
We have VAPT findings to add a storage account to a private endpoint.

The storage account is used by Azure CDN as the origin.

After adding the endpoint, the Azure CDN cannot access the storage account and returns an error as an XML page.

How can the storage account be accessed through the private endpoint from Azure CDN?

Apurv Mishra

2 Answers


You need to give access over the firewall. For Microsoft CDN (classic) that would be the following range 147.243.0.0/16 as found in the Microsoft documentation.

NotFound
  • Does simply adding the IP work? Or do we have to use the service tag for Azure CDN (AzureFrontDoor.Backend)? I tried adding the tag to the inbound rules of the NSG corresponding to the private endpoint but that didn't work. – zane May 16 '22 at 05:40
  • It is on the classic tier. This is the command I used in the az CLI: `az network nsg rule create -g ResourceGroupName --nsg-name NetworkSecurityGroupName -n RuleName --priority 200 --source-address-prefixes AzureFrontDoor.Backend --direction Inbound --access Allow --protocol '*' --description "Allow Azure CDN to NSG"`. This still gave me the access restricted error. But whitelisting the IP address worked. – zane May 16 '22 at 11:09
  • @Mehnaz you are correct. The newly updated Microsoft documentation threw me off with the newly added tag. You'll need to configure the firewall on the storage account itself. The private DNS zone is only used by the attached virtual networks, and the CDN doesn't reside inside your vnet, thus it won't use the private endpoint. – NotFound May 17 '22 at 08:28
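An added check, not from either answer, for the storage-account firewall setting this answer and its comments describe: it audits a `networkRuleSet` in the shape `az storage account show` returns (assumed here from the ARM `networkAcls` schema) and flags the two failure modes seen in this thread, a default-allow firewall and a default-deny firewall with no rule covering the CDN range 147.243.0.0/16. The sample rule sets are constructed.

```python
import ipaddress
from typing import List

# Range quoted in the answer above for Microsoft CDN (classic) origin
# requests; confirm it against current Microsoft documentation before use.
CDN_CLASSIC_RANGE = ipaddress.ip_network("147.243.0.0/16")

# Constructed samples in the ARM networkAcls shape (assumed, not from the page).
WEAK_RULE_SET = {"bypass": "AzureServices", "defaultAction": "Allow",
                 "ipRules": [], "virtualNetworkRules": []}
HARDENED_RULE_SET = {"bypass": "AzureServices", "defaultAction": "Deny",
                     "ipRules": [{"action": "Allow",
                                  "ipAddressOrRange": "147.243.0.0/16"}],
                     "virtualNetworkRules": []}


def audit_network_rule_set(rule_set: dict) -> List[str]:
    """Return findings for a storage account networkRuleSet (empty = OK)."""
    findings = []
    default_deny = rule_set.get("defaultAction") == "Deny"
    if not default_deny:
        findings.append("defaultAction is not Deny: the account is reachable "
                        "from every network, the private endpoint adds nothing")
    allowed = []
    for rule in rule_set.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        # A bare address is normalised to a /32 network by ip_network().
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        allowed.append(net)
        same_family = net.version == CDN_CLASSIC_RANGE.version
        if not (same_family and net.subnet_of(CDN_CLASSIC_RANGE)):
            findings.append(f"ipRule {net} is outside the CDN range "
                            f"{CDN_CLASSIC_RANGE}; narrow it to the CDN only")
    covered = any(net.version == CDN_CLASSIC_RANGE.version
                  and CDN_CLASSIC_RANGE.subnet_of(net) for net in allowed)
    if default_deny and not covered:
        # This is the state behind the XML error in the question: the CDN
        # is not in the vnet, so only an ipRule can let it through.
        findings.append("no ipRule covers the CDN range; CDN origin pulls "
                        "will be refused by the storage firewall")
    return findings


if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULE_SET), ("hardened", HARDENED_RULE_SET)):
        print(name, audit_network_rule_set(rs) or ["OK"])
```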

If you've placed your storage account behind a private link, then I imagine you probably want to protect its content from unwanted access.

I think @travisez13's solution would allow anything running in Azure to access the storage account directly, assuming they could guess the names.

I think you may want to try this approach instead: https://learn.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support

dididothat