
In a security audit, the team said currently my storage account is not secure as it has neither Firewall enabled for allowing specific IPs, nor vnet configured.

But my CDN Profile has an endpoint to the storage account. I wonder how I would be able to allow the CDN to pass through the Firewall. The application is a web app. Does anyone have any suggestions on this?

Currently the CDN works only when Allow Access from All networks is enabled.

John
  • To clarify a bit: You have a web app that uses a CDN which is based on an Azure storage endpoint. Your question is: How do I introduce a firewall between the CDN and storage account? Is your desire to prevent any direct public access to the storage account? – KWilson Jun 04 '18 at 13:18
  • @KWilson : Yes, exactly. Allow only web app and CDN to access to Storage account, block any direct access. – John Jun 04 '18 at 13:57

1 Answer

Azure does not currently support restricted service endpoints for storage accounts being used by App Services Web Apps (different story with App Service Environments, ASE). So basically you can't block and IP-filter the traffic coming into your storage account without explicitly associating it with a VNet in Azure.

App Service Environments are a special kind of App Service configuration that does give you your own private VNet. So you could potentially explore this configuration with that approach. (Higher costs)

KWilson
  • Agree with ASE, but it is not an option due to cost. The question is how to allow CDN when restricting the storage account to firewall/vnet? Under `Firewalls and virtual networks`, if I choose Selected network, CDN stops working immediately. Also there is an option to check `Allow trusted Microsoft Services...` and CDN is not part of the trusted services. – John Jun 05 '18 at 06:40
  • @John the Trusted Microsoft Services option is just for some specific services (backup, Event Grid, etc.). I am guessing that the problem you are hitting is that you don't have the IP address ranges for the connections coming from the CDN. That right? If you are using the Azure CDN service with Verizon the ranges are published here: https://msdn.microsoft.com/library/mt757330.aspx – KWilson Jun 05 '18 at 14:16