Restrict public access to Static Website in storage account and allow only through Azure CDN

SUYOG 6 Reputation points
2021-02-01T06:46:30.033+00:00

We are planning to host angular SPA serverless apps in azure storage account using static website enabled and configured to azure CDN endpoint.

From security perspective just wanted to hide public access to primary endpoint of storage account from public access and only user can access through azure CDN.

Any solution from it.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,757 questions
Azure Content Delivery Network
Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
782 questions
{count} vote

3 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee
    2021-02-01T15:17:13.94+00:00

    @SUYOG Welcome to Microsoft Q&A Forum, Thank you for posting your query!

    There is similar thread discussion in the SO forum, Please refer to the suggestion and let me know if you face any issue or needed more information

    Additional information: Disabling public access on a storage account does not affect static websites that are hosted in that storage account. Additionally, you can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files. So this is not an option currently when using static website hosting in Azure Storage

    You cannot use private endpoint as a CDN origin. It needs to be public, You may refer to this article and let me know if you have any questions

    Also refer: Sometimes you need to check what access a user has to a set of Azure resources. You check their access by listing their assignments. A quick way to check the access for a single user is to use the Check access feature on the Access control (IAM) page.

    Cannot add Custom Domain to CDN with Azure Storage Static Website This suggestion provides some information for your scenario

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    -------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments No comments

  2. Jun Ye 21 Reputation points
    2021-09-20T18:14:52.92+00:00

    This is for my own reference in the future.

    Found this article:
    https://gunnarpeipman.com/access-restricted-blob-storage-from-azure-cdn/

    TLDR:
    When you enable firewall on storage account, add: 147.243.0.0/16 to exception, which appears to be CDN's public IP range.

    1 person found this answer helpful.
    0 comments No comments

  3. Andriy Bilous 10,996 Reputation points MVP
    2021-02-01T13:29:58.303+00:00

    Hello @SUYOG
    You can serve static content directly from a storage container named

    Static website option in Storage Account opens it for anonymous access. To protect the files in your storage account, you can set the access of your storage containers from public to private. If you want to grant limited access to private storage containers, you can use the Shared Access Signature (SAS) feature of your Azure storage account.

    To configure CDN with Static website please see an article that describes how to use SAS in conjunction with Azure CDN
    https://learn.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support

    0 comments No comments