Accessing a network restricted storage account through a CDN

Clay Casper 166 Reputation points
2022-10-11T13:45:09.293+00:00

I want to access a network restricted (i.e. firewall enabled) storage account from the CDN endpoint attached to the storage account. What I keep finding is that you have to whitelist the CDN IPs so the CDN servers can get through the firewall. Doesn't this mean that anyone using the CDN servers can access the storage account though? Is that secure? I could whitelist the CDN IPs and then make all my containers private and just use a SAS token, but that seems like a hassle trying to remember to make/keep all the containers' access levels private.


2 answers

  1. Sam Cogan 10,582 Reputation points MVP
    2022-10-11T16:47:09.887+00:00

    By whitelisting the IP range for CDN it means that any CDN account can get through the firewall, yes, but it doesn't mean they can access your content. Unless you make your storage account anonymously accessible (don't do that) then they would still need a storage account key to access the data.


  2. SaiKishor-MSFT 17,231 Reputation points
    2022-10-24T20:27:05.783+00:00

    @Clay Casper Thank you for reaching out to Microsoft Q&A. Please refer to this document about retrieving the current POP IP list for Azure CDN: https://video2.skills-academy.com/en-us/azure/cdn/cdn-pop-list-api

    Configure IP ACLing for your backends to accept traffic from Azure CDN from Microsoft's backend IP address space and Azure's infrastructure services only.

    Use the AzureFrontDoor.Backend service tag with Azure CDN from Microsoft to configure Microsoft's backend IP ranges. For a complete list, see IP Ranges and Service tags for Microsoft services here: https://www.microsoft.com/en-us/download/details.aspx?id=56519

    This is the only way to achieve this right now as the CDN IPs can keep changing from time to time, it is not a good idea to restrict it to specific IP address range. Hope this helps.

    Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

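The answers above depend on a firewall allowlist that tracks the published AzureFrontDoor.Backend ranges, which change over time. As an added example (not part of the original thread and not Microsoft's code), this Python check compares an allowlist with the ranges in a Service Tags JSON document and reports entries that are stale or not yet covered. The function names, the sample document and every address in it (documentation ranges) are constructed for illustration.

```python
import ipaddress
import json

TAG = "AzureFrontDoor.Backend"  # service tag named in the answer above

# Constructed sample in the layout of the Service Tags JSON download.
# Prefixes are documentation ranges, not real Azure addresses.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureFrontDoor.Backend",
         "properties": {"changeNumber": 7, "addressPrefixes": [
             "198.51.100.0/24", "203.0.113.0/25",
             "203.0.113.128/25", "2001:db8::/32"]}},
        {"name": "Storage",
         "properties": {"changeNumber": 3,
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})


def tag_prefixes(doc, tag=TAG):
    """Return (changeNumber, collapsed IPv4 networks) for one service tag."""
    for entry in json.loads(doc)["values"]:
        if entry["name"] == tag:
            props = entry["properties"]
            nets = [ipaddress.ip_network(p) for p in props["addressPrefixes"]]
            # Assumption: the allowlist being checked holds IPv4 rules only.
            v4 = [n for n in nets if n.version == 4]
            return props["changeNumber"], list(ipaddress.collapse_addresses(v4))
    raise KeyError(f"service tag {tag!r} not found")


def allowlist_drift(current_rules, published):
    """Compare firewall allow rules with the published ranges.

    stale:   allowed ranges that fall outside every published range
    missing: published ranges not fully covered by any allowed range
    """
    current = list(ipaddress.collapse_addresses(
        [ipaddress.ip_network(r, strict=False) for r in current_rules]))
    stale = [c for c in current
             if not any(c.subnet_of(p) for p in published)]
    missing = [p for p in published
               if not any(p.subnet_of(c) for c in current)]
    return {"stale": [str(n) for n in stale],
            "missing": [str(n) for n in missing]}
```

A stale entry keeps the firewall open to addresses the CDN no longer uses, and a missing one causes origin fetches to be blocked. Neither changes the point made in the first answer: the allowlist only admits traffic, and access to the data still depends on the containers staying private.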
