CDN not authorized when firewall in storage account is enabled

  • Question

  • Hi all,

    I created a CDN (standard Akamai) with an endpoint connected to a standard storage account (blob only). I want to use SAS and set up the CDN following option 1 in https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support. I generated a SAS token and everything is working well, but if I restrict access to a selected network and add my IP (allow trusted Microsoft services to access this storage account is also enabled), I cannot access blobs via CDN, only directly through the storage account.

    https://<mystorageaccount>.blob.core.windows.net/<mycontainer>?restype=container&comp=list&<SAS token> works

    https://<mystorageaccount>.azureedge.net/<mycontainer>?restype=container&&<SAS token> fails with Authentication failure

    Is there a configuration to make to use CDN with the firewall?

    Thanks,

    Dan


    • Edited by DanVe Tuesday, March 24, 2020 4:10 PM
    Tuesday, March 24, 2020 4:08 PM

Answers

  • Hi, 

    When you get 403, it's forbidden or access denied by the Storage Firewall.

    The reason you get that is because CDN will act as a proxy where the source IP will change from the IP which you have whitelisted in Storage Firewall.

    Hence you are not able to access when Firewall is enabled. So, you retrieve the POP IPs from here and then whitelist those IPs in your storage account to get this working.

    Regards, 

    Msrini

    Friday, April 3, 2020 7:27 AM
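    To make the whitelisting step concrete, here is an added example (not posted by anyone in this thread) that turns a list of CDN edge (POP) IPv4 ranges into Azure Storage firewall rules. The ranges in the script are constructed sample data, not real Azure POP addresses; the Azure CLI command and JMESPath path shown in the comments for fetching the live list are the assumed way to obtain them, and the script only prints the `az storage account network-rule add` commands so you can review them before running. Since the storage firewall then admits traffic from every tenant's requests passing through those POPs, the SAS token remains the only per-request authorization, which is the limitation Dan points out at the end of the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Microsoft.
# Live data would come from the Azure CLI (assumed command and output shape):
#   az cdn edge-node list \
#     --query "[].ipAddressGroups[].ipv4Addresses[].[baseIpAddress,prefixLength]" -o tsv
# The pairs below are CONSTRUCTED sample data ("base prefixLength" per line),
# including a duplicate to show de-duplication.
POP_RANGES='192.0.2.0 24
198.51.100.0 25
203.0.113.64 26
198.51.100.0 25'

# pop_cidrs: convert "base prefix" pairs into unique CIDR strings, one per line.
# Lines that do not have exactly two fields are ignored.
pop_cidrs() {
  printf '%s\n' "$1" | awk 'NF == 2 { print $1 "/" $2 }' | sort -u
}

# pop_cidr_count: number of distinct ranges that will become firewall rules.
pop_cidr_count() {
  pop_cidrs "$1" | wc -l | tr -d ' '
}

# storage_rule_commands: dry run. Prints one Azure CLI command per CIDR that
# adds an IP network rule to the storage account firewall.
#   $1 resource group name, $2 storage account name, $3 "base prefix" list
storage_rule_commands() {
  pop_cidrs "$3" | while IFS= read -r cidr; do
    printf 'az storage account network-rule add --resource-group %s --account-name %s --ip-address %s\n' \
      "$1" "$2" "$cidr"
  done
}

# Usage (placeholder names): review the output, then pipe it to sh to apply.
#   storage_rule_commands my-resource-group mystorageaccount "$POP_RANGES"
# Keep "Allow trusted Microsoft services" and the SAS token in place: these
# rules only let the CDN edges reach the account, they do not authorize reads.
```

    Running `storage_rule_commands` with your own resource group and account name prints the rule commands for every distinct range; with the constructed list above it yields three rules.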

All replies

  • Greetings,

    I have reproduced your scenario and it does work for me, allowing SAS with pass-through to blob storage from Azure CDN while the firewall is set to only allow trusted Microsoft services to access the storage account.

    CDN accessing the blob with SAS Token: [screenshot not available]
    For a quick check,

    1. See the access level on the Blob.
    2. Also check whether you have added any path in the Azure CDN endpoint side configuration. Any changes made to this configuration would take some time to get reflected.

    Regards,
    Subhash

    Thursday, March 26, 2020 6:03 AM
  • Hi,

    I have created an ad hoc scenario and still have the issue.

    • Created a new standard storage account blob only.
    • Added a CDN endpoint connected to this storage.
    • Set global caching rules to "Cache every unique URL"
    • Created a test container. Access level is private.
    • Generated a SAS Token.
    • Restricted access to my IP only (see image)

    This works.

    https://danteststor.blob.core.windows.net/test/test-blob.txt?st=2020-03-26T14%3A24%3A48Z&se=2020-03-26T23%3A00%3A00Z&sp=racwdl&sv=2018-03-28&sr=c&sig=oTjj8BHGOKUh7Lrd8JvRNJj1MHV7DVc9oJLDqow%2BfBo%3D

    This returns "AuthorizationFailed"

    https://dantestcdn.azureedge.net/test/test-blob.txt?st=2020-03-26T14%3A24%3A48Z&se=2020-03-26T23%3A00%3A00Z&sp=racwdl&sv=2018-03-28&sr=c&sig=oTjj8BHGOKUh7Lrd8JvRNJj1MHV7DVc9oJLDqow%2BfBo%3D

    If I remove the firewall above by selecting "All networks", it works.

    Am I missing something?

    Thanks,

    Dan

    Thursday, March 26, 2020 3:19 PM
  • Appreciate your patience.

    Could you try purging the endpoint and re-enabling it? Also, have a quick look at the blob access policy.

    [screenshot not available]

    Unfortunately, sometimes it will take 24 hours for the images/files to pull up using the Endpoint Hostname. Changing the configuration makes this get prolonged.

    Please let us know if that doesn't help in your case for further analysis.

    Regards,
    Subhash

    Tuesday, March 31, 2020 7:21 PM
  • I tried purging and restarting the endpoint and nothing has changed, but if it can take 24 hours (so much…) I will wait and give feedback tomorrow.

    Thanks,

    Dan

    • Edited by DanVe Wednesday, April 1, 2020 3:02 PM
    Wednesday, April 1, 2020 2:59 PM
  • I purged and it still does not work. Access level is private. I tried with another CDN, Verizon instead of Akamai, too, and they both return Authentication Failure.
    Friday, April 3, 2020 7:18 AM
  • Hi,

    Sorry for the delay in responding, but I was busy these days. I inserted all IPs from the list (so many...) and purged the endpoint, but I still have the Unauthorized response, both in Verizon and Akamai CDN.

    Dan

    Wednesday, April 8, 2020 2:10 PM
  • Hello,

    Just checking in to see if the above answer helped in solving your problem. Kindly let us know if you have any further questions on this specific topic; we would be more than happy to assist you, and please do mark the post which was helpful by clicking on Mark as Answer and Up-Vote to help the community find the right answers.

    Regards,
    Subhash
    Monday, April 13, 2020 4:56 PM
  • Due to the nature of CDN I accept msrini's answer. I believe a firewall on the storage account cannot be the right solution to limit access.

    Thanks,

    Dan

    Tuesday, April 14, 2020 8:47 AM