
We have a React app hosted in a storage account (with static website enabled). We have an Azure Front Door in front of the storage account.

We are looking at ways to limit access to the storage account, to ensure that only the Azure Front Door could read from it.

We put the storage account in a VNet and tried setting up a private link to allow Azure Front Door access to it. But when setting up the Azure FD profile, we get an error saying "The origin type or host name does not support private link."

Is there a way to secure the storage account in a VNet and allow Azure FD access to it? Or is there a better way to secure this?

  • "to ensure that only the Azure Front Door could read from it." - how does that benefit security? You shouldn't have any secrets (let alone mutable state) in a static website, so what's the problem? – Dai Oct 04 '22 at 03:50
  • > You shouldn't have any secrets (let alone mutable state) in a static website, so what's the problem? - Sure. But we would want to have network and logical isolation of the storage account by placing it in a VNet. And sure - – Arvind Venkataraman Oct 04 '22 at 03:59

1 Answer


• Yes, you surely can secure the connection from the Azure Front Door to the storage account deployed in a virtual network, to be specific, to a static website hosted in it. For that purpose, you will have to deploy an Azure Front Door in the classic tier and configure the frontend domain hostname as ‘xyzfd.azurefd.net’ and the backend pool hostname target as the FQDN ‘storageaccountname.z29.web.core.windows.net’ as shown below, as well as enable the routing rules for this configuration by selecting the accepted protocol and the frontend domain for this routing request:

[Screenshots: Azure Front Door frontend; Azure Front Door backend; Update backend pool; Update routing rule; Routing rule update; DNS zone record set update]

Once done, make sure to create a DNS zone and create the requisite ‘A’ host DNS records in it pertaining to the custom domain that is registered as the frontend domain/hostname in the Azure Front Door, and similarly create a CNAME record for the same hostname/domain name with the alias being the static website primary endpoint, as shown above.

• This will ensure that secure access to the static website is configured through the DNS records registered as above and is accessible through them.

For more information, kindly refer to the link below:

https://docs.rackspace.com/blog/Azure-Front-Door-Storage-Static-Website/

Kartik Bhiwapurkar