Hi Ajay,
I understand that you want public access to storage container but only from allowed domains on webapp and private for the rest, I can sugest this configuraiton:
- Disable Anonymous Access: Ensure that anonymous access is disabled for your storage account to prevent unrestricted public access. Storage Account > Settings > Configuration > Allow Blob public access to Disabled.
- Set Up CORS (Cross-Origin Resource Sharing): Configure CORS rules to allow requests only from your specific web app domain. This will ensure that only requests from your allowed domains are processed. Storage Account > Settings > Resource sharing (CORS) > Allowed origins: Your web app domain (e.g.,
https://yourwebsite.com
) > Allowed methods: Select the HTTP methods you want to allow (e.g., GET, POST - Use Shared Access Signatures (SAS): Generate SAS tokens for your web app to access the blob storage. This way, you can control the permissions and the duration of access. Storage account > Settings > Shared access signature > Configure the SAS token with the necessary permissions (e.g., read, write) and set an expiration time. > Generate the SAS token and use it in your web app to access the blob storage.
Additional references:
- https://techcommunity.microsoft.com/t5/azure-paas-blog/public-access-is-not-permitted-on-this-storage-account/ba-p/3521288
- https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal
- https://learn.microsoft.com/en-us/azure/well-architected/service-guides/storage-accounts/security
If the information helped address your question, please Accept the answer.
Luis