How to add restirction that only Azure CDN can access the static website in storage accounts container. No direct access of static website blob URL

Dhanush kumar Sivaji 45 Reputation points
2023-02-27T18:14:07.9633333+00:00

Hi,

I have created a blob container and made it a static website hosting, where inside the $web folder I have put all the build files of my react application. Please refer to the below image
blob

And I have enabled the CDN for the storage account. Add the below rules
rules

Azure CDN URL - https://ghcrablobcdn.azureedge.net
Static Website URL - https://ghcrablobcdn.z13.web.core.windows.net/

Now I want to make that only Azure CDN can access the static website URL, Direct access to the Static Website URL has to be prohibited or it shows 404, like that.

How can I add this restriction?
Do I have to add any network restriction or like that ?
your help or solution would be appreciated

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,003 questions
Azure Content Delivery Network
{count} vote

Accepted answer
  1. SaiKishor-MSFT 17,236 Reputation points
    2023-03-03T20:45:45.2733333+00:00

    @Dhanush kumar Sivaji I apologize for the confusion. Itseems like you have manually setup static website in a Blob instead of the usual approach i.e., https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website-how-to?tabs=azure-portal

    Is that right?

    If so, yes you can add the IPs for CDN in the firewall section. The only time, you cannot do it if you are using the static website option as mentioned above directly from the portal.

    You can find the specific POP IPs for the CDN endpoint as mentioned here- https://learn.microsoft.com/en-us/azure/cdn/cdn-pop-list-api using REST API. If you want specific IPs, you can look at your logs in the storage account to confirm the source IPs at this time. However, please note that these IPs are dynamic and are prone to change from time to time.

    Here is an example of the Activity logs showing the action performed and in the JSON section, I can see the IP address that it is coming from-

    2023-03-03 12_57_10-Put blob container - Microsoft Azure and 14 more pages - Work - Microsoft​ Edge

    Hope this helps. Please do let me know if you have any further questions or concerns and I will be glad to assist further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. SaiKishor-MSFT 17,236 Reputation points
    2023-03-01T22:44:41.0866667+00:00

    @Dhanush kumar Sivaji Thanks for reaching out to Microsoft Q&A.

    Please note that- Disabling public access on a storage account does not affect static websites that are hosted in that storage account. Additionally, you can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files. So this is not an option currently when using static website hosting in Azure Storage. If you would like, you can submit a feature request on our feedback forum which will be reviewed by our product teams.

    Hope this helps. If you have any further questions or concerns, please do let me know. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.