Is it possible to expose Azure blob storage via Application Gateway
Expose Azure blob storage via Application Gateway.
I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.
This would allow scanning for malicious content via virtual appliances before content is stored in blob.

We are still under consideration for this feature. In the meanwhile, could you use Azure CDN to accomplish this?
6 comments
-
Mark Dommisse commented
At the moment it is not possible to enforce TLS 1.2 and only select secure ciphers on blob storage. Clients can still connect using TLS1.0/1.1 and deprecated ciphers. Application Gateway could provide this for static hosting scenario's.
-
Yohan S. commented
In our case it could be great to have URL based routing :
- mydomain.com/spa will be routed to the right blobstorage container
- mydomain.com/api will be routed to the right appservice.In our case we can't rely on a CDN as we need to provide static IPs to whitelist access to our solution with our partners for security concerns.
-
Marcel commented
Hi, this should be possible already. Although indirectly I guess. Have a look at this link: https://medium.com/@emin.askerov/static-website-hosting-in-azure-storage-with-custom-domain-and-ssl-support-using-azure-application-b17f95c6764c
My scenario, VNet with s2s tunnel access. No public connectivity. App gateway deployed into specific subnet of vnet, the latter is whitelisted on blob storage.
-
Tom Wilson commented
I'm looking to host a static azure storage website and need a public ip, app gateway would give me this right?
-
Teppei Ishii commented
I believe Application Gateway and Azure Storage integration is reasonable.
Currently Azure CDN cannot act as WAF to drop malicious traffic. In addition, we have better metrics & diagnostic logs for Application Gateway than Azure CDN.
There's no limit to achieving better security for users, so I appreciate if you consider that.
I personally tested AppGw and Azure Storage integrated great by setting "PickHostNameFromBackendAddress" on AppGw. We just do not have PG guarantee with this scenario. -
Salman commented
Azure CDN would mean the content is replicated which I do not want. Also with CDN managing SAS tokens is challenging as current documentations says CDN does not respect the SAS restrictions.
So in the mean time if there is no Application Gateway support for what I want to achieve, the fall back would be
API Gateway - Azure Function - Blob Storage ?
and the network traffic between the Azure Function and the Blob can be monitored for maliacious content