Azure cdn IP address restriction possible?

Question

I am just about to build a new cloud in azure to be used as image server for multiple websites. I created is a storage, endpoint, cdn - all working well. I set up an Ubuntu host in the middle that will be used to resize images from original size in the storage accordingly to the request parameters in the URL, using apache2 and php.

If I would want to restrict access to only one IP - where would I do this?

Answer 1

If you use the new Azure Premium CDN offering (available as of Dec.2015), you can make IP-based rules.

1. Go to the Azure RM (portal.azure.com) management portal
2. Create a Premium Azure CDN endpoint
3. Click the "Manage" icon to be taken to the cdn.windowsazure.com management console
4. On the Rules Engine tab, you can create rules based on Client IP Addresses.
5. For your scenario, you could consider a rule such as: IF (your servers IP address) Features > Deny Access (403) (Enabled)

Please see https://azure.microsoft.com/en-us/documentation/articles/cdn-rules-engine-details/ for a full rules reference.

Answer 2

Tips that if serving images from Ubuntu Host, you can try to use the iptables to control the network traffic, please see the Ubuntu community doc https://help.ubuntu.com/community/IptablesHowTo.

Answer 3

Azure's CDN is public, without IP-filtering. Azure Storage (direct access to blobs, without the CDN) may have both public and private links, and you may grant temporary access to private blobs with a shared access signature - again, no IP-level filtering.

If you serve your images from your linux VM, then you may set up inbound rules to filter traffic based on IP ranges, by setting up Access Control Lists (ACLs).