@McLean, James (Manx Telecom) ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I am afraid I am not exactly sure what your current setup is, but I take it that
- You are using an Azure Storage account integrated with Azure CDN and want Cloudflare to be in front of the CDN
- So the traffic flow should become : Cloudflare ----> CDN ----> Storage Account
- Please let me know if my observation is incorrect
The methods "cdnverify.foo.domain.com" and "asverify.foo.domain.com"
- Are used to add a custom domain to the CDN and App Service respectively
- i.e., used by Azure services
- These cannot be used by a 3rd party to validate the DNS.
Now,
- The reason you are getting a 4XX error is, I believe, because of SNI
- Of course Azure CDN would not be aware of the hostname "foobar.domain.com.cdn.cloudflare.net", and if a request arrives at the CDN endpoint with that hostname, it will throw a 4XX error.
- The same goes for "foobar.domain.com": unless you exclusively add the custom domain to the CDN, the CDN will throw a 4XX error.
As next steps,
#1
- I am not sure why you are using DNS for redirecting requests from your 3rd party to the CDN
- Shouldn't you add "foobar.azureedge.net" as the backend (Origin) of your 3rd party service?
- Again, I am not an expert with the 3rd party and its configuration, but DNS CNAMEs look like they provide redirection instead of a reverse proxy
- E.g., consider CDN and Storage Account:
- We do not map the CNAME of "foobar.azureedge.net" to "foobar.z22.web.core.windows.net"
- Instead, we just add the "foobar.z22.web.core.windows.net" as the backend of the CDN
- See : Create an Azure CDN profile and endpoint
- Similarly, please check with your 3rd party on how to properly add a backend to the reverse proxy.
#2
- Once done, you should be able to access the CDN (and in turn the storage account) via "foobar.domain.com.cdn.cloudflare.net"
- Now, map the custom domain to the above 3rd party's endpoint
- You can refer to their docs on how to do this
Suggestions:
- You should consider using only one reverse proxy
- Either Azure CDN or the 3rd party service.
- i.e., add the Storage Account as the backend of either Azure CDN or the 3rd party but not both
- And configure custom domain in the reverse proxy
- For Azure CDN, Map Azure CDN content to a custom domain.
Hope this clarifies.
If my understanding of your setup is incorrect, please share a network diagram.
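The answer's diagnosis (the CDN returns 4XX because the hostname presented in SNI / the Host header is one the endpoint does not know) can be confirmed directly rather than guessed at. The script below is an added example, not part of the answer above and not an Azure or Cloudflare tool: it connects to the CDN endpoint's IP, presents each candidate hostname as both the TLS SNI and the HTTP Host header, and maps the resulting status codes to the situations the answer describes. The hostnames `foobar.azureedge.net`, `foobar.domain.com` and `foobar.domain.com.cdn.cloudflare.net` are the placeholders from the thread, and the `interpret` labels are my own naming; `interpret` also generalises the answer's point into a small decision procedure that applies to any pair of chained reverse proxies, not just Cloudflare in front of Azure CDN.

```python
"""Probe which hostnames a CDN endpoint accepts (SNI + Host header).

Added example for the Q&A answer above; not Microsoft or Cloudflare code.
Hostnames are the placeholders used in the thread.
"""
import socket
import ssl

CDN_ENDPOINT = "foobar.azureedge.net"                  # Azure's own endpoint name
CUSTOM_DOMAIN = "foobar.domain.com"                    # the asker's custom domain
PROXY_HOSTNAME = "foobar.domain.com.cdn.cloudflare.net"  # the CNAME target used at Cloudflare


def parse_status(status_line):
    """'HTTP/1.1 400 Bad Request' -> 400; None if the line is not a status line."""
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(endpoint, sni, host_header, path="/", timeout=10):
    """Connect to the IP behind `endpoint`, present `sni` in the ClientHello,
    send a GET carrying `host_header`, and return the HTTP status code.
    Returns None when TCP/TLS refuses the connection or the reply is unreadable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we deliberately send mismatching SNI values
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only; we are not trusting the content
    try:
        ip = socket.gethostbyname(endpoint)
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                request = (f"GET {path} HTTP/1.1\r\n"
                           f"Host: {host_header}\r\n"
                           f"Connection: close\r\n\r\n")
                tls.sendall(request.encode("ascii"))
                status_line = b""
                while not status_line.endswith(b"\r\n"):   # read just the status line
                    chunk = tls.recv(1)
                    if not chunk:
                        return None
                    status_line += chunk
                return parse_status(status_line.decode("ascii", "replace"))
    except (OSError, ssl.SSLError):
        return None


def probe_matrix(endpoint, hostnames):
    """Use every hostname as both SNI and Host header against the same endpoint."""
    return {name: probe(endpoint, name, name) for name in hostnames}


def interpret(results, endpoint=CDN_ENDPOINT, custom=CUSTOM_DOMAIN, proxy=PROXY_HOSTNAME):
    """Map a {hostname: status} matrix to the cases discussed in the answer.

    Any status below 400 (including redirects) counts as "hostname accepted".
    """
    def accepted(name):
        status = results.get(name)
        return status is not None and status < 400

    if not accepted(endpoint):
        # Even Azure's own name fails: the endpoint/origin itself is the problem.
        return "ENDPOINT_NOT_SERVING"
    if not accepted(custom):
        # The custom domain was never added to the CDN endpoint.
        return "CUSTOM_DOMAIN_NOT_MAPPED_ON_CDN"
    if not accepted(proxy):
        # Expected: the CDN has no reason to know the upstream proxy's CNAME target.
        # Fix is to make the CDN endpoint the proxy's origin, not a DNS CNAME.
        return "PROXY_HOSTNAME_UNKNOWN_TO_CDN"
    return "ALL_HOSTNAMES_ACCEPTED"


if __name__ == "__main__":
    matrix = probe_matrix(CDN_ENDPOINT, [CDN_ENDPOINT, CUSTOM_DOMAIN, PROXY_HOSTNAME])
    for name, status in matrix.items():
        print(f"{name:48s} -> {status}")
    print(interpret(matrix))
```

Run it from a host that can reach the CDN; a result of `CUSTOM_DOMAIN_NOT_MAPPED_ON_CDN` points at the "Map Azure CDN content to a custom domain" step, while `PROXY_HOSTNAME_UNKNOWN_TO_CDN` is the expected outcome of CNAME-ing to the CDN instead of configuring it as the proxy's origin. The probe is read-only, sends a single GET per hostname, and disables certificate verification only because a mismatched SNI will by design not return a matching certificate.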