Hello, I am implementing Azure Front Door with a single Azure Storage Account that contains multiple containers , each designated for a specific environment (e.g., dev, QA, UAT, etc.). My goal is to use Azure Front Door Private Endpoints to securely expose the respective containers per environment while integrating this setup with Azure DevOps release pipelines . Issue: I have configured Azure Front Door routing to forward requests to the correct storage container for each environment. However, I am consistently encountering a 404 - WebContentNotFound error when trying to access the content via Azure Front Door. The container paths exist in the storage account, but Azure Front Door does not seem to resolve them correctly. Configuration Details: Storage Account: One storage account with multiple environment-specific containers. Azure Front Door Routing: Patterns to match: /dev-finance-central/* , /* , /path Origin path: /dev-finance-central/ Forwarding protocol: Match incoming request All containers are private , and I am using private endpoints . Questions: How should the Azure Front Door routing rules be set up correctly for each environment-specific container? How do I ensure that Azure Front Door properly forwards requests to the storage container via the private endpoint ? Is there an additional configuration required in Azure Storage, Private Endpoints, or Azure Front Door to avoid the 404 WebContentNotFound error ? How can I integrate this setup into Azure DevOps release pipelines for smooth deployment? I have attached screenshots of my Azure Front Door routing setup, storage account structure, and error message for reference. Any guidance on resolving this issue would be highly appreciated. Thanks! Issue: I have configured Azure Front Door routing to forward requests to the correct storage container for each environment. However, I am consistently encountering a 404 - WebContentNotFound error when trying to access the content via Azure Front Door. The container paths exist in the storage account, but Azure Front Door does not seem to resolve them correctly. Configuration Details: Storage Account: One storage account with multiple environment-specific containers. Azure Front Door Routing: Patterns to match: /dev-finance-central/* , /* , /path Origin path: /dev-finance-central/ Forwarding protocol: Match incoming request All containers are private , and I am using private endpoints . Questions: How should the Azure Front Door routing rules be set up correctly for each environment-specific container? How do I ensure that Azure Front Door properly forwards requests to the storage container via the private endpoint ? Is there an additional configuration required in Azure Storage, Private Endpoints, or Azure Front Door to avoid the 404 WebContentNotFound error ? How can I integrate this setup into Azure DevOps release pipelines for smooth deployment? I have attached screenshots of my Azure Front Door routing setup, storage account structure, and error message for reference. Any guidance on resolving this issue would be highly appreciated. Thanks! Abdul

Hi @ Gafoor, Abdul Since you are using Azure Front Door with the Standard tier to access the storage account privately via a private endpoint, the Standard tier does not support the private connectivity option, even if the private endpoint is enabled in the storage account. If you are not using the private link feature and are still on the Standard tier in Azure Front Door, your origin will be accessed publicly . This means your storage account should be on a public network , as there is no way to access it privately from AFD. You can refer to the AFD architect regarding the traffic flow, including how AFD will access the PaaS service or how the origin can be hosted in a virtual network (e.g., virtual machine). Reference: Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn I hope this is helpful! Do not hesitate to let me know if you have any other questions.

Azure Front Door with Storage Account Containers for Each Environment – 404 Issue

Gafoor, Abdul 0

Hello,

I am implementing Azure Front Door with a single Azure Storage Account that contains multiple containers, each designated for a specific environment (e.g., dev, QA, UAT, etc.). My goal is to use Azure Front Door Private Endpoints to securely expose the respective containers per environment while integrating this setup with Azure DevOps release pipelines.

Issue:

I have configured Azure Front Door routing to forward requests to the correct storage container for each environment.
However, I am consistently encountering a 404 - WebContentNotFound error when trying to access the content via Azure Front Door.
The container paths exist in the storage account, but Azure Front Door does not seem to resolve them correctly.

Configuration Details:

Storage Account: One storage account with multiple environment-specific containers.
Azure Front Door Routing:
- Patterns to match: /dev-finance-central/*, /*, /path
  - Origin path: /dev-finance-central/
    - Forwarding protocol: Match incoming request
    - All containers are private, and I am using private endpoints.

Questions:

How should the Azure Front Door routing rules be set up correctly for each environment-specific container?
How do I ensure that Azure Front Door properly forwards requests to the storage container via the private endpoint?
Is there an additional configuration required in Azure Storage, Private Endpoints, or Azure Front Door to avoid the 404 WebContentNotFound error?
How can I integrate this setup into Azure DevOps release pipelines for smooth deployment?

