05 Secure with HTTPS - Azure
To enable HTTPS access with a custom domain mapped to the static website published on an Azure storage account, you need to use Azure CDN. This creates an HTTPS frontend on the Azure CDN service that you can use to access your website.
Terraform
The following Terraform IaC will create:
- CDN Profile
  - Name: `${lower(random_string.this.result)}-${lower(var.environment)}-cdn-profile`
  - SKU: Standard Microsoft
- CDN Endpoint
  - Name: `${lower(random_string.this.result)}-${lower(var.environment)}-cdn-endpoint`
  - HTTP is not allowed
  - HTTPS is allowed
  - Origin: `azurerm_storage_account.this.primary_web_endpoint`
  - Rule: EnforceHTTPS
- Azure DNS CNAME record
  - Name: `azure-resume`
  - Zone: `grinntec.net`
  - Target resource: `azurerm_cdn_endpoint.this.id`
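The resources listed above could be declared as follows. This is an added sketch, not the project's own Terraform: it reuses the references named in the list (`random_string.this`, `var.environment`, `azurerm_storage_account.this`) and assumes a resource group `azurerm_resource_group.this`, a variable `var.dns_resource_group_name` for the DNS zone's resource group, an origin label, and a TTL of 300.

```hcl
# Added example: names marked "assumed" are not from the page.
resource "azurerm_cdn_profile" "this" {
  name                = "${lower(random_string.this.result)}-${lower(var.environment)}-cdn-profile"
  location            = azurerm_resource_group.this.location # assumed resource group
  resource_group_name = azurerm_resource_group.this.name
  sku                 = "Standard_Microsoft"
}

resource "azurerm_cdn_endpoint" "this" {
  name                = "${lower(random_string.this.result)}-${lower(var.environment)}-cdn-endpoint"
  profile_name        = azurerm_cdn_profile.this.name
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  is_http_allowed  = false # plain HTTP is refused at the edge
  is_https_allowed = true

  # The origin block takes a bare hostname, so use primary_web_host
  # (the host part of primary_web_endpoint), not the full URL.
  origin_host_header = azurerm_storage_account.this.primary_web_host
  origin {
    name      = "static-website" # assumed label
    host_name = azurerm_storage_account.this.primary_web_host
  }

  # Redirect rule; it only takes effect if HTTP is ever re-enabled on the endpoint.
  delivery_rule {
    name  = "EnforceHTTPS"
    order = 1
    request_scheme_condition {
      operator     = "Equal"
      match_values = ["HTTP"]
    }
    url_redirect_action {
      redirect_type = "Found" # 302, as in the portal steps
      protocol      = "Https"
    }
  }
}

resource "azurerm_dns_cname_record" "this" {
  name                = "azure-resume"
  zone_name           = "grinntec.net"
  resource_group_name = var.dns_resource_group_name # assumed variable
  ttl                 = 300                         # assumed TTL
  target_resource_id  = azurerm_cdn_endpoint.this.id
}
```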
Azure Portal
In the Azure portal, browse to the storage account, then under Security and networking select Azure CDN. Create a new endpoint and CDN profile and choose your options based on the table below.
Note: Make sure you select the correct `Origin Hostname` from the list. It defaults to `Blob` but you need `Static Website`.
| Setting | Value |
|---|---|
| CDN Profile Name | Give your profile a name. You could use the storage account name and append {NAME}-cdn-profile |
| CDN Endpoint name | Enter a name for the endpoint. It must be globally unique. So choosing the same method as the profile name could be a good idea. For example {NAME}-cdn-endpoint |
| Origin Hostname | From the list make sure you select the static website and not blob |
| Pricing tier | Select any pricing tier that suits you. More details can be found here. For testing choose Microsoft CDN Classic (Standard Microsoft) |
| Query string caching behavior | Choose the caching behavior best suited to your site. For this work I chose to ignore query strings to keep it simple. |
Endpoints
The endpoint will have a different URL to the blob static website. A storage account static website will have a URL of https://{NAME}.web.core.windows.net. An Azure CDN endpoint will have a URL of https://{NAME}.azureedge.net.
The new CDN endpoint URL may return a blank page for the first few minutes, as the edge location first needs to receive a copy of the website before it can serve it.
Origin
The CDN endpoint hosts a local cache of the origin which in this case is the storage account website.
Make sure you are pointing to the `Storage Static Website` origin and not just `Storage`.
Add HTTP > HTTPS rule
To ensure that only HTTPS is supported, you can add a rule to the endpoint that performs a simple redirect. This ensures that only HTTPS is served via the endpoint. It is also useful if you have moved from HTTP to HTTPS and have a system with lots of hardcoded HTTP URIs: the rule lets you keep those URIs as-is and simply changes the protocol in transit, saving a lot of rework.
In the endpoint, go to the Rule engine section and choose Add rule.
Condition
If Request Protocol
- Operator = [Equals]
- Value = [HTTP]
Action
Then URL redirect
- Type - [Found (302)]
- Protocol - [HTTPS]
{{% alert title="Status" %}} At this stage, you have an Azure Storage static website being used as an origin for an Azure CDN profile which is accessible over the default URL of
https://{NAME}.azureedge.net
{{% /alert %}}
References
Configure HTTPS on an Azure CDN custom domain
