Azure Storage Website Internal Only Access

azuretechy 21 Reputation points


I have some specific requirements for new Azure Workload.

I am hosting a SPA on Storage Account as Azure Static Website. The Storage Account is behind the VNet and it can't be accessible unless you are within company's network. The SPA is intended for Internal staff use only and hence we can't have url to be accessible through internet. Also we will do custom dns bindings to use company domain url to access the website. I also have CDN above the Static Website so Access is only through CDN.

At the moment WAF + CDN option for Azure Static Website is not avaialble so I decided to use Microsoft Classic CDN. However the rules engine doesn't allow me to block the website access only thing I can do is redirect. However it is not acceptable as url is still exposed to public.

I would like some guidance on how I can achieve below requirments.

  1. Host SPA in Azure either as Static Website or Static Web Apps.
  2. Restrict access to the url for only internal company user logged into company network.
  3. Custom DNS bindings.
  4. Avoid using Azure Front Door if there is solution possible using alternative approach.

Thanks for your help.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
1,549 questions
Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
318 questions
Azure Content Delivery Network
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
562 questions
{count} votes

1 answer

Sort by: Most helpful
  1. msrini-MSFT 5,676 Reputation points Microsoft Employee


    You can deploy an Azure Web App in Azure and configure Private Endpoints. When you configure Private Endpoints, then the Web App can only be accessible via the Private Endpoint and all Public traffic will get 401.

    When you deploy Private Endpoint, you will have a NIC deployed in Azure VNET, via which you can access the Web App. At this point of time, you will need to access the NIC from the your On-Premises.

    Reference :

    Karthik Srinivas

    No comments