Azure-storage static website access permissions

4
votes

I have a static website on Azure blob storage like written here.

The website works fine, no issues. However the access rights to the website is an issue.

The access level of the storage container is private, and does not allow anyone to view what's stored inside.

However, the hosted website is completely public.

How can I restrict access to the website? I only want a few people which I authorize to have access to the website.

Thanks

2
azureazure-web-app-service

2 Answers

5
votes

The hosted static website on Azure storage account is completely public. Currently, we're not able to do it more. However, you could host your static website as the blob in the container with private access, then access them with SAS. A shared access signature (SAS) provides you with a way to grant limited access to objects in your storage account to other clients, without exposing your account key.

Steps:

  1. Upload your website's files in the blob.
  2. Switch to location container/webpage, click ... on some blob. enter image description here
  3. Modify some SAS parameters such as permission or time, allowed IP address to grant limited access to this blob, Click Generate blob SAS token and URL. enter image description here
  4. Then you can access the webpage with blob SAS token or URL. Just share the URL with your users.

The above example is for using blob level SAS, if you have many webpages or blobs in the container, you could use account level SAS from storage account panel->Settings-> Shared access signature on the Azure portal.

Moreover, you also could configure a CDN endpoint to hit a private Blob container with SAS token referring to using Azure CDN with SAS. You could refer to this similar case.

0
votes

Another way to restrict access is to use "Networking" settings of your storage resource.

I needed to

  • allow access to members of our company's network
  • disallow any public access.

In our company, all devices are behind a NAT with a central, outbound IP adress.

I use an Azure "StorageV2" storage to host a static site generated with Vuepress.
(side note for those who come here by searching for static site keywords: you need to activate static site hosting by clicking on "Static website" in the menu of your storage resource to activate it. That seems to be available only for StorageV2 storages, not for Blob storage)

The generated URL [myuniquename].[2chars].web.core.windows.net is only available within the company by doing the following (by today, March 2021):

Azure's steps when creating a new StorageV2 resource are divided into six steps:
Basics -> Networking -> Data protection -> Advanced -> Tags -> Review + create.

In step two, Networking, within "Connectivity method"

  1. select "Public endpoint (selected networks)"
  2. leave "Virtual network" set to "none"
  3. leave "Routing preference" to "Microsoft network routing (default)"
  4. leave all other settings with their default (worked for me)

After storage creation, go to your new storage resource (find it via Home button, should be listed under "Recent resources"). From the menu on the left

  1. select "Networking"
  2. within "Firewall" click the checkbox "Add your client IP address (should show your IP address)".
    Only do this, if you are within your company's network!
  3. Click "Save". I needed to click save twice, i.e. that save button turned grey only after second save. Whatever that means, just make sure.

Of course that might not work for other company networks. I am not too savvy with network administration.