Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to leverage Azure Front Door Premium storage account origin with Private Link.
Apologies for the delay, as I was deploying a Lab.
Your configuration steps are correct. It is just that we overlooked the "Change Access level" property of the Storage Account.
Refer: Configure anonymous public read access for containers and blobs
- The "Private" does not mean access is restricted to only Private IPs
- In fact, this setting does not influence the networking part at all (at least, not at HTTP level)
- It actually means access is only provided for "Authorized requests".
- No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
- Network Access is actually controlled and provided to the Storage Account as a whole.
Now, for your case, you must use either a
- Shared Key (storage account key) or
- Shared access signature (SAS)
We can actually test this just by using the Storage Account.
- Set the "Change Access level" to Private
- Try to access the blob in the container; you should see 404, which is expected.
- Now, with the Access Level still as Private, use a shared access signature (SAS) and make the requests with it
- You will see that, even with "Change Access level" set to Private, you will be able to access it via the Internet
So, this means, your request will become something like,
- https://<StorageAccountName>.blob.core.windows.net/private/index.html?<SASToken>
- And subsequently, your AFD request becomes,
- https://<AFDEndPointName>.azurefd.net/private/index.html?<SASToken>
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
Please Accept an answer if correct.
Original posters help the community find answers faster by identifying the correct answer.
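The SAS token travels in the query string of both URLs shown in the answer, so whoever holds the URL holds the access it grants. The following is an added example, not part of the original answer or Microsoft's code: it builds the two URL forms and reviews a service SAS before it is handed out. The function names, the 24-hour lifetime limit, the sample tokens and the account/endpoint names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

def sas_findings(sas_token, now, max_lifetime=timedelta(hours=24)):
    """Return a list of concerns about a service SAS query string."""
    q = {k: v[0] for k, v in parse_qs(sas_token.lstrip("?")).items()}
    findings = []
    if "sig" not in q:
        findings.append("no sig parameter: not a signed SAS")
    # sp holds one letter per permission; a read-only blob needs just "r".
    extra = set(q.get("sp", "")) - {"r"}
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))
    # spr=https restricts the token to HTTPS requests.
    if q.get("spr") != "https":
        findings.append("spr is not https: token also usable over HTTP")
    if "se" not in q:
        findings.append("no se (expiry) parameter in the token")
        return findings
    expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:          # SAS times are UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= now:
        findings.append("token already expired")
    elif expiry - now > max_lifetime:  # assumed policy limit, not an Azure rule
        findings.append("lifetime exceeds %s" % max_lifetime)
    return findings

def blob_urls(account, afd_endpoint, container, blob, sas_token):
    """Build the direct and Front Door URLs in the form used in the answer."""
    path = "/" + quote(container) + "/" + quote(blob)
    query = "?" + sas_token.lstrip("?")
    return ("https://%s.blob.core.windows.net%s%s" % (account, path, query),
            "https://%s.azurefd.net%s%s" % (afd_endpoint, path, query))

# Constructed sample tokens; the sig values are placeholders, not real signatures.
NOW = datetime(2030, 1, 1, 0, 0, tzinfo=timezone.utc)
GOOD = "sv=2022-11-02&sr=b&sp=r&spr=https&se=2030-01-01T01%3A00%3A00Z&sig=CONSTRUCTED"
BROAD = "sv=2022-11-02&sr=c&sp=rwdl&se=2031-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"

if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, sas_findings(token, NOW) or "no findings")
    for url in blob_urls("examplestorage", "example-endpoint",
                         "private", "index.html", GOOD):
        print(url)
```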