Reputation: 3631
Is it bad to open public network access for Blob storage that is hosting static website?
I have uploaded my ReactJS SPA to Blob storage and I have enabled static website hosting.
Now I have this Primary endpoint url: https://myapp1.z11.web.core.windows.net/ and I can view the website with it.
However, in order for my website to be accessible by customers, I must do "Enabled from all networks" in the "Public network access" section of networking configurations.
What does it mean to make it public? Does it mean the files stored in the container are all available for downloading from the public internet? Or does it only mean that the static website is accessible from the public?
Is this a bad practice to make it public? What are the risks?
I have tried to put Azure FrontDoor in front of the Blob Storage static website. However, here are the problems:
I still need to enable Public network access for all networks in the blob storage, to allow the frontdoor to access the website.
If I wish to keep the Blob private instead of public, It is recommended to use private link with FrontDoor Premium. However the Premium is too expensive and it is absolutely ruled out.
Azure should provide a simple way to make Blob storage hosting a static website private, and allow traffic only from a standard / classic FrontDoor instance. AWS provides such features with their CloudFront and S3 bucket, they are really handy.
FrontDoor provides protections against XSS and DDoS, which Blob storage static website does not provide.
Upvotes: 0
Views: 1693
Answers (1)
Reputation: 5570
Created blob storage enabled static website to have a Primary endpoint URL: https://XXXXX.z13.web.core.windows.net/ that I can view the website with it.
While enabling Public network access means that your website is accessible from the public internet. It doesn't mean that the files in the container can be downloaded directly through the Blob storage URL from the public internet. The content can be accessed and retrieved by anyone.
Making your website public as various risks, unauthorized access It could be risky, if the container contains private or any sensitive information you don't want to access anyone else.
In Azure Front Door does provide additional benefits as DDoS attacks If you want to keep the Blob private you should use private link with Front Door Premium only. In your case Premium is too expensive you can make use of other services like azure CDN Content Delivery Network or Application gateway.
Alternatively, you can use selected networks option under the public network access:
Create a network access rule to whitelist the virtual networks and IP addresses that are allowed to access your static website hosted in Blob storage:
This way, only users or services within the specified networks or with the designated IP addresses would be able to access the website. you can check similar issue of So thread by Kartik Bhiwapurkar
References:
Azure on the Cheap - Azure Storage Static Website and Azure Front Door by jeffrey chilberto
Running an Azure Storage Static Site, protected by Azure Front Door -Azure Readiness Starts Here
Upvotes: 0
Related Questions
- Hosting multiple static websites on Azure Blob Storage
- How to add restirction that only Azure CDN can access the static website in storage accounts container. No direct access of static website blob URL
- Possible options for hosting static website on azure storage
- Serve public images from Blob Storage via Private Link
- Restrict Frontdoor url only for office network or setup basic auth on storage blob service
- Connecting Blob Storage to a Synapse Workspace with Public Network Workspace Access Disabled
- Azure-storage static website access permissions
- IP filtering for static web hosted endpoint through Azure blob storage
- Static website in Azure Blob Storage: How to enable Azure AD Authentication?
- Whats the benefit of using Azure Static Websites vs Blob storage?