-2

I have an Azure storage account that hosts 20 MB files. Users download the files directly from the storage account, and there is no CDN or anything monitoring the traffic. I'm concerned that users can download mass amounts of data, leading to high egress costs for us. Preferably, I want to use a service that costs less than the amount that we would save by using such service.

There are two possible ways I want to solve this:

  1. Limit an IP to 50 downloads a day. This is ideal but might take some time to set up.
  2. Limit an IP to a reasonable rate, like 5 per second. This sounds like something that Azure DDoS Protection is designed to do, though that service costs a lot.

Is there a good solution to enable us to rate limit downloads to our Azure Storage account?

Would the free tier of Cloudflare work for this use case?

MakotoE
  • Just an update to our current solution. We decided to use Cloudflare and it drastically reduced our load without needing to pay a cent. It does require some setup but it was well worth it. – MakotoE Nov 26 '22 at 21:32
  • Can you provide more details on how Cloudflare helped you? Thanks! – stefan.at.kotlin Jun 25 '23 at 12:45
  • @stefan.at.kotlin My solution doesn't answer this question, which is why I only left it as a comment. My need for a rate limiter was for cutting costs. While we don't use Cloudflare's rate limiter, we use it as our CDN. What we pay for are egress costs from Azure which is like 1% of what we originally had before Cloudflare. If you are seeking a simple rate limiter, you can also use Cloudflare's paid option. The answer below is for a more complex solution involving user accounts. – MakotoE Jun 25 '23 at 23:10
  • Very interesting with the CDN cost! Just wanted to learn more about Cloudflare, now I did, thanks :-) – stefan.at.kotlin Jun 26 '23 at 16:22

2 Answers

3

I would suggest looking at Shared Access Signatures (SAS). While these can't limit bandwidth, you can set expirations. I would envision doing some sort of application on the front end that would require a user to register before downloading and/or a CAPTCHA to eliminate bots from downloading. Then the application will create a near-term expiration SAS token that would essentially allow the user to only download the item once.

Configure a SAS expiration policy for the storage account. A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning. If Azure Storage logging with Azure Monitor is enabled, then an entry is written to the Azure Storage logs. To learn more, see Create an expiration policy for shared access signatures.

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
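
A sketch of the front-end flow this answer describes, combined with the 50-downloads-per-day cap from the question; it is an added example, not code from the answer's author. The account and container names, the two-minute lifetime and the in-memory counter are assumptions, and signing uses `generate_blob_sas` from the `azure-storage-blob` package.

```python
import datetime as dt
from collections import defaultdict
from urllib.parse import quote

ACCOUNT = "examplestorage"              # placeholder account name (assumption)
CONTAINER = "downloads"                 # placeholder container name (assumption)
DAILY_LIMIT = 50                        # per-IP cap taken from the question
SAS_LIFETIME = dt.timedelta(minutes=2)  # assumed: enough for one 20 MB file


def make_azure_signer(account_key):
    """Return a signer that builds a read-only, IP-bound service SAS URL."""
    def sign(blob_name, client_ip, expiry):
        # Imported lazily so the quota logic can be exercised without the SDK.
        from azure.storage.blob import BlobSasPermissions, generate_blob_sas
        token = generate_blob_sas(
            account_name=ACCOUNT, container_name=CONTAINER, blob_name=blob_name,
            account_key=account_key,
            permission=BlobSasPermissions(read=True),  # read only, no list/write
            expiry=expiry,
            ip=client_ip,      # token is honoured only from the requesting address
            protocol="https",
        )
        return (f"https://{ACCOUNT}.blob.core.windows.net/"
                f"{CONTAINER}/{quote(blob_name)}?{token}")
    return sign


class DownloadGate:
    """Counts links issued per (IP, UTC day) and refuses once the cap is hit."""

    def __init__(self, signer, limit=DAILY_LIMIT):
        self.signer = signer
        self.limit = limit
        self.issued = defaultdict(int)  # in-memory; a shared store is needed at scale

    def issue_url(self, client_ip, blob_name, now=None):
        now = now or dt.datetime.now(dt.timezone.utc)
        key = (client_ip, now.date())
        if self.issued[key] >= self.limit:
            return None                 # caller should answer with HTTP 429
        self.issued[key] += 1
        return self.signer(blob_name, client_ip, now + SAS_LIFETIME)
```

The gate only matters if the container disallows anonymous access, so every download has to go through `issue_url`. A SAS can be replayed until it expires, which is why the lifetime is kept short and the token is bound to the caller's IP.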

-2

You can't limit downloads the way you describe. You are paying for read operations on the Storage Account and for Networking Transfer (download), which are two different services.

Check costs of storage: Storage Account Pricing

Maybe you should use a different type of resource for your case, such as FTP?

Mski