4
votes

I have created a Blob container and associated a CDN, and everything is okay. I want to achieve the following.

  1. No one should be able to access blob contents with the blob.core.windows.net URL.
  2. Content should be accessible using the CDN only.

If I make the container private, even the CDN is not able to access the content. If I make the container public, content is available for direct access as well.

In the AWS world it's quite possible with an access policy.

1
Looks like you answered your own question. Just curious though, what difference does it make if someone happens to download directly from storage vs. the CDN (aside from their potentially slower performance)? - David Makogon
1. I like to keep my blob details private. 2. I do not want users to bookmark blob URLs. I can switch off the CDN endpoint whenever I want. 3. AWS allows this :-) - Raja Vaida

1 Answer

4
votes

This is possible with a private container and a SAS URL. When a customer requests the CDN URL with the SAS key, the CDN will request the asset from blob using the SAS URL if it is not already cached.

If you wish to keep the SAS token hidden from the end customer completely, you can use a Verizon Premium profile and use a URL rewrite rule to add the SAS token from the CDN side.

Additional information on SAS: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#what-is-a-shared-access-signature

Additional information on CDN rewrite: https://docs.microsoft.com/en-us/azure/cdn/cdn-rules-engine-reference-features#url-rewrite
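
An added example, not part of the original answer: because the SAS token either travels in the customer-facing CDN URL or sits in a CDN rewrite rule, it is worth checking that it grants no more than read access. The sketch below audits the standard service SAS query parameters (`sp`, `spr`, `se`, `si`, `sig`); the function name `audit_sas_url`, the 7-day lifetime threshold and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: account, container, endpoint and sig values are placeholders.
GOOD = ("https://example.azureedge.net/assets/logo.png?sv=2020-08-04&sr=c&sp=r"
        "&se=2024-01-08T00%3A00%3A00Z&spr=https&sig=PLACEHOLDER")
BAD = ("https://example.blob.core.windows.net/assets/logo.png?sv=2020-08-04&sr=c"
       "&sp=rwdl&se=2030-01-01T00%3A00%3A00Z&sig=PLACEHOLDER")


def audit_sas_url(url, now, max_lifetime=timedelta(days=7)):
    """Return findings for a URL carrying a service SAS used for read-only delivery."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no SAS token (sig) in URL"]
    findings = []
    # sp = signed permissions; serving downloads through a CDN needs read only.
    extra = sorted(set(q.get("sp", "")) - {"r"})
    if extra:
        findings.append("permissions beyond read: " + "".join(extra))
    # spr = allowed protocols; when omitted, both https and http are accepted.
    if q.get("spr") != "https":
        findings.append("token not restricted to https")
    # se = expiry (ISO 8601 UTC); sp/se may instead live in a stored access policy (si).
    if "se" not in q:
        findings.append("no expiry in token" + (" (check stored policy)" if "si" in q else ""))
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > max_lifetime:
            findings.append("expiry more than %d days away" % max_lifetime.days)
    return findings


if __name__ == "__main__":
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)  # fixed clock for the constructed samples
    for u in (GOOD, BAD):
        print(urlsplit(u).netloc, audit_sas_url(u, now) or "ok")
```

A token that passes these checks can still be replayed against the blob.core.windows.net URL until it expires if the customer can see it, which is why the answer suggests adding it on the CDN side with a rewrite rule.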