|
| 1 | +--- |
| 2 | +title: Hosting static content in Azure Blob Storage |
| 3 | +weight: 210 |
| 4 | +toc: true |
| 5 | +url: /nginxaas/azure/quickstart/hosting-static-content-blob-storage/ |
| 6 | +type: |
| 7 | +- how-to |
| 8 | +--- |
| 9 | + |
| 10 | +F5 NGINXaaS for Azure (NGINXaaS) can serve static content stored in Azure Blob Storage using private endpoints, ensuring maximum security by keeping your storage account completely inaccessible from the public Internet. This approach also eliminates the configuration payload size limitations of local hosting. |
| 11 | + |
| 12 | +## Before you begin |
| 13 | + |
| 14 | +- [An Azure Storage Account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create) |
| 15 | +- [An NGINXaaS for Azure deployment]({{< ref "/nginxaas-azure/getting-started/create-deployment" >}}) |
| 16 | +- [A virtual network with available subnet space for private endpoints](https://learn.microsoft.com/en-us/azure/virtual-network/quick-create-portal) |
| 17 | +- Static content files to serve |
| 18 | + |
| 19 | +## Configure Azure Blob Storage |
| 20 | + |
| 21 | +### Upload static files to a container |
| 22 | + |
| 23 | +Upload your static files to a container in your storage account. In this example, we'll use a container named `content`. |
| 24 | + |
| 25 | +### Disable public network access |
| 26 | + |
| 27 | +1. In your storage account, navigate to **Networking** under **Security + networking**. |
| 28 | +1. Under **Public network access**, select **Disable**. |
| 29 | +1. Click **Save**. |
| 30 | + |
| 31 | +### Disable anonymous blob access |
| 32 | + |
| 33 | +1. In your storage account, navigate to **Configuration** under **Settings**. |
| 34 | +1. Find the **Allow Blob anonymous access** setting and set it to **Disabled**. |
| 35 | +1. Click **Save**. |
| 36 | + |
| 37 | +### Set container access level to private |
| 38 | + |
| 39 | +1. Navigate to **Containers** under **Data management**. |
| 40 | +1. Select your container (for example, `content`). |
| 41 | +1. Click **Change access level**. |
| 42 | +1. Set **Anonymous access level** to **Private (no anonymous access)**. |
| 43 | +1. Click **OK**. |
| 44 | + |
| 45 | +### Create a new subnet for private endpoint NICs |
| 46 | + |
| 47 | +1. Navigate to your virtual network where NGINXaaS is deployed. |
| 48 | +1. Go to **Subnets** under **Settings**. |
| 49 | +1. Click **+ Subnet**. |
| 50 | +1. Create a new subnet which will be used to assign IP address to your Private Endpoint NIC. |
| 51 | +1. Make a note of the subnet name for the next step. |
| 52 | + |
| 53 | +### Create a private endpoint |
| 54 | + |
| 55 | +1. In your storage account, navigate to **Networking** under **Security + networking**. |
| 56 | +1. Go to the **Private endpoint connections** tab. |
| 57 | +1. Click **+ Private endpoint**. |
| 58 | +1. Configure the private endpoint: |
| 59 | + - **Name**: Provide a descriptive name for the private endpoint |
| 60 | + - **Network Interface Name**: Provide a name for the network interface |
| 61 | + - **Target sub-resource**: Select **blob** |
| 62 | + - **Virtual network**: Select the same virtual network as your NGINXaaS deployment |
| 63 | + - **Subnet**: Select the subnet created in the previous step |
| 64 | + - **Private DNS integration**: Enable this option to automatically create DNS records |
| 65 | + |
| 66 | +### Generate a Shared Access Signature (SAS) token |
| 67 | + |
| 68 | +1. In your storage account, navigate to **Shared access signature** under **Security + networking**. |
| 69 | +1. Configure the SAS token with minimal required permissions: |
| 70 | + - **Allowed services**: Check **Blob** |
| 71 | + - **Allowed resource types**: Check **Object** |
| 72 | + - **Allowed permissions**: Check **Read** only |
| 73 | + - **Start and expiry date/time**: Set appropriate validity period |
| 74 | + - **Allowed protocols**: Select **HTTPS only** |
| 75 | +1. Click **Generate SAS and connection string**. |
| 76 | +1. Copy the **SAS token** (the part starting with `?sv=`). |
| 77 | + |
| 78 | +{{< call-out "important" >}}Store the SAS token securely and regenerate it regularly according to your security policies. Grant only the minimum permissions required for your use case.{{< /call-out >}} |
| 79 | + |
| 80 | +## Configure NGINXaaS |
| 81 | + |
| 82 | +Create an NGINX configuration that uses the private endpoint and SAS token to access your Azure Blob Storage. The following NGINX config points to the `content` directory with `/static/` location and uses the SAS token from the previous step to authorize requests to blob storage. The resolver is set to 168.63.129.16 which is the Azure internal DNS IP. It doesn't change. It resolves the storage account endpoint to the private endpoint IP configured earlier. |
| 83 | + |
| 84 | +```nginx |
| 85 | +user nginx; |
