I got Service unavailable error when using Azure front door origin authentication to access blob storage

Bob Chandra (PALADOR INC) 20 Reputation points Microsoft External Staff
2025-06-09T05:18:11.87+00:00

I need to disable SAS for our storage account due to Microsoft's compliance. I already added the Storage Blob Data Reader role for AFD to the storage account and set all protocol settings to HTTPS.

Somehow, I get the error below when accessing the route: (screenshot) When I observe the browser network tab, it shows error 500 without any error message.


Accepted answer
  1. Nandamuri Pranay Teja 3,610 Reputation points Microsoft External Staff Moderator
    2025-06-09T06:51:33.7033333+00:00

    Hello Bob Chandra,

    Thank you for your question!

    Although you have assigned the role, there are instances when the system-assigned managed identity for the AFD profile may not be completely provisioned or accurately represented.

    • Go to your Azure Front Door Premium profile in portal. Under Settings, select Identity.
    • Ensure that System assigned status is On. If it was off or recently turned on, note down the Object ID displayed here.
    • Confirm Role Assignment: Navigate to your Storage Account -> Access control (IAM) -> Role assignments.
    • Filter by Storage Blob Data Reader. Confirm that the Front Door profile's managed identity (using the Object ID you noted) is explicitly listed and assigned this role at the storage account scope. If you assigned it at a higher scope (resource group or subscription), it should still apply but verify.

    Please be informed that disabling SAS reduces the public accessibility of your storage account. If the "Public network access" setting is configured to Disabled or Enabled for specific virtual networks and IP addresses, Front Door requires a method to access it. Merely possessing the managed identity role is insufficient; the network route must also be accessible.

    • Go to your Storage Account -> Networking -> Private endpoint connections.
    • Create a Private Endpoint for your Blob service within the Virtual Network that your Front Door Premium origin group can access. This ensures that the traffic between Front Door and your storage account flows entirely over the Azure backbone, bypassing public firewalls.
    • Crucial for AFD Premium: In your Front Door profile, when configuring the Origin in the Origin Group that points to your storage account, ensure you have "Private Link" enabled and configured to use this private endpoint. This tells Front Door to connect privately.

    Even minor discrepancies in the origin or route setup can result in connection failures.

    • Go to your Front Door Premium profile -> Origin groups.
    • Select the Origin Group that contains your Blob Storage.
    • Check the origin's details: Origin host name: This must be the full FQDN of your storage account's blob service endpoint (e.g., yourstorageaccount.blob.core.windows.net). Do NOT include http:// or https://. HTTP/HTTPS ports: Ensure they are correct (typically 80 for HTTP, 443 for HTTPS).
    • Verify Routing Rule: Go to Routing rules in your AFD profile.
    • Select the rule that serves your images.
    • Ensure it points to the correct Origin Group and that the Origin host header setting within the routing rule is also correctly set to the storage account FQDN.

    References:

    1. https://learn.microsoft.com/en-us/azure/frontdoor/rules-match-conditions?tabs=portal&pivots=front-door-standard-premium
    2. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-routing-architecture?pivots=front-door-standard-premium

    Hope the above answer helps! Please let us know if you have any further queries.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
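The role-assignment and origin-host checks from the accepted answer, as an added example that is not part of the question or either answer: it runs offline over constructed records shaped like `az role assignment list` output, with placeholder IDs, and also covers the answer's note that an assignment at resource-group or subscription scope still applies to the storage account.

```python
STORAGE_BLOB_DATA_READER = "Storage Blob Data Reader"   # role the answer says AFD needs
BLOB_SUFFIX = ".blob.core.windows.net"                  # blob service endpoint suffix

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True if an assignment at assignment_scope applies to resource_id: ARM role
    assignments inherit downwards, so the account's own ID, its resource group or its
    subscription all count. ARM IDs are case-insensitive, so compare lower-cased."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")

def has_blob_reader_role(principal_id: str, storage_account_id: str, assignments: list) -> bool:
    """Check the AFD identity holds Storage Blob Data Reader on the storage account.
    `assignments` mirror `az role assignment list` records (principalId, roleDefinitionName, scope)."""
    return any(
        ra["principalId"] == principal_id
        and ra["roleDefinitionName"] == STORAGE_BLOB_DATA_READER
        and scope_covers(ra["scope"], storage_account_id)
        for ra in assignments
    )

def origin_host_problems(origin_host: str, account_name: str) -> list:
    """List the ways a configured origin host name deviates from the blob endpoint FQDN."""
    problems = []
    host = origin_host.strip()
    if "://" in host:  # the answer: do NOT include http:// or https://
        problems.append("origin host must not include a scheme")
        host = host.split("://", 1)[1]
    if "/" in host:
        problems.append("origin host must be a bare FQDN with no path")
        host = host.split("/", 1)[0]
    expected = f"{account_name.lower()}{BLOB_SUFFIX}"
    if host.lower() != expected:
        problems.append(f"origin host {host!r} is not the blob endpoint {expected!r}")
    return problems

# Constructed sample data with placeholder IDs (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-afd"
STORAGE_ID = RG + "/providers/Microsoft.Storage/storageAccounts/yourstorageaccount"
AFD_PRINCIPAL = "11111111-1111-1111-1111-111111111111"   # AFD identity Object ID
SAMPLE_ASSIGNMENTS = [
    # Reader granted at resource-group scope: inherited by the storage account.
    {"principalId": AFD_PRINCIPAL, "roleDefinitionName": STORAGE_BLOB_DATA_READER, "scope": RG},
    # Another principal with a different role directly on the account: does not help AFD.
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Storage Blob Data Contributor", "scope": STORAGE_ID},
]
```

Feed it the real `az afd profile show --query identity.principalId` value and the real `az role assignment list --scope <storage account id> --include-inherited` output to run the same checks against your own profile.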


1 additional answer

  1. Alex Burlachenko 9,780 Reputation points
    2025-06-09T08:21:47.3233333+00:00

    Hi there Bob,

    thanks for posting this, it's a tricky one but we'll sort it out ))

    make sure u set up the managed identity for azure front door. then go to the storage account, under access control, add the front door's managed identity and give it the 'storage blob data reader' role. super important step! here's the doc from microsoft that explains it step by step https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad. also check if u enabled 'allow blob public access' as disabled, since u're using aad auth now.

    for stuff that works anywhere )) when u get that 500 error, it's usually a backend thing. try hitting the storage url directly from postman or curl, see if it gives more details. sometimes it's just a cors issue or the blob might not exist. worth looking into the storage account logs too, they often spill the beans on what's really wrong. this might help in other tools too when debugging similar issues.

    aha, and one more thing! make sure the front door backend pool points to the storage account's primary endpoint, not some random url. seen that trip people up before :))

    let us know how it goes

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personaly thx.
    P.S. If my answer help to you, please Accept my answer
    PPS That is my Answer and not a Comment
    

    https://ctrlaltdel.blog/

