Azure CDN - Storage Static Website

Solonas Andreou 75 Reputation points
2023-09-21T05:59:11.28+00:00

Hi there,

We created a storage account with a static website.

We also created a CDN profile with a custom domain and passed our certificate.

The problem is that we want a whitelist for some IP addresses.

We made those changes on the Storage Firewall (added the specific IP) but this does not work.

Even if I have my IP on the whitelist I can access the custom domain.

I also tried to go through the *.azureedge.net of the CDN, the same response.

But when I try to go through the origin hostname *.z6.web.core.windows.net it's working as expected.

Any ideas what goes wrong?


Accepted answer
  1. KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee
    2023-09-28T16:38:15.54+00:00

    @Solonas Andreou

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to whitelist only certain IPs to access your CDN.

    • CDN uses its own IP Address to access the Storage Account
    • The actual IP of the client making the request would be stored in "X-Forwarded-For" header.
    • You should consider using Standard rules engine for Azure CDN
    • Here, you must use the Remote address match condition
    • Currently, there is no "Allow" or "Block" option available for CDN.
      • Instead, you must either:
        1. Redirect the request to a custom error page, or
        2. Rewrite the URL path to a container that stores a static error page in the same storage account.

    Wrt, "Rewrite the URL path to the $web container that stores a static error page "

    • As stated above, you must create a custom error page on your own. Let's call it "error.html"
    • The "error.html" will not exist by default.
    • "index.html" is your static site.

    Now, I see you would like to allow only a certain IP. In this case,

    [Screenshot of the rule configuration]

    The reason why we should use this configuration is:

    • CDN is allow-by-default.
    • So, "explicitly creating a rule and Allowing the IP" does not actually do anything.
    • Instead, you must URL rewrite everything else except your expected IP to a custom error page.

    Wrt Storage Firewall,

    Make sure "Allow Azure services on the trusted services list to access this storage account" is enabled.

    Cheers,

    Kapil


    Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
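
The logic the accepted answer describes, as a simplified Python model added here (not code from the thread and not Azure's implementation). The addresses are constructed documentation ranges and all function names are hypothetical.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
ALLOWED = ["203.0.113.10", "198.51.100.0/24"]  # clients that may see the site
CDN_EDGE_IP = "192.0.2.50"                     # stand-in for the CDN's own address
ERROR_PAGE = "/error.html"                     # custom page created in the site container


def in_ranges(ip, ranges):
    """True if ip falls inside any single address or CIDR range in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def storage_firewall_allows(source_ip, allowed=ALLOWED):
    """The storage firewall only sees the address that connects to it."""
    return in_ranges(source_ip, allowed)


def cdn_rule(client_ip, path, allowed=ALLOWED):
    """Remote address match, negated: any client NOT in the list is rewritten
    to the error page. With no matching rule the CDN serves the request
    unchanged, which is why an explicit 'allow' rule changes nothing."""
    if not in_ranges(client_ip, allowed):
        return ERROR_PAGE
    return path


def request_via_cdn(client_ip, path):
    """The CDN evaluates the rule on the client's address, then fetches from
    the origin using its own address; the client IP travels in a header."""
    return {
        "origin_sees": CDN_EDGE_IP,
        "x_forwarded_for": client_ip,
        "served": cdn_rule(client_ip, path),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.99"):
        result = request_via_cdn(ip, "/index.html")
        print(ip, "->", result["served"],
              "| storage firewall would allow origin fetch:",
              storage_firewall_allows(result["origin_sees"]))
```
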
