Azure Storage Account - Public Access via Azure Front Door Endpoint - Firewall Setting

juni dev 336 Reputation points
2024-08-30T14:19:48.2533333+00:00

Hi, I have a storage account static website being accessed via Azure FrontDoor. It works well with "Public network access" option set to "Enabled from all networks". If I set it to "Enabled from selected VNETs and IPs" I'll need to add to the firewall exceptions the CIDRs of the FrontDoor, right?

Q1: Where can I find the list of IPs used by Azure FrontDoor to reach my storage account?

Q2: Will it use specific IPs of our FD instance/setup or IPs used globally?


1 answer

  1. Sai Prasanna Sinde (Quadrant Resource LLC) 1,000 Reputation points Microsoft Vendor
    2024-09-02T07:25:13.25+00:00

    Hi @juni dev ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Q1: Where can I find the list of IPs used by Azure Front Door to reach my storage account?

    • The AzureFrontDoor.Backend service tag offers a detailed list of IP addresses used by Azure Front Door to access your storage account. This service tag encompasses all the IP addresses Azure Front Door uses to connect to your origins, such as Azure Storage accounts. By incorporating this service tag into your network security group rules, you can effectively control Azure Front Door's access to your storage account.

    For your reference: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#what-are-the-network-service-tags-that-front-door-supports-

    Q2: Will it use specific IPs of our FD instance/setup or IPs used globally?

    • Azure Front Door operates on a globally shared IP address space rather than using specific IPs for individual instances. As a result, the IP addresses associated with Azure Front Door are shared among all users and are subject to change. For stable configuration, it is recommended to utilize the AzureFrontDoor.Backend service tag instead of hard-coding certain IP addresses.

    For your reference: https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium#ip-address-filtering

    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#does-azure-front-door-have-the-capability-to-load-balance-or-route-traffic-within-a-virtual-network-

    • Managing a large number of IP addresses is not advisable, as mentioned, especially since they frequently change. Therefore, it's recommended to use a different approach for this purpose: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-storage-account

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the answer is helpful, please click "Accept Answer" and "Upvote it".
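A defender-side check on the Q1/Q2 points above: if the storage account stays on "Enabled from selected virtual networks and IP addresses", its firewall accepts public IPv4 addresses and CIDR ranges, not service tags, so the AzureFrontDoor.Backend ranges have to be pulled out of the service-tag download (the same data `az network list-service-tags --location <region>` returns) and re-checked whenever the change number moves. The Python below is an added example, not part of this thread or of any Microsoft tooling. The embedded JSON is a constructed sample that only mimics the shape of the service-tag file (changeNumber / values[].name / values[].properties.addressPrefixes) using documentation address ranges; the storage account and resource group names are placeholders; and the 400-rule budget is an assumption to verify against the current Azure Storage limits.

```python
"""Turn an Azure service-tag document into storage-account firewall IP rules.

Constructed sample: SAMPLE_SERVICE_TAGS has the shape of the public
"Azure IP Ranges and Service Tags" JSON, but the prefixes are RFC 5737 /
RFC 3849 documentation ranges, not real Front Door addresses.
"""
import ipaddress
import json

SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 300,
    "cloud": "Public",
    "values": [
        {
            "name": "AzureFrontDoor.Backend",
            "id": "AzureFrontDoor.Backend",
            "properties": {
                "changeNumber": 12,
                "systemService": "AzureFrontDoor",
                "addressPrefixes": [
                    "192.0.2.0/29",        # constructed documentation ranges
                    "203.0.113.64/26",
                    "192.0.2.200/32",      # /32: must become a single-address rule
                    "198.51.100.8/31",     # /31: must become two single-address rules
                    "2001:db8::/40",       # IPv6: storage IP rules are IPv4 only
                ],
            },
        },
        {
            "name": "AzureFrontDoor.Frontend",
            "id": "AzureFrontDoor.Frontend",
            "properties": {"changeNumber": 9, "systemService": "AzureFrontDoor",
                           "addressPrefixes": ["203.0.113.0/26"]},
        },
    ],
})


def service_tag_prefixes(doc: str, tag_name: str) -> tuple[int, list[str]]:
    """Return (changeNumber, addressPrefixes) for one named tag in the document."""
    data = json.loads(doc)
    for entry in data["values"]:
        if entry["name"] == tag_name:
            props = entry["properties"]
            return props["changeNumber"], list(props["addressPrefixes"])
    raise KeyError(f"service tag {tag_name!r} not found in document")


def storage_ip_rules(prefixes: list[str]) -> list[str]:
    """Map prefixes onto what the storage firewall accepts: IPv4 only, and
    /31 or /32 ranges expanded into individual address rules."""
    rules: list[str] = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 4:
            continue                     # drop IPv6 silently; not configurable here
        if net.prefixlen >= 31:
            rules.extend(str(addr) for addr in net)   # one rule per address
        else:
            rules.append(str(net))
    return rules


def within_rule_budget(rules: list[str], max_rules: int = 400) -> bool:
    """max_rules is an assumption: confirm the per-account limit in current docs."""
    return len(rules) <= max_rules


def prefix_drift(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """(added, removed) between two downloads; non-empty means the firewall
    rules need updating, which is the maintenance burden the answer warns about."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


def az_cli_commands(account: str, resource_group: str, rules: list[str]) -> list[str]:
    """Render one `az storage account network-rule add` per rule for review."""
    return [
        f"az storage account network-rule add -g {resource_group} "
        f"--account-name {account} --ip-address {rule}"
        for rule in rules
    ]


if __name__ == "__main__":
    change, prefixes = service_tag_prefixes(SAMPLE_SERVICE_TAGS, "AzureFrontDoor.Backend")
    rules = storage_ip_rules(prefixes)
    print(f"AzureFrontDoor.Backend change {change}: {len(rules)} IPv4 rule(s)")
    for cmd in az_cli_commands("placeholderstorageacct", "placeholder-rg", rules):
        print(cmd)
```

Run it against the real download by replacing SAMPLE_SERVICE_TAGS with the file contents; keep the previous download and feed both to `prefix_drift` on a schedule so a change in the tag shows up as a finding rather than as a broken static site. The rule-count check matters because the real tag is far larger than this sample, and expanding /31 and /32 entries inflates it further.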

