Azure Networking Storage – Blocking Direct Access to Static Website on Azure Blob Storage and Allow Only Azure Front Door


I have an SPA webapp deployed on Azure Blob Storage which the URL is public. E.g.

I would like to use Azure Front Door with WAF to increase security. Is there a way to block direct access at the blob URL? I googled it and found many answers out there, one of them is to simply allow only AzureFrontDoor.Backend IPs at Storage Account networking configurations. I tried it and it worked.

However, this method still has a loophole as anyone can just create a Front Door and point to my blob URL (if they happen to discover it somehow).

(This might sound dumb): if I proceed with this method and name my storage account randomly, for example, use a trimmed-down random GUID. ( Can this reduce the possibility that someone might discover my URL and bypass security?

Another method that Azure recommends is to check for X-Azure-FDID header that includes the ID of my particular Front Door instance and drop requests that don't contain this header. I asked my developer if this is possible on Vue webapp and he said we would need to include the Front Door ID in the code which runs on client-side thus exposing the ID to public anyway. (This is not Stack Overflow but if someone can suggest anything on this, it would be great)

Another way I found is to use Azure Front Door Premium SKU which supports connecting to Storage Account using Private Link. This is perfect, but it costs a whopping $165 per month. I'd rather deploy my code on App Service instead as it can natively restrict access from Front Door only.

Can anyone suggest any method on how to achieve this?


Best Answer

Checking the X-Azure-FDID header, in combination with the IP restriction is the only way to lock this down currently without going down the private link route. So you would need to get your application code to validate that, given you don't have anything else in-between FD and the storage account.

Whilst having this in your client side code would expose the ID, it doesn't really matter. The IP restrictions mean that your only allow traffic from Front Door instances, and there is no way for an attacker to set that ID on a different FD instance.

Related Topic