Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to whitelist only certain IPs to access your CDN.
- CDN uses its own IP address to access the Storage Account
- The actual IP of the client making the request would be stored in "X-Forwarded-For" header.
- You should consider using Standard rules engine for Azure CDN
- Here, you must use the Remote address match condition
- Currently, there is no "Allow" or "Block" option available for CDN.
- Instead,
  - you must redirect the request to a custom error page
  - or rewrite the URL path to a container that stores a static error page in the same storage account.
Wrt, "Rewrite the URL path to the $web container that stores a static error page"
- As stated above, you must create a custom error page on your own. Let's call it "error.html"
- The "error.html" will not exist by default.
- "index.html" is your static site.
Now, I see you would like to allow only a certain IP. In this case,
The reason why we should use this configuration is:
- CDN is allow by default.
- So, "explicitly creating a rule and Allowing the IP" does not actually do anything.
- Instead, you must URL rewrite everything else except your expected IP to a custom error page.
Wrt Storage Firewall,
Make sure "Allow Azure services on the trusted services list to access this storage account" is enabled.
Cheers,
Kapil
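The rule this answer describes (Remote address condition, negated IP match, URL rewrite to "error.html"), as an added example that is not part of the original answer or Microsoft's code: a simplified local model of how such a rule decides which path is served. The condition and action field names follow the delivery rule shape; the rule name, the documentation-range addresses and the evaluator functions are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allowlist (documentation-range addresses, not real clients).
ALLOWED = ["203.0.113.10", "198.51.100.0/24"]

def build_rule(allowed, error_path="/error.html"):
    """Simplified delivery rule: rewrite every request NOT from an allowed IP."""
    return {
        "name": "RewriteAllButAllowed",  # hypothetical rule name
        "order": 1,
        "conditions": [{
            "name": "RemoteAddress",
            "parameters": {
                "operator": "IPMatch",
                "negateCondition": True,  # "Not match": everyone except the list
                "matchValues": list(allowed),
            },
        }],
        "actions": [{
            "name": "UrlRewrite",
            "parameters": {
                "sourcePattern": "/",
                "destination": error_path,
                "preserveUnmatchedPath": False,
            },
        }],
    }

def condition_matches(cond, remote_addr):
    """True when the (possibly negated) IP match condition fires."""
    p = cond["parameters"]
    ip = ipaddress.ip_address(remote_addr)
    hit = any(ip in ipaddress.ip_network(v, strict=False) for v in p["matchValues"])
    return hit != p["negateCondition"]

def served_path(rule, remote_addr, path):
    """Path the origin is asked for after the rule has been evaluated."""
    if all(condition_matches(c, remote_addr) for c in rule["conditions"]):
        for act in rule["actions"]:
            a = act["parameters"]
            if act["name"] == "UrlRewrite" and path.startswith(a["sourcePattern"]):
                rest = path[len(a["sourcePattern"]):] if a["preserveUnmatchedPath"] else ""
                return a["destination"] + rest
    return path  # no rule fired: the CDN serves the request (allow by default)

if __name__ == "__main__":
    rule = build_rule(ALLOWED)
    for addr in ("203.0.113.10", "198.51.100.77", "192.0.2.55"):
        print(addr, "->", served_path(rule, addr, "/index.html"))
```
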