| 86 | +worker_processes auto; |
| 87 | +worker_rlimit_nofile 8192; |
| 88 | +pid /run/nginx/nginx.pid; |
| 89 | +
|
| 90 | +error_log /var/log/nginx/error.log error; |
| 91 | +
|
| 92 | +http { |
| 93 | + upstream storage_origin { |
| 94 | + server your-storage-account.blob.core.windows.net:443; |
| 95 | + keepalive 32; |
| 96 | + } |
| 97 | + resolver 168.63.129.16 valid=10s; |
| 98 | + server { |
| 99 | + listen 443 ssl; |
| 100 | + set $sas_token '?sv=YYYY-MM-DD&ss=b&srt=o&sp=r&se=YYYY-MM-DDTHH:MM:SSZ&st=YYYY-MM-DDTHH:MM:SSZ&spr=https&sig=YOUR_SAS_SIGNATURE_HERE'; |
| 101 | + ssl_certificate /etc/nginx/example.cert; |
| 102 | + ssl_certificate_key /etc/nginx/example.key; |
| 103 | + location /static/ { |
| 104 | + rewrite ^/static/(.*)$ /content/$1 break; |
| 105 | + proxy_pass https://storage_origin$uri$sas_token; |
| 106 | + proxy_set_header Host your-storage-account.blob.core.windows.net; |
| 107 | + proxy_http_version 1.1; |
| 108 | + proxy_set_header Connection ""; |
| 109 | + } |
| 110 | + } |
| 111 | +} |
| 112 | +``` |
| 113 | + |
| 114 | +{{< call-out "important" >}}Replace the following placeholders: |
| 115 | +- `your-storage-account` with your actual storage account name |
| 116 | +- `YOUR_SAS_SIGNATURE_HERE` with your actual SAS token signature |
| 117 | +- Update the SAS token parameters according to your generated token{{< /call-out >}} |
| 118 | + |
| 119 | +### Configuration breakdown |
| 120 | + |
| 121 | +{{<table>}} |
| 122 | +| Directive | Description | |
| 123 | +|------------|-------------| |
| 124 | +| **upstream storage_origin** | Defines the Azure Blob Storage endpoint as the backend server | |
| 125 | +| **resolver 168.63.129.16** | Uses Azure's internal DNS resolver to resolve the storage account to the private endpoint IP | |
| 126 | +| **set $sas_token** | Stores the SAS token for authorization | |
| 127 | +| **rewrite** | Maps the `/static/` path to the `/content/` container in blob storage | |
| 128 | +| **proxy_pass** | Forwards requests to the storage account with the SAS token appended | |
| 129 | +| **keepalive 32** | Maintains persistent connections for better performance | |
| 130 | +{{</table>}} |
| 131 | + |
| 132 | +## Upload the configuration |
| 133 | + |
| 134 | +Upload your NGINX configuration to your NGINXaaS deployment following the instructions in the [NGINX configuration]({{< ref "/nginxaas-azure/getting-started/nginx-configuration/nginx-configuration-portal.md" >}}) documentation. |
| 135 | + |
| 136 | +## Test the configuration |
| 137 | + |
| 138 | +1. Go to `https://<NGINXaaS IP>/static/<your-file-name>` to access your static content. |
| 139 | +1. For example, if you have an `index.html` file in your `content` container, access it via `https://<NGINXaaS IP>/static/index.html`. |
| 140 | +1. Your content should be served from Azure Blob Storage through the private endpoint. |
| 141 | + |
| 142 | +## Verify private endpoint connectivity |
| 143 | + |
| 144 | +You can verify that traffic flows through the private endpoint by checking that: |
| 145 | + |
| 146 | +1. The storage account is completely inaccessible from the public Internet |
| 147 | +1. DNS resolution of your storage account resolves to the private IP address of the private endpoint |
| 148 | +1. Network traffic flows through your virtual network without traversing the public Internet |
| 149 | + |
| 150 | +## Benefits of this approach |
| 151 | + |
| 152 | +- **Maximum security**: Storage account is completely private with no public Internet access |
| 153 | +- **No payload size limits**: Unlike local hosting, you're not limited by the 3 MB configuration payload size |
| 154 | +- **Scalable storage**: Azure Blob Storage can handle large amounts of static content |
| 155 | +- **Network isolation**: All traffic flows through your private virtual network |
| 156 | +- **Cost-effective**: Azure Blob Storage offers cost-effective storage for static content |
| 157 | +- **Controlled access**: SAS tokens provide fine-grained access control with expiration |
| 158 | + |
| 159 | +## Security considerations |
| 160 | + |
| 161 | +- **SAS token management**: Regularly rotate SAS tokens and grant minimal required permissions |
| 162 | +- **Network isolation**: Ensure private endpoints are properly configured in isolated subnets |
| 163 | +- **Access monitoring**: Enable logging and monitoring for storage account access |
| 164 | +- **Principle of least privilege**: Grant only the minimum permissions necessary for your use case |
| 165 | + |
| 166 | +## Limitations |
| 167 | + |
| 168 | +- Requires private endpoint configuration and additional subnet space |
| 169 | +- SAS tokens need regular rotation and management |
| 170 | +- Additional complexity compared to public access methods |
| 171 | +- Private endpoint incurs additional Azure networking costs |
0 commit comments