By whitelisting the IP range for the CDN, it means that any CDN account can get through the firewall, yes, but it doesn't mean they can access your content. Unless you make your storage account anonymously accessible (don't do that), they would still need a storage account key to access the data.
Accessing a network restricted storage account through a CDN
I want to access a network restricted (i.e. firewall enabled) storage account from the CDN endpoint attached to the storage account. What I keep finding is that you have to whitelist the CDN IPs so the CDN servers can get through the firewall. Doesn't this mean that anyone using the CDN servers can access the storage account though? Is that secure? I could whitelist the CDN IPs and then make all my containers private and just use a SAS token, but that seems like a hassle trying to remember to make/keep all the containers' access levels private.
2 answers
SaiKishor-MSFT 17,231 Reputation points
2022-10-24T20:27:05.783+00:00
@Clay Casper Thank you for reaching out to Microsoft Q&A. Please refer to this document about retrieving the current POP IP list for Azure CDN: https://video2.skills-academy.com/en-us/azure/cdn/cdn-pop-list-api
Configure IP ACLing for your backends to accept traffic from Azure CDN from Microsoft's backend IP address space and Azure's infrastructure services only.
Use the AzureFrontDoor.Backend service tag with Azure CDN from Microsoft to configure Microsoft's backend IP ranges. For a complete list, see IP Ranges and Service tags for Microsoft services here: https://www.microsoft.com/en-us/download/details.aspx?id=56519
This is the only way to achieve this right now. As the CDN IPs can keep changing from time to time, it is not a good idea to restrict it to a specific IP address range. Hope this helps.
Please let us know if you have any more questions and we will be glad to assist you further. Thank you!
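The two controls discussed in the answers above (a firewall that admits only the CDN service-tag ranges, and anonymous access switched off so that getting through the firewall grants nothing) can be checked together. This is an added example, not part of either answer and not Microsoft's code. It assumes the Service Tags JSON layout (`values[].properties.addressPrefixes`) and the field names printed by `az storage account show`; all sample data is constructed from documentation address ranges.

```python
import ipaddress

# Constructed sample in the layout of the Service Tags JSON download (documentation ranges).
SAMPLE_TAGS = {"values": [{"name": "AzureFrontDoor.Backend", "properties": {
    "addressPrefixes": ["198.51.100.0/24", "203.0.113.8/32", "2001:db8::/32"]}}]}

# Constructed sample shaped like `az storage account show` output (assumed field names).
SAMPLE_ACCOUNT = {
    "allowBlobPublicAccess": None,
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [
        {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"},
        {"action": "Allow", "ipAddressOrRange": "192.0.2.10"}]},
}

def rules_from_tag(tags, name="AzureFrontDoor.Backend"):
    """Turn a service tag's prefixes into storage firewall IP rule values."""
    entry = next((v for v in tags["values"] if v["name"] == name), None)
    if entry is None:
        raise KeyError(f"service tag {name!r} not found")
    rules = []
    for prefix in entry["properties"]["addressPrefixes"]:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 4:
            continue  # assumption: storage IP rules take IPv4 only
        if net.prefixlen >= 31:
            rules.extend(str(ip) for ip in net)  # assumption: /31 and /32 go in as single IPs
        else:
            rules.append(str(net))
    return rules

def audit_account(account, expected_rules):
    """Return findings for the two controls the answers rely on."""
    findings = []
    # A null or missing value is reported too: it is not an explicit "disabled".
    if account.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob access not disabled at account level")
    rule_set = account.get("networkRuleSet") or {}
    if rule_set.get("defaultAction") != "Deny":
        findings.append("firewall default action is not Deny")
    present = {r["ipAddressOrRange"] for r in rule_set.get("ipRules", [])}
    missing = sorted(set(expected_rules) - present)
    extra = sorted(present - set(expected_rules))
    if missing:
        findings.append(f"CDN ranges missing from firewall: {missing}")
    if extra:
        findings.append(f"rules not in the service tag: {extra}")
    return findings

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_ACCOUNT, rules_from_tag(SAMPLE_TAGS)):
        print(finding)
```

Disabling anonymous access at the account level covers every container at once, so the per-container access level no longer has to be remembered.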