I have attached screenshots of my Azure Front Door routing setup, storage account structure, and error message for reference.

Any guidance on resolving this issue would be highly appreciated.

Thanks!

Issue:

I have configured Azure Front Door routing to forward requests to the correct storage container for each environment.
However, I am consistently encountering a 404 - WebContentNotFound error when trying to access the content via Azure Front Door.
The container paths exist in the storage account, but Azure Front Door does not seem to resolve them correctly.

User's image

Configuration Details:

Storage Account: One storage account with multiple environment-specific containers.
Azure Front Door Routing:
- Patterns to match: /dev-finance-central/*, /*, /path
  - Origin path: /dev-finance-central/
    - Forwarding protocol: Match incoming request
    - All containers are private, and I am using private endpoints.

Questions:

How should the Azure Front Door routing rules be set up correctly for each environment-specific container?
How do I ensure that Azure Front Door properly forwards requests to the storage container via the private endpoint?
Is there an additional configuration required in Azure Storage, Private Endpoints, or Azure Front Door to avoid the 404 WebContentNotFound error?
How can I integrate this setup into Azure DevOps release pipelines for smooth deployment?

I have attached screenshots of my Azure Front Door routing setup, storage account structure, and error message for reference.

Any guidance on resolving this issue would be highly appreciated.

Thanks!
Abdul

Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-07T12:03:29.37+00:00

Hello Gafoor, Abdul

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

To access cached content with Azure Front Door,

This problem can be solved with Azure Front door routing for Azure Blob Storage.

You need to access AFD custom domain with below format:

http://<endpoint-name-with-hash-value>.z01.azurefd.net/Container>/<BlobName>

With this solution, requests such as "https://custom domain /Container/<blob_to_be_uploaded>" will be directed to the corresponding underlying storage account, i.e., "https://example.blob.core.windows.net/testcontainer/<blob_to_be_uploaded>

Try to check storage account with this if it has any read only access. Try changing the Access level to: Blob
Gafoor, Abdul 0 Reputation points

2025-02-07T12:22:22.16+00:00

Hello Praveen,
Thank you for your response.
I changed to Blob but still I am getting 404 only
Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-07T12:48:39.7466667+00:00

Hello Gafoor, Abdul

Greetings!

Thank you for response.

Please let me know if you enabled the private link in the AFD or if you only associated it with the storage account.

Please update the routing rule to change the incoming request path to /* and set the origin path as default.

Could you please try to test with Container anonymous read access for testing.
Gafoor, Abdul 0 Reputation points

2025-02-07T13:01:43.6033333+00:00

I tried by making access as Container Level still getting 404
Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-07T13:28:03.0266667+00:00
Hello Gafoor, Abdul

Greetings!

Thank you for response.

For further investigation please share the below information:

Please let me know while accessing your backend URL it is working or not.

Please let me know if you enabled the private link in the AFD or if you only associated it with the storage account.

If this occurs, make sure: There is no whitespace in the index document name.

Azure storage account - index.html

The Case matters, make sure if the filename is all lowercase in the container, then it’s all lowercase in the Azure storage account

verify that the file is available on the origin server and is accessible. The quickest way to do that is to open a browser in a private or incognito session and browse directly to the file. Type or paste the URL into the address box and verify that it results in the file you expect.
Gafoor, Abdul 0 Reputation points

2025-02-07T13:39:56.78+00:00

When I used the storageaccount url it is working.

When I try to access the folder inside the container then I am getting the Resource not found or BlobNotFound
Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-07T14:13:16.6866667+00:00

Hello Gafoor, Abdul

Greetings!

Could you please let me know if you are using the Standard or Premium SKU? Also, in the meantime, please try to perform a purge operation and inform me of the results.

Please let me know if you enabled the private link in the AFD or if you only associated it with the storage account.
Gafoor, Abdul 0 Reputation points

2025-02-07T14:21:55.9533333+00:00

I did the purge command and I am using Standard version. still getting 404.

Can you please tell me how can I check private link is enable?
Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-07T14:48:14.8033333+00:00

Hello Gafoor, Abdul

Greetings!

Thank you for your response.

I understand that you are using the front door standard SKU, which does not support the private link feature. If you want to use the private link service, you need to upgrade to the premium tier. Otherwise, you need to remove the private link in the storage and test it.

Check the below screen shot:

Kindly check the below public document for more understanding:

https://learn.microsoft.com/en-us/azure/frontdoor/integrate-storage-account

I hope this has been helpful!

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Gafoor, Abdul 0 Reputation points

2025-02-07T14:56:49.35+00:00

I don't think we need premium for private endpoint. Private link is different.
So, you didn't understand the problem.

