Using a SAS token from Frontdoor to Storage

Why you might want to read this article

If your interested in a discussion about How to use a SAS token from Azure Frontdoor to Azure Storage then the below article will discuss this approach and its implementation.

Background

If you have built a typical web application using an Azure platform as a service solution then as enhancements to Azure have evolved over recent years you have more options available to lock down your solution more than you had a few years ago.

One example of a thing companies often like to do is to restrict access to the storage accounts.

In the example reference architecture below you would be using Azure Frontdoor as an entry point to your application. The requests from a user would then be routes to an Azure Web App for dynamic content and if you have static content such as images you would route it to a storage account where the images would be stored.

In this scenario for a PaaS solution you would likely have the storage account accessible from the web app via either a managed identity or an access key for read/write operations but for the CDN to be able to access images you would have a storage account configured with blob level access so the Frontdoor can access the images.

If we consider the perspective of an attacker who might want to access the content in your storage account the attacked might try to check if you have the storage account set to public with a container access policy. This would allow them to index the list of files in the storage container then they could use the url for each file to download them.

Changing the Storage Container to Blob Access

Step 1 is to make sure as a minimum you configure the container to blob rather than container access. This would then limit an attacker to be able to only access a file if they knew the full path.

The below diagram shows the effect of changing storage from container to blob access.

The next question is how can you take this further and try to limit access to the storage account even more.

Changing the Container to Private

If you want to change the access policy of the storage account from container to private then you need to provide an authentication scheme. You are already doing this for the web app using either a managed identity or key but the challenge is how to do it from the Frontdoor. Ideally you would like to do this with a Managed Identity which is currently in preview for Frontdoor but at the moment this is only supporting the use case of getting a certificate for Frontdoor from Key Vault and not injecting the auth header onto a downstream request, so in this case we would want to try and inject a sas token on the route of the call to storage.

The aim would be to get to the stage shown below.

At this point I want to inject a sas token in my Frontdoor rule on the url rewrite action but I couldnt workout how to do it so I got some help from Shashanka Malladi and Nikhil Singhal on the product group teams who gave me some advice on using some of the server variables on Frontdoor.

You can find out more about Nikhil and Malladi on the below links:

Nikhil Singhal – https://www.linkedin.com/in/nikhil-singhal-56933963

Shashanka Malladi – https://www.linkedin.com/in/shashankamalladi/

It turns out you could leverage the {url_path} variable to access the original inbound address. I could modify the address ok but was struggling with how to reference the inbound path to append the sas token on the end of it. Below is the rule I ended up using.

My rule looks like below:

Preserve Unmatched Path = No
Source = /
Destination = /{url__path}?sp=r&st=2023-05-19T12:25:04Z&se=2099-05-19T20:25:04Z&spr=https&sv=2022-11-02&sr=...

I can now change the storage account to private so it will only allow you to access a file if you have an authenticated request.

Note the sas token I used was setup to only allow read of a file from the specific container I want to expose with images for my web app.

At this point we now only allow authenticated requests to the storage account so our attacker is blocked on accessing the image directly from the storage account.

Summary

In this post I wanted to focus on implementing a sas token between Frontdoor and Storage to require authentication to my storage account. You can take things further with this kind of architecture if you wanted to implement a Private Link from Frontdoor to Storage and Private Endpoints and VNet integration between the Web App and Storage. This would take you to the below position and if this is something readers would be interested in I can do more posts about this kind of area.