#DevHack: Using Azure CDN with SAS on Verizon Premium

February 25, 2021

In the previous article, I explained how you could use the Shared Access Signature (SAS) in Cloudflare. The reason that I use this approach is to make sure the Azure Storage cannot be publicly accessed. Only via a SAS token blobs can be retrieved or updated. If you want to do this for Azure CDN, I pointed to the documentation to configure this, but it seems that it has changed a bit over time.

Info Using Cloudflare to serve your private Azure Storage Blobs

The article I used to configure it on the Verizon CDN was this one which tells you how to hide CDN SAS token using a rewrite rule. You can accomplish this via the Verizon its Rules Engine, which has been updated to version 4 a long time ago. The interface and configuration are a bit different.

Important Before setting your Azure Storage Account not publicly accessible, be sure to configure the rules first and wait until they are provisioned. It can take 4 hours before your rules are provisioned. After the provisioning, you can safely switch the Azure Storage its public access.

Configuring the rewrite rule

When you go to your CDN on the Azure Portal and click on Manage, it will open the Verizon configuration.

On the configuration page, hover over the HTTP Large and click on Rules Engine V4.0.

Rules Engine v4.0
Rules Engine v4.0

You will end up on a page with an overview of all the active policies/rules. Create a new one under Drafts.

New draft policy/rule
New draft policy/rule

Specify the name for your new rule, and click continue. On the Rule builder, you can start creating your new rewrite rule, and this is where it became a bit different.

Click on + Rule and after that, click on +, and choose Match

Create new rule
Create new rule

Set the select category dropdown to General, and the select match dropdown to Always. Click the + under the condition, choose URL for the category, and URL Rewrite for the feature.

In the source input field, add your CDN its internal relative path: /<cdn-ID>/<CDN-name>/(.*).

Info Note the regex at the end. This regex will retrieve everything that comes after the CDN name, and we can use it for the destination input.

In the destination input, add the following: /<cdn-ID>/<CDN-name>/$1?sv=2020-02-10&ss=b&srt=o&sp=r&se=2021-02-23T17:24:39Z&st=2021-02-23T09:24:39Z&spr=https&sig=<token>. Replace everything after $1 with your own SAS token from the Azure Storage Account.

Info The $1 placeholder will be replaced automatically by the CDN with the value from the regex in the source URL.

Source and destination configuration for rewrite
Source and destination configuration for rewrite

Click on Lock Draft as Policy, which brings you to create the policy deployment screen. Select your environment (Production), add a message, and click on Create Deploy Request.

Create Deploy Request
Create Deploy Request

Now the CDN will start the deployment and will notify if it succeeded.

Waiting on deployment
Waiting on deployment

Important Once this process is completed, make sure you wait a couple of hours before the new policy/rule is implemented on all nodes. Documentation tells you that this process can take up to 4 hours.

Comments

comments powered by Disqus