How to Restrict Azure Storage Access to Specific Domains Similar to Cloudflare's WAF?

Question

I'm using Azure Blob Storage to host images for my website, and I want to ensure that only my specified domain(s) can access these images. Essentially, I need to block all access from other domains, similar to how Cloudflare's Web Application Firewall (WAF) operates.

I've tried various methods, including setting up Azure CDN, Azure Front Door, and even creating custom rules, but none of these approaches have worked as intended. I also looked into using Shared Access Signatures (SAS), but it doesn't seem to fit my requirements.

My goal is to configure Azure Blob Storage so that even if a user opens developer tools (F12), copies the image URL, and pastes it directly into the browser's address bar, they should not be able to view the image unless it's accessed through my specified domain.

Is there a way to achieve this level of domain-specific access control in Azure Blob Storage? How can I prevent unauthorized direct access to my blob URLs while allowing my domain to serve these images?

Answer 1

@Phạm Trung Azure Blob Storage doesn’t natively support direct domain-based access control for blob URLs.

However, Azure Storage Accounts provide built-in firewall settings that allow you to restrict access based on IP ranges and virtual networks. You can do this by going to Azure Portal -> your Azure storage account-> Security + Networking->Networking -> Firewalls and virtual networks. While it doesn't restrict access by domain name, you can restrict access by the public IP address associated with the domain.

If you only want to block reading you could encrypt the files (although that would require decryption on the other end).

Authorize access to blobs using Microsoft Entra ID