9
votes

I hosted a simple website in Azure storage using the static website feature. The url of the website is now publicly available. (anyone with the url can access the website). But my intention is to provide access only to the users who I want to. Is there a way that can restrict the public access to the static website hosted in Azure storage?

2
Perhaps, If you'd like to, you could restrict the access to storage account with its firewall.docs.microsoft.com/en-us/azure/storage/common/… but this way could not restrict real user just networking access from that user.Nancy Xiong
@NancyXiong My intention is to make the static website available to users who use an other application which i develop and the users of that app only should be able to access this static website. for instance i want to host the documentation in the static website and make it available to the users who signup to use my application. I intend to have the documentation private.Takhi
@Takhi did you find a way to solve this? I am in the same situation.Cornel
@Cornel we used another way to publish the documentation and I haven't looked into this furtherTakhi
I know this is an old post, just found the below link which seems to address the problem docs.microsoft.com/en-us/answers/questions/149991/…Saneesh kumar

2 Answers

5
votes

Static website hosting makes the files available for anonymous access. If you need to control who can access the files, you can store files in Azure blob storage and then generate Using shared access signatures (SAS) to limit access.

The links in the pages delivered to the client must specify the full URL of the resource. If the resource is protected with a valet key, such as a shared access signature, this signature must be included in the URL. https://docs.microsoft.com/en-us/azure/architecture/patterns/static-content-hosting

You can try configure a CDN endpoint to hit a private Blob container (do not use Static Website feature because the endpoint is completely public) through SAS tokens. Azure CDN supports this scenario natively – in worst case you can write rewrite rules to redirect requests to the Blob endpoint with SAS tokens.

Using Azure CDN with SAS

1
votes

You can use SAS (shared access signature)

  • You can keep your blobs in the static website as Private access (only blob owner can access with storage account key)
  • Then you can have simple service to authenticate and authorize your clients (if many) and generate SAS tokens for them to access the blob (web page). This service can also renew the tokens for them.
  • If it's a limited number of people you can generate SAS and simply share a link with clients.

You can do this at the granularity of the blob (web page) so you can authorize some to read some pages, while they can't read others ...etc.