I want to use the private endpoint for my static website. and I achieved with the standard version. with single storage account($web and $logs) without using any extra containers.
Now I want to achieve that with the help of extra containers what I had added for each environment without using a single storage account instead of multiple for every environment.
Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-07T16:00:57.84+00:00

Hello Gafoor, Abdul

Greetings!

Could you please confirm if you are implementing the following scenario?

AFD -----> Private link----> Storage account

Are you following the below document:

https://learn.microsoft.com/en-us/azure/frontdoor/private-link

Kindly review the screenshots below:

For further investigation, please share a screenshot of your origin page in the Azure portal.
Gafoor, Abdul 0 Reputation points

2025-02-09T03:18:33.4233333+00:00

No, I am talking about this document, please check once. https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-cli.

So, here they are used one storage account, but I want to use different containers for each environment in single storage account.
It means
the private endpoints link will be
dev-finance-central-<Random Text>.a02.azurefd.net/dev/index.html
qa-finance-central-<Random Text>.a02.azurefd.net/qa/index.html
uat-finance-central-<Random Text>.a02.azurefd.net/uat/index.html
Gafoor, Abdul 0 Reputation points

2025-02-10T06:46:10.5633333+00:00

Hello Praveen, Can you please check this once?

Waiting for your reply
Praveen Bandaru 425 Reputation points Microsoft Vendor

2025-02-10T10:43:04.7433333+00:00

Hello Gafoor, Abdul

Greetings!

Please accept my sincere apologies for the delay in response.

In the case of an Azure storage account configured with an Azure network private endpoint, we suggest removing the private endpoint for the blob in the storage account.

As for Azure AFD standard SKU, the origin should be internet-facing.

Do try by checking the Azure resource exceptions at the bottom of the configuration,

This should work if AFD is listed under trusted services
Vallepu Venkateswarlu 0 Reputation points Microsoft Vendor

2025-02-10T13:48:37.26+00:00

Hi @Gafoor, Abdul

Welcome to the Microsoft Q&A Platform.

Thank you for reaching out, & I hope you are doing well.

Can you confirm if you are able to access the blob URL with public access from Front Door?

AFAIK, you can't connect to Azure Blob using a Frontdoor endpoint with a private endpoint; the only option to access the blob from Frontdoor is through Private Link. Follow the MS Doc for more details

Reference:

Configure rule sets in Azure Front Door
https://learn.microsoft.com/en-us/azure/frontdoor/private-link#how-private-link-works
https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-storage-account
Vallepu Venkateswarlu 0 Reputation points Microsoft Vendor

2025-02-11T05:26:23.0333333+00:00

Hi @Gafoor, Abdul

As per the MS doc, you can only access the storage blob via a private link from the Azure Front Door endpoint Follow the Doc: https://learn.microsoft.com/en-us/azure/frontdoor/private-link

I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Gafoor, Abdul 0 Reputation points

2025-02-11T07:36:08.16+00:00

Hi @Vallepu Venkateswarlu
Thank you for reaching me out.

If we are not enabling the private endpoint for the AFD, is it possible to use multiple containers in a single storage account?
I may be ok not using the private link
Vallepu Venkateswarlu 0 Reputation points Microsoft Vendor

2025-02-11T10:21:54.84+00:00

Hi @Gafoor, Abdul

Thanks for your reply.

If you are not using the private link feature and are still using the standard tier in Azure Front Door, your origin will be accessed publicly, as there is no way to access your storage account via privately from AFD.

Referecne: https://learn.microsoft.com/en-us/azure/frontdoor/private-link

1 answer

Vallepu Venkateswarlu 0 Reputation points Microsoft Vendor

2025-02-11T12:21:28.3833333+00:00

Hi @Gafoor, Abdul

Since you are using Azure Front Door with the Standard tier to access the storage account privately via a private endpoint, the Standard tier does not support the private connectivity option, even if the private endpoint is enabled in the storage account.

If you are not using the private link feature and are still on the Standard tier in Azure Front Door, your origin will be accessed publicly. This means your storage account should be on a public network, as there is no way to access it privately from AFD.

You can refer to the AFD architect regarding the traffic flow, including how AFD will access the PaaS service or how the origin can be hosted in a virtual network (e.g., virtual machine).

Reference: Secure your Origin with Private Link in Azure Front Door Premium | Microsoft Learn

I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Front Door with Storage Account Containers for Each Environment – 404 Issue

1 answer

Your answer