backbone to get to the Azure region where the Blob Storage is. You will not get any caching benefit.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

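The three cache behaviours above, modelled as an added example (this is not code from the answer or from Azure; the URLs, the `sig` values and the "currently valid signatures" set are constructed placeholders, not real SAS tokens). It derives the cache key the way each mode does and replays the same blob requested with a rotating SAS, so you can see why "Cache every unique URL" never hits, why "Bypass caching" never caches, and why "Ignore query strings" hits but also serves a request whose SAS the origin would have rejected.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample: one blob, requested three times with a freshly minted SAS each time.
# sv/se/sig values are placeholders, not real Azure tokens.
REQUESTS = [
    "https://cdn.example.net/files/report.pdf?sv=2022-11-02&se=2024-01-23T07%3A00Z&sig=AAA",
    "https://cdn.example.net/files/report.pdf?sv=2022-11-02&se=2024-01-23T07%3A05Z&sig=BBB",
    "https://cdn.example.net/files/report.pdf?sv=2022-11-02&se=2024-01-23T07%3A10Z&sig=CCC",
]
# A fourth request carrying a SAS the origin no longer accepts (constructed).
EXPIRED_REQUEST = "https://cdn.example.net/files/report.pdf?sv=2022-11-02&se=2024-01-22T07%3A00Z&sig=OLD"

# Stand-in for the storage account's own SAS check: only these signatures are valid right now.
VALID_SIGS = {"AAA", "BBB", "CCC"}

MODES = ("cache-every-unique-url", "bypass-caching-for-query-strings", "ignore-query-strings")


def cache_key(url: str, mode: str):
    """Return the edge cache key for a URL under the given query-string caching mode.

    None means "do not cache this response".
    """
    parts = urlsplit(url)
    if mode == "cache-every-unique-url":
        return url                      # query string is part of the key: new SAS -> new key
    if mode == "bypass-caching-for-query-strings":
        return None if parts.query else urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if mode == "ignore-query-strings":
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))  # key drops the SAS
    raise ValueError(f"unknown mode: {mode}")


def origin_validates_sas(url: str) -> bool:
    """Model of the origin (Blob Storage) checking the SAS on the forwarded request."""
    sig = parse_qs(urlsplit(url).query).get("sig", [None])[0]
    return sig in VALID_SIGS


@dataclass
class EdgeStats:
    hits: int = 0
    misses: int = 0
    origin_requests: int = 0


def simulate(requests, mode: str):
    """Replay requests through a single-POP cache model.

    Returns (stats, served) where served[i] is (where_from, content_delivered) per request.
    A cache hit never consults the origin, so the SAS on that request is never checked.
    """
    cache = {}
    stats = EdgeStats()
    served = []
    for url in requests:
        key = cache_key(url, mode)
        if key is not None and key in cache:
            stats.hits += 1
            served.append(("cache", True))
            continue
        stats.misses += 1
        stats.origin_requests += 1
        ok = origin_validates_sas(url)
        served.append(("origin", ok))
        if ok and key is not None:
            cache[key] = True           # only successful responses are stored
    return stats, served


if __name__ == "__main__":
    for mode in MODES:
        stats, served = simulate(REQUESTS + [EXPIRED_REQUEST], mode)
        print(f"{mode:34} hits={stats.hits} origin={stats.origin_requests} expired_sas_served={served[-1]}")
```

Running it shows the trade-off the answer describes: the first two modes forward every request (four origin hits, the stale SAS is refused), while "Ignore query strings" answers three of four from the edge and hands the file to the expired-SAS request as well.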

  2. ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
    2024-01-24T03:45:51.1566667+00:00

    @dev-thakku

    Thank you for reaching out. I understand you are using Azure CDN to access the blob storage, are generating the URLs to the file with new SAS tokens every time, and have the cache setting configured to Cache every unique URL.

    As correctly identified by Silvia above, you will not get the caching benefit in this case. I also do not think you will get the benefit of using CDN to send the data to the nearest entry point, because even without using CDN for storage, primary endpoints always use the Microsoft global network. The global BGP Anycast announcement ensures ingress traffic enters the Microsoft network closest to the user. When a user from Singapore accesses Azure resources hosted in Chicago, the traffic enters the Microsoft global network at the Singapore edge POP. The traffic then travels on the Microsoft network to the service hosted in Chicago. More details can be found here.

    As documented here, Azure CDN can also accelerate dynamic content, which can't be cached, by using various network optimizations at CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).

    If it helps: I am assuming you are generating the URLs to the file with new SAS tokens every time in order to enhance security, so that no one on the internet can access the file without the newly created SAS token. Based on this assumption, I think using Azure Front Door instead of Azure CDN will be beneficial for your use case.

    I think using Azure Front Door Premium to access the Storage via Private link as described here will help in enhancing the security of the Blob Storage. In this configuration Front Door securely connects to the Azure Storage account by using Private Link. The storage account is configured to deny direct access from the internet, and to only allow requests through the private endpoint connection used by Front Door. This configuration ensures that every request gets processed by Front Door, and avoids exposing the contents of your storage account directly to the internet.

    With AFD you can also use Web Application Firewall to enhance the security of your web application. Additional references: https://learn.microsoft.com/en-us/azure/frontdoor/private-link

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.