Azure storage accessible by Azure CDN only

Question
-
Hello All,
Could you please help me to find the solution for Accessing Storage from Azure CDN only.
While making CDN configuration, we provide endpoint host.
As the storage is public and can be accessed directly, it is prone to DDoS attacks, so we need to access storage from the CDN only, so that we can configure all security configuration in the CDN.
Thanks
Satyajit
- Moved by SumanthMarigowda-MSFT (Microsoft employee) Wednesday, December 18, 2019 2:08 PM Better suited here
Tuesday, December 17, 2019 8:09 AM
Answers
-
Hello Satyajit,
The solution that worked for me is to use SAS authentication for the container. That resolves the first part of the question, which is to make content not accessible from the storage URL.
The second part is making the CDN work with the SAS key in the URL. You don't want to have the SAS hard-coded and visible, and for that you can use Verizon Premium CDN and a URL rewrite rule to include the key.
These two articles helped me to write a working rewrite rule (my solution is very specific, therefore I won't share my URL rewrite rule since it will not be replicable in other scenarios).
Unfortunately I can't include the links in the answer, but I'm sure you can find them by name:
Stack: "Azure CDN with Verizon - Rewriting URL to always load index.html"
MSDN forums: "Verizon CDN Premium / SAS Blob Storage Rewrite"
I hope this helps.
- Marked as answer by satyajittarai Wednesday, February 12, 2020 11:33 AM
Thursday, January 2, 2020 3:30 PM -
As far as I know, a blob can be accessed through a SAS token, or you can add a specific user to the list of managed identity users in order to access the blob, and even in this case the primary key to access the blob is SAS.
If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.
Best regards
Subhash
- Marked as answer by satyajittarai Wednesday, February 12, 2020 11:33 AM
Monday, January 6, 2020 9:26 AM
All replies
-
Azure Storage does not yet natively support HTTPS with custom domains. With Azure CDN, you can access blobs by using your custom domain name over HTTPS. To do so, enable Azure CDN on your blob or web endpoint and then map Azure CDN to a custom domain name. After you're done, Azure simplifies enabling HTTPS for your custom domain via one-click access and complete certificate management.
To enable HTTPS for your custom Blob storage endpoint, do the following:
- Integrate an Azure storage account with Azure CDN.
- Map Azure CDN content to a custom domain.
- Enable HTTPS on an Azure CDN custom domain.
Best regards
Subhash
- Proposed as answer by SubhashVasarapu-MSFT (Microsoft employee) Tuesday, December 17, 2019 1:51 PM
Tuesday, December 17, 2019 1:51 PM -
Hello,
Just checking in to see if the above answer helped in solving your problem. Kindly let us know if you have any further questions on this specific topic, we would be more than happy to assist you & please do mark the post which was helpful by clicking on Mark as Answer & Up-Vote to help the community find the right answers.
Regards,
Subhash
Friday, December 27, 2019 6:51 AM -
Is there any update on the issue?
If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.
Thursday, January 2, 2020 5:47 AM -
If you want to restrict blob storage access through the blob.core.windows.net URL and have the content accessible only through the CDN, then you can set up SAS authentication for the container. When a user requests the CDN URL with the SAS key, the CDN will request the asset from blob storage using the SAS URL if it is not already cached.
If you wish to keep the SAS token hidden from the end customer completely, you can use a Verizon Premium profile and use a URL rewrite rule to add the SAS token from the CDN side.
Here is a similar thread from SO for your reference.
Best regards
Subhash
Thursday, January 2, 2020 12:19 PM -
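A SAS token placed in a CDN rewrite rule is a long-lived shared credential, so it is worth checking its fields before deploying it. The following is an added example, not part of the thread: it audits the standard service SAS query parameters (`sp`, `spr`, `sr`, `se`, `sig`). The tokens are constructed samples, the 180-day ceiling is an assumed rotation policy, and an ad hoc SAS without a stored access policy is assumed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(days=180)  # assumed rotation policy, not an Azure limit
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_expiry(value):
    """Parse the 'se' field (UTC) in any of the accepted ISO 8601 forms."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_sas(token, now):
    """Return a list of findings for a SAS query string used for CDN origin pulls."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}
    findings = []
    perms = set(q.get("sp", ""))
    if "r" not in perms:
        findings.append("sp: no read permission, origin pulls will fail")
    if perms - {"r"}:  # a CDN only needs to read blobs
        findings.append("sp: grants more than read: " + "".join(sorted(perms - {"r"})))
    if q.get("spr") != "https":  # omitted spr allows both HTTP and HTTPS
        findings.append("spr: HTTP not excluded, set spr=https")
    if "ss" in q or "srt" in q:  # fields that only appear in an account SAS
        findings.append("ss/srt: account SAS, use a container-scoped service SAS")
    elif q.get("sr") not in ("c", "b"):
        findings.append("sr: not scoped to a container or blob")
    expiry = parse_expiry(q.get("se", ""))
    if expiry is None:
        findings.append("se: missing or unparseable expiry")
    elif expiry <= now:
        findings.append("se: token already expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append("se: lifetime exceeds rotation policy")
    if not q.get("sig"):
        findings.append("sig: signature missing")
    return findings

# Constructed sample tokens; the signatures are placeholders, not real values.
NOW = datetime(2020, 1, 2, tzinfo=timezone.utc)
GOOD = "sv=2019-02-02&sr=c&sp=r&spr=https&se=2020-06-01T00:00:00Z&sig=CONSTRUCTED"
BAD = "?sv=2019-02-02&ss=b&srt=sco&sp=rwdl&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas(tok, NOW) or "no findings")
```
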
Thank You Subhash, I will try this way.
Could we do OAI (origin access identity) in CDN/blob storage, so that the blob will be accessible through the CDN only?
Thanks
Monday, January 6, 2020 7:24 AM -
Thanks, I will try this way.
Could we do OAI (origin access identity) in CDN/blob storage, so that the blob will be accessible through the CDN only?
Thanks
Monday, January 6, 2020 7:24 AM -
Sorry. I was not online.
Thanks for answer.
Will taking advanced security help protect storage from external threats like DDoS attacks, XSS, etc., if OAI is not available?
Regards
Satyajit
Wednesday, February 12, 2020 11:36 AM