Azure CDN on custom domain with HTTPS access and SIP parameter in SAS token uses the incorrect IP address

Bas Breijer 0 Reputation points
2024-08-30T08:26:39.3866667+00:00

In April 2024 we encountered an issue where accessing a CDN on a custom domain with HTTPS access and a SIP parameter in the SAS token uses the incorrect IP address, which always led to a 401 response.

Therefore I started support case 2404240050004042.

The SAS-token evaluation uses the internal IP address of the AFD instead of the actual client IP address. After a lot of calls and e-mails it turns out that there is no work around or additional header/setting to have the SAS token IP address evaluation use the actual client IP address.

Therefore the IP restriction on the SAS token is useless in the case where a CDN is behind an AFD (as documented to be the only possibility if you require HTTPS).

Could you add a custom header to the SAS token IP evaluation which can be added by the AFD rules engine to allow the actual client IP to be used?

Azure Front Door

1 answer

  1. Ganesh Patapati 1,270 Reputation points Microsoft Vendor
    2024-08-30T17:05:44.89+00:00

    Hi Bas Breijer,

    Greetings of the day!

    It sounds like you've encountered an issue with SAS token evaluation and IP restrictions when using an Azure Front Door (AFD) in front of your CDN. It's unfortunate that there's currently no workaround or setting to have SAS token IP address evaluation use the actual client IP.

    While there is currently no built-in workaround or additional header/setting to address this issue, there are a few potential solutions you could explore:

    1. Request Feature Enhancement: You could submit a feature request to the Azure team to add a custom header to the SAS token IP evaluation that can be used by the AFD rules engine to allow the actual client IP address to be used. This would provide a more flexible solution for scenarios where HTTPS access and IP restrictions are required.
    • As this is something which is not supported, we encourage customers to create a feedback item for this request on the feedback forum:

    https://feedback.azure.com/d365community

    Looking forward to your response and appreciate your time on this.

    If the response above addresses your question, please consider clicking "Accept Answer" and "Upvote It".

    This way, others in the community who might have similar concerns can easily discover the solution.

    Your feedback is greatly valued!

    Regards,

    Ganesh Patapati
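
The behaviour described in the question, modelled as an added example (not part of the original thread and not Microsoft's code): it parses the `sip` value of a SAS URL and evaluates it against the address the evaluator actually sees, which is the last hop rather than the client. The URL, addresses and function names are constructed for illustration; the single-address or `start-end` form of `sip` is assumed from the Azure Storage SAS documentation.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample: SAS URL restricted to a documentation-range client block.
SAMPLE_URL = ("https://cdn.example.com/container/file.bin"
              "?sv=PLACEHOLDER&sr=b&sp=r"
              "&sip=203.0.113.10-203.0.113.20&sig=CONSTRUCTED")


def parse_sip(sas_url):
    """Return (low, high) IPv4 bounds from the `sip` parameter, or None if absent."""
    values = parse_qs(urlsplit(sas_url).query).get("sip")
    if not values:
        return None
    low, _, high = values[0].partition("-")
    lo = ipaddress.IPv4Address(low.strip())
    hi = ipaddress.IPv4Address(high.strip()) if high else lo
    if hi < lo:
        raise ValueError("sip range end is below range start")
    return lo, hi


def sip_allows(sas_url, source_ip):
    """True when source_ip satisfies the token's sip restriction (or none is set)."""
    bounds = parse_sip(sas_url)
    if bounds is None:
        return True
    lo, hi = bounds
    return lo <= ipaddress.IPv4Address(source_ip) <= hi


def evaluate_path(sas_url, client_ip, hops):
    """Model of the reported behaviour: the check runs against the address of the
    last hop that opens the connection (hypothetical AFD address), not the client."""
    seen = hops[-1] if hops else client_ip
    return {
        "seen": seen,
        "allowed": sip_allows(sas_url, seen),
        "client_would_pass": sip_allows(sas_url, client_ip),
    }


if __name__ == "__main__":
    # Direct request passes; the same client behind a proxy hop is rejected.
    print(evaluate_path(SAMPLE_URL, "203.0.113.15", []))
    print(evaluate_path(SAMPLE_URL, "203.0.113.15", ["10.0.0.5"]))  # constructed hop
```

Comparing `seen` with the token's `sip` bounds is a quick way to confirm whether a rejected request is caused by the intermediate hop rather than by the signature or expiry.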

