
The goal is to have a single address (static.example.com) to access static resources from multiple storage accounts with dynamic access control (based on IP range).

static.example.com/resource-1/... - accessible to all users and served via CDN
static.example.com/resource-2/... - accessible to all users and served via CDN
static.example.com/resource-3/... - accessible only to internal users
static.example.com/resource-4/... - accessible only to internal users
static.example.com/resource-5/... - accessible only to internal users
static.example.com/resource-6/... - accessible only to internal users

Constraints:

  • resources available to users from the internal network must be served under the same hostname, static.example.com
  • resources available to users from the internal network must be stored in a different storage account

The highlighted area in the diagram below marks the place for the Azure service(s) to be used. The question is: which Azure services could be used (and how) to achieve the described requirements?

Any help or advice is appreciated.

Solution diagram for prod and non-prod access

minijus
  • I would probably try either API Management or Function Proxies https://www.serverless360.com/blog/azure-function-proxies – silent Mar 09 '20 at 17:07
  • @silent Thanks for the idea, I will investigate these options. I just wonder if Function Proxy will make the CDN obsolete. Basically, the user, instead of downloading the resource from a geographically close POP, will always download from the location where the Function is hosted. And having this in mind and the requirements, is it even possible to have such a type of routing with access control and still get the benefits of a CDN? – minijus Mar 09 '20 at 18:54
  • Hm, probably not. Thinking further about this, you might be able to use Azure Front Door. There is caching (on the edge nodes) built in. You would need to check if that would work with your file sizes. – silent Mar 09 '20 at 19:27
  • Thank you @silent. AFD looks very promising, I will give it a try and in case I manage to achieve the desired requirements with AFD, I will update the topic with the answer. – minijus Mar 10 '20 at 09:36

2 Answers

You can easily achieve the desired scenario using the Azure Application Gateway (AAGW).

I have done a similar scenario, which is a little more complex than this one. That also had an Azure Traffic Manager sitting in front. You can use the URL Routing and Redirection in AAGW to achieve the outcome.

https://learn.microsoft.com/en-us/azure/application-gateway/url-route-overview

https://learn.microsoft.com/en-us/azure/application-gateway/redirect-overview

The Bahree
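
The routing and access decision the question asks for, written as a gateway-independent Python model (an added example, not code from the post and not Application Gateway configuration). The storage account names and the 10.0.0.0/8 internal range are assumptions; the six path prefixes come from the question.

```python
import ipaddress
import posixpath

# Assumed internal range; the question does not state one.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Path prefix -> (backend storage account, internal_only).
# "publicstore" and "internalstore" are hypothetical account names.
ROUTES = {f"resource-{n}": ("publicstore", False) for n in (1, 2)}
ROUTES.update({f"resource-{n}": ("internalstore", True) for n in (3, 4, 5, 6)})


def is_internal(client_ip):
    """True only if client_ip parses and falls inside an internal network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable address is treated as external
    return any(addr in net for net in INTERNAL_NETS)


def route(path, client_ip):
    """Return (status, backend, cacheable) for one request.

    client_ip must be the address observed by the trusted edge, not a
    header the client can set. path is assumed to be percent-decoded already.
    """
    # Normalise before matching, so /resource-1/../resource-3/x is
    # evaluated as resource-3 and cannot borrow the public rule.
    clean = posixpath.normpath("/" + path.lstrip("/"))
    prefix = clean.split("/")[1]
    if prefix not in ROUTES:
        return (404, None, False)
    backend, internal_only = ROUTES[prefix]
    if internal_only and not is_internal(client_ip):
        return (403, None, False)
    # Internal responses are marked non-cacheable: a copy held in a shared
    # edge cache would be served without the IP check being repeated.
    return (200, backend, not internal_only)
```

The third element of the result is the point the comments raise about CDN benefits: only the public prefixes can be cached at the edge, while internal prefixes have to reach the access check on every request.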