![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 85%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
816 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Thank you for reaching out.
Based on your questions above.
Is the Azure Front Door endpoint automatically removed if the associated storage account has been renamed or deleted?
To determine the health and proximity of each origin for a given Azure Front Door environment, each Front Door profile periodically sends a synthetic HTTP/HTTPS request to all your configured origins, these requests are called as health probe requests. A 200 OK status code indicates the origin is healthy. Any other status code is considered a failure.
Since the backend storage account will be renamed or deleted, the health probes will fail and FrontDoor will not serve the data, but the Front Door endpoint will not be removed.
If not, does that mean If I delete the storage account (associated with Azure FD) and then recreate a sensitive storage account with the same old name, it will be inadvertently exposed to the internet? Are there any protections I can put in place to avoid these scenarios?
I will answer this question in two parts based on how the old storage account was accessed by the Azure Front Door
- If the old storage account was linked to the Azure Front Door Via Private Link as shown here and when the storage account is deleted you will have to delete the private endpoint as well. When the new storage account is created again with the same name you will have to create a new private endpoint and link it to Azure Front Door. To answer your follow-up question you can use Network Policies to control traffic over private endpoints if you want to refine access rules. You can go through this documentation on securing access to the storage account.
- If the old storage account was linked to the Azure Front Door using its public URL then the new storage account can be accessible to the AFD when it has the same URL (Although in this case the storage account is itself is accessible over the internet). In order to prevent this you can use a shared access signature to secure requests to the storage account, and either have the client include the signature on all of their requests, or use the Front Door rules engine to attach it from Front Door.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.