Remove automatic Azure Front Door endpoint if the associated storage account has been deleted

TonyTo 0 Reputation points
2023-12-04T10:23:14.0166667+00:00

Hello,

Is the Azure Front Door endpoint automatically removed if the associated storage account has been renamed or deleted?

If not, does that mean If I delete the storage account (associated with Azure FD) and then recreate a sensitive storage account with the same old name, it will be inadvertently exposed to the internet?

Are there any protections I can put in place to avoid these scenarios?

Many Thanks,

Regards


1 answer

  1. ChaitanyaNaykodi-MSFT 24,656 Reputation points Microsoft Employee
    2023-12-05T01:31:09.08+00:00

    @TonyTo

    Thank you for reaching out.

    Based on your questions above:

    Is the Azure Front Door endpoint automatically removed if the associated storage account has been renamed or deleted?

    To determine the health and proximity of each origin for a given Azure Front Door environment, each Front Door profile periodically sends a synthetic HTTP/HTTPS request to all your configured origins; these requests are called health probe requests. A 200 OK status code indicates the origin is healthy. Any other status code is considered a failure.

    Since the backend storage account will be renamed or deleted, the health probes will fail and Front Door will not serve the data, but the Front Door endpoint will not be removed.

    If not, does that mean If I delete the storage account (associated with Azure FD) and then recreate a sensitive storage account with the same old name, it will be inadvertently exposed to the internet? Are there any protections I can put in place to avoid these scenarios?

    I will answer this question in two parts, based on how the old storage account was accessed by the Azure Front Door.

    • If the old storage account was linked to the Azure Front Door via Private Link as shown here, then when the storage account is deleted you will have to delete the private endpoint as well. When the new storage account is created again with the same name, you will have to create a new private endpoint and link it to Azure Front Door. To answer your follow-up question, you can use Network Policies to control traffic over private endpoints if you want to refine access rules. You can go through this documentation on securing access to the storage account.
    • If the old storage account was linked to the Azure Front Door using its public URL, then the new storage account can be accessible to the AFD when it has the same URL (although in this case the storage account itself is accessible over the internet). In order to prevent this, you can use a shared access signature to secure requests to the storage account, and either have the client include the signature on all of their requests, or use the Front Door rules engine to attach it from Front Door.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

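The second bullet of the answer recommends a shared access signature (SAS) attached by the Front Door rules engine. The following Python script is an added illustration written for this page; it is not code from the question, the answer, or Azure itself. It models why a SAS protects against the re-creation scenario: the SAS is an HMAC over the request scope using the storage account key, and a re-created account gets fresh keys, so a SAS minted for the old account (or attached by a Front Door rule configured for it) fails origin-side validation and the request is rejected instead of served. The string-to-sign layout, the hostname `contosodata.blob.core.windows.net`, the container name and both account keys are constructed assumptions; Azure's real service SAS string-to-sign has more fields than the simplified one here.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (not real Azure keys): the original storage
# account's key and the key of an account later re-created under the same name.
OLD_ACCOUNT_KEY = base64.b64encode(b"old-account-key-" * 4).decode()
NEW_ACCOUNT_KEY = base64.b64encode(b"new-account-key-" * 4).decode()

SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(account: str, container: str, permissions: str, expiry: str) -> str:
    # Simplified stand-in for Azure's service SAS string-to-sign (assumption:
    # the real format carries more fields such as start time, IP range, protocol).
    return "\n".join([permissions, expiry, f"/blob/{account}/{container}", SAS_VERSION])


def _sign(account_key_b64: str, string_to_sign: str) -> str:
    # HMAC-SHA256 keyed with the decoded account key, base64-encoded like Azure's "sig".
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def mint_sas(account: str, container: str, account_key_b64: str,
             permissions: str = "r", lifetime_minutes: int = 60,
             now: Optional[datetime] = None) -> str:
    """Mint a container-scoped SAS query string, the token a Front Door rules
    engine action would append to requests it forwards to the origin."""
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(minutes=lifetime_minutes)).strftime(TIME_FMT)
    sig = _sign(account_key_b64, _string_to_sign(account, container, permissions, expiry))
    return urlencode({"sv": SAS_VERSION, "sp": permissions, "se": expiry, "sr": "c", "sig": sig})


def verify_sas(url: str, account_key_b64: str,
               now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Origin-side check: recompute the signature with the account's *current*
    key and reject expired, tampered or foreign tokens. Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    for required in ("sv", "sp", "se", "sr", "sig"):
        if required not in params:
            return False, f"missing SAS parameter {required}"
    account = parsed.hostname.split(".")[0]            # storage account name
    container = parsed.path.lstrip("/").split("/", 1)[0]
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "SAS expired"
    if params["sv"] != SAS_VERSION:
        return False, "unsupported SAS version"
    expected = _sign(account_key_b64, _string_to_sign(account, container, params["sp"], params["se"]))
    if not hmac.compare_digest(expected, params["sig"]):
        return False, "signature does not match the account key"
    return True, "ok"


def origin_response(url: str, account_key_b64: str) -> int:
    """HTTP status the origin returns for a forwarded request: 200 when the
    attached SAS validates against the account's current key, otherwise 403."""
    accepted, _ = verify_sas(url, account_key_b64)
    return 200 if accepted else 403


def demo() -> dict:
    """Walk the scenario from the question: same hostname, old vs. new account key."""
    base = "https://contosodata.blob.core.windows.net/private/report.csv?"
    valid = base + mint_sas("contosodata", "private", OLD_ACCOUNT_KEY)
    stale = base + mint_sas("contosodata", "private", OLD_ACCOUNT_KEY,
                            now=datetime(2020, 1, 1, tzinfo=timezone.utc))
    tampered = valid.replace("sp=r&", "sp=rw&")        # client widens permissions
    return {
        "old_account": origin_response(valid, OLD_ACCOUNT_KEY),        # 200
        "recreated_account": origin_response(valid, NEW_ACCOUNT_KEY),  # 403: new keys
        "expired": origin_response(stale, OLD_ACCOUNT_KEY),            # 403
        "tampered_permissions": origin_response(tampered, OLD_ACCOUNT_KEY),  # 403
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22s} -> {status}")
```

The key point for the question is the `recreated_account` case: because the signature is bound to the account key rather than to the hostname, a Front Door rule that still attaches the old account's SAS cannot unlock a newly created account with the same name, and direct requests without any SAS are refused outright. Rotating the old key before deleting the account has the same effect on tokens already handed to clients.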