Azure Storage Website Internal Only Access

azuretechy 21 Reputation points
2022-06-04T00:46:35.597+00:00

Hi

I have some specific requirements for new Azure Workload.

I am hosting a SPA on Storage Account as Azure Static Website. The Storage Account is behind the VNet and it can't be accessible unless you are within company's network. The SPA is intended for Internal staff use only and hence we can't have url to be accessible through internet. Also we will do custom dns bindings to use company domain url to access the website. I also have CDN above the Static Website so Access is only through CDN.

At the moment WAF + CDN option for Azure Static Website is not avaialble so I decided to use Microsoft Classic CDN. However the rules engine doesn't allow me to block the website access only thing I can do is redirect. However it is not acceptable as url is still exposed to public.

I would like some guidance on how I can achieve below requirments.

  1. Host SPA in Azure either as Static Website or Static Web Apps.
  2. Restrict access to the url for only internal company user logged into company network.
  3. Custom DNS bindings.
  4. Avoid using Azure Front Door if there is solution possible using alternative approach.

Thanks for your help.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,719 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
961 questions
Azure Content Delivery Network
Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
770 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2022-07-06T05:41:41.69+00:00

    Hi,

    You can deploy an Azure Web App in Azure and configure Private Endpoints. When you configure Private Endpoints, then the Web App can only be accessible via the Private Endpoint and all Public traffic will get 401.

    When you deploy Private Endpoint, you will have a NIC deployed in Azure VNET, via which you can access the Web App. At this point of time, you will need to access the NIC from the your On-Premises.

    Reference : https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint

    Regards,
    Karthik Srinivas

  2. Luke Murray 10,526 Reputation points MVP
    2023-06-28T22:44:32.84+00:00

    Hi, AzureTechy

    This is how I would try to do it:

    You already have access to the Azure Static Webapp via a Private endpoint.

    Add a custom domain

    Then have your on-premises DNS point to the webapp.

    If you don't have a site-to-site or VPN connection to Azure, from your on-premises network, then you could either whitelist the public IP of your company network - OR look at Azure App Proxy and set this up in front of your Static WebApp, using AAD conditional access policies to control who can view it (keeping the private link). You may need a VM running on the same network to act as the proxy.

    0 comments