Applying AzureFrontDoor.Backend service tag to blob storage static site

Kenny Kawahara 41 Reputation points
2024-01-19T20:44:51.0433333+00:00

I have a static site enabled using the Azure Storage account feature which enables a site with a url like: <storageaccountname>.z#.web.core.windows.net I have also created a custom domain using Azure Front door with the blob storage static site as a backend origin. I would now like to disable public access to the original site and only allow traffic from the Front Door custom domain. In this Front Door documentation, they reference using a Service Tag called AzureFrontDoor.Backend, but I am at a loss as to how I might configure this for the Storage account's networking options which only accepts IP/CIDR ranges. Is what I'm trying to do possible with just Front Door Standard? Thanks for any guidance!

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
691 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,220 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,920 questions
{count} votes

2 answers

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2024-01-20T03:40:46.8066667+00:00

    Kenny KawaharaThank you for reaching out.

    I understand that you have Azure Storage static website added as a backend to Azure Front Door Standard and now you wish to restrict the static website to AzureFrontDoor.Backend service tag so that it can be only accessed using Azure Front Door.

    I do not think currently it is possible to deploy such configuration.

    • As you are using Standard AFD tier your storage account must be publicly accessible.
    • Currently IP network rules on a Storage Account do not support service tags and only IPV4 IP ranges can be added. AzureFrontDoor.Backend service tag also consists of IPv6 IP addreses.

    The recommended solution here will be to upgrade your Azure FrontDoor to Premium tier and access Azure Storage account by using Private Link. The storage account is configured to deny direct access from the internet, and to only allow requests through the private endpoint connection used by Front Door. This configuration ensures that every request gets processed by Front Door, and avoids exposing the contents of your storage account directly to the internet. You can follow the tutorial here to configure Azure Front Door Premium to a storage static website with Private Link.

    As documented here alternate solution here will be to use a shared access signature to secure requests to the storage account, and either have the client include the signature on all of their requests, or use the Front Door rules engine to attach it from Front Door.

    Hope this helps! Please let me know if you have any question here or need any additional help.

    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Xavier 1 Reputation point
    2024-07-28T03:10:50.76+00:00

    Hi,

    I have a question if we lock down the access to storage account either private link then how we can deploy the content using Azure Devops CICD pipeline?

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.