Web application firewall for Azure storage account

Chris 1 Reputation point
2020-08-28T15:22:06.97+00:00

We have an Azure storage account which has static HTML content for a website. Instead of exposing the storage account URL on the Internet, an Azure CDN endpoint, https://ourendpoint.azureedge.net/, was created and is exposed to the outside world.

A. Does Azure CDN come with a web application firewall, which is what our business analyst claims? I thought only Azure Front Door and Azure Application Gateway had it?

B. Stateful Inspection – Does Azure CDN only provide this? The business analyst claims no Azure Front Door or Azure App Gateway is needed as we are using a CDN endpoint

C. Intrusion Prevention – Does Azure CDN only provide this? The business analyst claims no Azure Front Door or Azure App Gateway is needed as we are using a CDN endpoint

D. Anti-Malware – I understand we receive Microsoft Defender ATP and the price for a storage account using Azure Standard Tier of Security Center from https://azure.microsoft.com/en-us/pricing/details/security-center/ is $0.02/10K transactions. What counts as a transaction for a storage account?

E. To protect the storage account from being accessed from the Internet, the server admin went to Storage Account->Configuration->Disable Blob public access. Then, a CDN endpoint was configured so users on the Internet could use that to access the static website. Is that secure enough to prevent any user on the Internet from accessing the storage account directly? The business analyst claims no Azure Front Door or Azure App Gateway is needed as we are using a CDN endpoint and this should be secure enough.

F. Is there a WAF solution outside of Azure Front Door and Azure Application Gateway which can be used for protecting storage accounts and which is free for 5 rules? I don't know where our business analyst got that idea and is suggesting to use that as a cheap option. Does anything like this exist in Azure for protecting storage accounts?

Azure Content Delivery Network

2 answers

  1. Steve 66 Reputation points
    2020-08-30T06:27:42.217+00:00

    Hi Chris,

    A. It is in preview stage, so I would go with Azure Application Gateway or Front Door.
    B, C. As far as I know, no, as CDN is not for that.
    D. It refers to the number of access attempts at your storage account.
    E. Yes, it helps, but it is not secure enough and you need other defenses like a web application firewall, standard tier of Azure security, etc.
    F. No, I would ask the business analyst about the source of this information.

    Microsoft employees in this forum should be able to offer more advice. Ajay, in particular, is very helpful and knowledgeable.


  2. SaiKishor-MSFT 17,211 Reputation points
    2020-09-04T19:04:07.853+00:00

    @Chris

    A. Does Azure CDN come with a web application firewall, which is what our business analyst claims? I thought only Azure Front Door and Azure Application Gateway had it?

    B. Stateful Inspection – Does Azure CDN only provide this? The business analyst claims no Azure Front Door or Azure App Gateway is needed as we are using a CDN endpoint

    C. Intrusion Prevention – Does Azure CDN only provide this? The business analyst claims no Azure Front Door or Azure App Gateway is needed as we are using a CDN endpoint

    • Azure CDN does not provide the above two features. However, it does provide security features such as geo-filtering, DDoS protection, token authentication, etc.
      If you need additional security, you can enable WAF for CDN which will provide an extra layer of security.

    "WAF defends your web services against common exploits and vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements."

    The security features that WAF for CDN provides are given in this document: https://learn.microsoft.com/en-us/azure/web-application-firewall/cdn/cdn-overview

    D. Anti-Malware – I understand we receive Microsoft Defender ATP and the price for a storage account using Azure Standard Tier of Security Center from https://azure.microsoft.com/en-us/pricing/details/security-center/ is $0.02/10K transactions. What counts as a transaction for a storage account?

    • Please reach out to customer support regarding pricing questions.

    E. To protect the storage account from being accessed from the Internet, the server admin went to Storage Account->Configuration->Disable Blob public access. Then, a CDN endpoint was configured so users on the Internet could use that to access the static website. Is that secure enough to prevent any user on the Internet from accessing the storage account directly? The business analyst claims no Azure Front Door or Azure App Gateway is needed as we are using a CDN endpoint and this should be secure enough.

    • With Azure CDN, it will access the storage account from any of its POP IPs. Therefore, you can still block all internet traffic but still need to allow these IPs. More information on this is here: https://learn.microsoft.com/en-us/azure/cdn/cdn-pop-list-api
      If you are looking for security with CDN, as discussed previously, WAF can be implemented.

    F. Is there a WAF solution outside of Azure Front Door and Azure Application Gateway which can be used for protecting storage accounts and which is free for 5 rules? I don't know where our business analyst got that idea and is suggesting to use that as a cheap option. Does anything like this exist in Azure for protecting storage accounts?

    If you have any further questions/concerns, please feel free to reach out to us anytime and we will be glad to assist you further. Thank you!

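The allow-listing described under E in the second answer (block Internet traffic to the storage account but admit the CDN POP ranges), as an added example that is not part of the original thread or Microsoft's own code. It assumes the POP list JSON has the shape `value[].properties.ipAddressGroups[].ipv4Addresses[]`; the sample data, SKU names, account name, resource group and `max_rules` value are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the CDN POP list response.
# Addresses are documentation ranges, not real POP addresses.
SAMPLE_EDGE_NODES = json.loads("""
{"value": [
  {"name": "Standard_Verizon", "properties": {"ipAddressGroups": [
    {"deliveryRegion": "All",
     "ipv4Addresses": [{"baseIpAddress": "192.0.2.0", "prefixLength": 25},
                       {"baseIpAddress": "192.0.2.128", "prefixLength": 25},
                       {"baseIpAddress": "198.51.100.7", "prefixLength": 32}],
     "ipv6Addresses": [{"baseIpAddress": "2001:db8::", "prefixLength": 32}]}]}},
  {"name": "Standard_Akamai", "properties": {"ipAddressGroups": [
    {"deliveryRegion": "All",
     "ipv4Addresses": [{"baseIpAddress": "203.0.113.0", "prefixLength": 24}],
     "ipv6Addresses": []}]}}
]}
""")


def pop_ipv4_networks(edge_nodes, sku):
    """Return the collapsed IPv4 networks listed for one CDN SKU."""
    nets = []
    for node in edge_nodes.get("value", []):
        if node.get("name") != sku:
            continue
        for group in node["properties"]["ipAddressGroups"]:
            for entry in group.get("ipv4Addresses", []):
                cidr = f'{entry["baseIpAddress"]}/{entry["prefixLength"]}'
                # strict=True rejects entries whose host bits are set
                nets.append(ipaddress.ip_network(cidr, strict=True))
    return list(ipaddress.collapse_addresses(nets))


def firewall_commands(edge_nodes, sku, account, group, max_rules):
    """Build az CLI commands: allow each POP range, then default-deny last."""
    values = []
    for net in pop_ipv4_networks(edge_nodes, sku):
        # /31 and /32 ranges are written as individual addresses
        values += [str(a) for a in net] if net.prefixlen >= 31 else [str(net)]
    if not values:
        raise ValueError(f"no IPv4 ranges for {sku}; refusing to lock out the CDN")
    if len(values) > max_rules:  # max_rules: caller-supplied firewall rule limit
        raise ValueError(f"{len(values)} rules exceed the limit of {max_rules}")
    cmds = [f"az storage account network-rule add --account-name {account} "
            f"--resource-group {group} --ip-address {v}" for v in values]
    cmds.append(f"az storage account update --name {account} "
                f"--resource-group {group} --default-action Deny")
    return cmds
```

The deny rule is emitted last so the CDN keeps reaching the origin while the allow rules are applied; the POP list changes over time, so the rules need regenerating on a schedule.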