SUYOG-2915 asked JunYe-9754 answered

Restrict public access to Static Website in storage account and allow only through Azure CDN

We are planning to host Angular SPA serverless apps in an Azure storage account with static website enabled and configured with an Azure CDN endpoint.

From a security perspective, we just want to hide the primary endpoint of the storage account from public access so that users can only access it through Azure CDN.

Any solution for it?

Tags: azure-storage-accounts, azure-cdn, azure-static-web-apps

You don't need a virtual network/private endpoint as others have suggested. You can just set an IP firewall on the storage account to only allow traffic from the CDN:

  1. Use "az cdn edge-node list" to get the IPs of the PoP servers for your particular provider (Verizon, Akamai, etc.). For example, if you have jq installed, you can get the IPs for Premium CDN/Verizon this way: az cdn edge-node list | jq -cre '.[] | select(.id == "/providers/Microsoft.Cdn/edgenodes/Premium_Verizon") | .ipAddressGroups[0].ipv4Addresses | map("\(.baseIpAddress)/\(.prefixLength)")'

  2. Add that list of IPs to your storage account -> Networking -> IP allowlist. You can add these IPs manually, but there are dozens of them; you can also inject the IPs via an ARM template in a CI/CD pipeline.




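The two steps in the answer above, carried through end to end as an added example (this is not code from the answer or from Microsoft). It reads JSON in the shape the answer's jq path assumes (`.ipAddressGroups[].ipv4Addresses[].baseIpAddress` / `.prefixLength`), filters to one provider id, and turns the ranges into values the storage account firewall will accept, as either an ARM `networkAcls` block or the equivalent `az storage account network-rule add` calls. The embedded JSON is a constructed sample whose address values are illustrative, not real PoP ranges; the resource group and account names in the usage call are placeholders. It also walks every `ipAddressGroups` entry rather than only `[0]`.

```python
"""Generate Azure Storage IP network rules from `az cdn edge-node list` output.

Added example for the two-step procedure in the answer above; not code from
that answer or from Microsoft. The sample JSON is constructed and its address
values are illustrative, so run the real command for the current ranges.
"""
import ipaddress
import json

# Constructed sample in the shape of `az cdn edge-node list`; values are not real PoP ranges.
SAMPLE_EDGE_NODES = json.dumps([
    {
        "id": "/providers/Microsoft.Cdn/edgenodes/Premium_Verizon",
        "name": "Premium_Verizon",
        "ipAddressGroups": [{
            "deliveryRegion": "All",
            "ipv4Addresses": [
                {"baseIpAddress": "147.243.0.0", "prefixLength": 17},    # ordinary CIDR
                {"baseIpAddress": "147.243.200.8", "prefixLength": 31},  # /31: must become two host rules
                {"baseIpAddress": "147.243.201.5", "prefixLength": 32},  # /32: must become one host rule
                {"baseIpAddress": "10.1.0.0", "prefixLength": 16},       # RFC1918: not allowed in IP rules
            ],
            "ipv6Addresses": [{"baseIpAddress": "2001:db8::", "prefixLength": 32}],
        }],
    },
    {
        "id": "/providers/Microsoft.Cdn/edgenodes/Standard_Akamai",
        "name": "Standard_Akamai",
        "ipAddressGroups": [{
            "deliveryRegion": "All",
            "ipv4Addresses": [{"baseIpAddress": "147.243.240.0", "prefixLength": 20}],
            "ipv6Addresses": [],
        }],
    },
])


def cdn_ipv4_ranges(edge_nodes_json, provider_id):
    """Return the IPv4 networks advertised for one CDN provider, in listed order.

    Unlike the jq one-liner, this walks every ipAddressGroups entry, not just [0].
    IPv6 groups are ignored: storage account IP rules accept IPv4 only.
    """
    nets = []
    for node in json.loads(edge_nodes_json):
        if node.get("id") != provider_id:
            continue
        for group in node.get("ipAddressGroups", []):
            for entry in group.get("ipv4Addresses", []):
                nets.append(ipaddress.ip_network(
                    f"{entry['baseIpAddress']}/{entry['prefixLength']}", strict=False))
    return nets


def to_storage_ip_rules(networks):
    """Convert networks into values the storage firewall accepts.

    Azure Storage IP rules take public IPv4 addresses or CIDR ranges but reject
    /31 and /32 prefixes; those must be added as individual addresses. Private
    ranges are rejected outright, so they are dropped here instead of failing
    the deployment.
    """
    rules = []
    for net in networks:
        if not net.is_global:
            continue
        if net.prefixlen >= 31:
            rules.extend(str(addr) for addr in net)  # expand to single-host rules
        else:
            rules.append(str(net))
    return rules


def arm_network_acls(rules):
    """networkAcls block for a Microsoft.Storage/storageAccounts ARM resource."""
    return {
        "defaultAction": "Deny",    # everything not listed is blocked
        "bypass": "AzureServices",  # the default value; keeps trusted Azure services working
        "ipRules": [{"value": r, "action": "Allow"} for r in rules],
    }


def az_cli_commands(resource_group, account, rules):
    """Equivalent az CLI calls for pipelines that do not use an ARM template."""
    cmds = [f"az storage account update -g {resource_group} -n {account} --default-action Deny"]
    cmds += [f"az storage account network-rule add -g {resource_group} "
             f"--account-name {account} --ip-address {r}" for r in rules]
    return cmds


if __name__ == "__main__":
    nets = cdn_ipv4_ranges(SAMPLE_EDGE_NODES, "/providers/Microsoft.Cdn/edgenodes/Premium_Verizon")
    rules = to_storage_ip_rules(nets)
    print(json.dumps({"networkAcls": arm_network_acls(rules)}, indent=2))
    print("\n".join(az_cli_commands("my-rg", "mystaticsite", rules)))  # placeholder names
```

Two things to keep in mind when using this for real: PoP ranges change, so regenerate the rules from `az cdn edge-node list` on every pipeline run rather than committing a static list, and an IP allowlist admits the PoPs themselves, so the origin is reachable from any Azure CDN endpoint served by those PoPs, not only from your own profile.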
AndriyBilous answered

Hello @SUYOG-2915
You can serve static content directly from a storage container named

Static website option in Storage Account opens it for anonymous access. To protect the files in your storage account, you can set the access of your storage containers from public to private. If you want to grant limited access to private storage containers, you can use the Shared Access Signature (SAS) feature of your Azure storage account.

To configure CDN with a static website, please see the article that describes how to use SAS in conjunction with Azure CDN:
https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support

Sumarigo-MSFT answered Sumarigo-MSFT edited

@SUYOG-2915 Welcome to the Microsoft Q&A Forum, and thank you for posting your query!

There is a similar thread in the SO forum. Please refer to the suggestion there and let me know if you face any issue or need more information.

Additional information: Disabling public access on a storage account does not affect static websites that are hosted in that storage account. Additionally, you can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files. So this is not an option currently when using static website hosting in Azure Storage.

You cannot use a private endpoint as a CDN origin; it needs to be public. You may refer to this article and let me know if you have any questions.

Also refer: Sometimes you need to check what access a user has to a set of Azure resources. You check their access by listing their assignments. A quick way to check the access for a single user is to use the Check access feature on the Access control (IAM) page.

Cannot add Custom Domain to CDN with Azure Storage Static Website: this suggestion provides some information for your scenario.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.




JunYe-9754 answered

This is for my own reference in the future.

Found this article:
https://gunnarpeipman.com/access-restricted-blob-storage-from-azure-cdn/

TLDR:
When you enable the firewall on the storage account, add 147.243.0.0/16 to the exceptions; this appears to be the CDN's public IP range.
