Integrate an Azure Storage account with Azure Front Door
Azure Front Door can be used to deliver high-bandwidth content by caching blobs from Azure Storage. In this article, you create an Azure Storage account and enable Front Door to cache and accelerate content from Azure Storage.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
Sign in to the Azure portal
Sign in to the Azure portal with your Azure account.
Create a storage account
A storage account provides access to Azure Storage services. It represents the highest level of the namespace for accessing each Azure Storage service component: Azure Blob, Queue, and Table storage. For more information, see Introduction to Microsoft Azure Storage.
In the Azure portal, select + Create a resource in the upper left corner. The Create a resource pane appears.
On the Create a resource page, search for Storage account and select Storage account from the list. Then select Create.
On the Create a storage account page, enter or select the following information for the new storage account:
| Setting | Value |
|---|---|
| Resource group | Select Create new and enter the name AFDResourceGroup. You can also select an existing resource group. |
| Storage account name | Enter a name for the account using 3-24 lowercase letters and numbers only. The name must be unique across Azure and becomes the host name in the URL used to address blob, queue, or table resources for the subscription. To address a container resource in Blob storage, use a URI in the following format: http://<storageaccountname>.blob.core.windows.net/<container-name>. |
| Region | Select an Azure region closest to you from the drop-down list. |

Leave all other settings as default. Select the Review tab, select Create, and then select Review + Create.
The creation of the storage account can take a few minutes to complete. Once creation is complete, select Go to resource to go to the new storage account resource.
Enable Azure Front Door CDN for the storage account
From the storage account resource, select Front Door and CDN under Security + networking in the left menu.
In the New endpoint section, enter the following information:
| Setting | Value |
|---|---|
| Service type | Select Azure Front Door. |
| Create new/use existing profile | Choose to create a new Front Door profile or select an existing one. |
| Profile name | Enter a name for the Front Door profile. If you selected Use existing, choose from the available profiles. |
| Endpoint name | Enter your endpoint hostname, such as contoso1234. This name is used to access your cached resources at the URL <endpoint-name + hash value>.z01.azurefd.net. |
| Origin hostname | By default, a new Front Door endpoint uses the hostname of your storage account as the origin server. |
| Pricing tier | Select Standard for content delivery or Premium for content delivery with security features. |
| Caching | Optional - Toggle on to enable caching for your static content. Choose an appropriate query string behavior and enable compression if needed. |
| WAF | Optional - Toggle on to protect your endpoint from vulnerabilities, malicious actors, and bots with Web Application Firewall. Use an existing policy from the WAF policy dropdown or create a new one. |
| Private link | Optional - Toggle on to keep your storage account private, not exposed to the public internet. Select the region that matches your storage account or is closest to your origin. Choose blob as the target subresource. |

Note
- With the Standard tier, you can only use custom rules with WAF. To deploy managed rules and bot protection, choose the Premium tier. For a detailed comparison, see Azure Front Door tier comparison.
- The Private Link feature is only available with the Premium tier.
Select Create to create the new endpoint. After creation, it appears in the endpoint list.
Note
- The endpoint list will only show Front Door and CDN profiles within the same subscription.
Extra features
From the storage account Front Door and CDN page, select the endpoint from the list to open the Front Door endpoint configuration page. Here, you can enable other Azure Front Door features such as the rules engine and configure traffic load balancing.
For best practices, refer to Use Azure Front Door with Azure Storage blobs.
Enable SAS
To grant limited access to private storage containers, use the Shared Access Signature (SAS) feature of your Azure Storage account. A SAS is a URI that grants restricted access rights to your Azure Storage resources without exposing your account key.
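An added example, not part of the original article or Microsoft's code: a Python check that parses the query parameters of a SAS URI (sp, se, spr, sig) and reports settings broader than read-only content delivery needs. The 24-hour lifetime threshold, the function names, and the sample URIs with placeholder signatures are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed policy threshold, not an Azure limit

# Constructed sample URIs; account, container and signature are placeholders.
SAMPLE_READ_ONLY = ("https://examplestorage.blob.core.windows.net/public/logo.png"
                    "?sv=2022-11-02&sr=b&sp=r&se=2030-01-01T12%3A00%3A00Z"
                    "&spr=https&sig=CONSTRUCTED")
SAMPLE_BROAD = ("http://examplestorage.blob.core.windows.net/public"
                "?sv=2022-11-02&sr=c&sp=rwdl&se=2031-01-01&sig=CONSTRUCTED")


def _parse_time(value):
    """Parse a SAS timestamp (ISO 8601 UTC, with or without a time part)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(url, now):
    """Return findings for one SAS URI; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    query = {key: values[0] for key, values in parse_qs(parts.query).items()}
    if "sig" not in query:
        return ["no sig parameter: not a SAS URI"]
    findings = []
    if parts.scheme != "https":
        findings.append("URI uses http: the token travels in clear text")
    # When spr is omitted, the service accepts both https and http.
    if query.get("spr", "https,http") != "https":
        findings.append("spr does not restrict the token to https")
    extra = set(query.get("sp", "")) - {"r"}
    if extra:
        findings.append("sp grants more than read: " + "".join(sorted(extra)))
    if "se" not in query:
        findings.append("no se parameter: expiry is not set in the token itself")
    else:
        expiry = _parse_time(query["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append("token lifetime exceeds %s" % MAX_LIFETIME)
    return findings


if __name__ == "__main__":
    reference = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed "now" for the demo
    for sample in (SAMPLE_READ_ONLY, SAMPLE_BROAD):
        print(sample.split("?")[0], audit_sas(sample, reference) or "no findings")
```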
Access CDN content
To access cached content with Azure Front Door, use the Front Door URL provided in the portal. The address for a cached blob follows this format:
http://<endpoint-name-with-hash-value>.z01.azurefd.net/<myPublicContainer>/<BlobName>
Note
After enabling Azure Front Door access to a storage account, all publicly available objects are eligible for Front Door POP (Point-of-presence) caching. If you modify an object that is currently cached in Front Door, the new content won't be available until Front Door refreshes its content after the time-to-live period expires.
Add a custom domain
Using a custom domain with Azure Front Door allows your own domain name to be visible in end-user requests, which can enhance customer convenience and support branding efforts.
To add a custom domain:
Navigate to the storage account Front Door and CDN page.
Select View custom domains for the Azure Front Door endpoint.
On the domains page, add a new custom domain to access your storage account.
For detailed instructions, see Configure a custom domain with Azure Front Door.
Purge cached content from Azure Front Door
If you no longer want to cache an object in Azure Front Door, you can purge the cached content.
Navigate to the storage account Front Door and CDN page.
Select the Azure Front Door endpoint from the list to open the Azure Front Door endpoint configuration page.
Select the Purge cache option at the top of the page.
Select the endpoint, domain, and path you want to purge.
Note
An object already cached in Azure Front Door will remain cached until the time-to-live period expires or until you purge the endpoint.
Clean up resources
In the preceding steps, you created an Azure Front Door profile and an endpoint in a resource group. If you no longer need these resources, you can delete them to avoid incurring charges.
In the Azure portal, select Resource groups from the left-hand menu, then select AFDResourceGroup.
On the Resource group page, select Delete resource group. Enter AFDResourceGroup in the text box, then select Delete. This action deletes the resource group, profile, and endpoint created in this guide.
To delete your storage account, select the storage account from the dashboard, then select Delete from the top menu.
Next steps
- Learn how to use Azure Front Door with Azure Storage blobs
- Learn how to enable Azure Front Door Private Link with Azure Blob Storage
- Learn how to enable Azure Front Door Private Link with Storage Static Website