How can we improve Azure Networking?

Is it possible to expose Azure blob storage via Application Gateway

Expose Azure blob storage via Application Gateway.

I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.

This would allow scanning for malicious content via virtual appliances before content is stored in blob.

133 votes
Sign in
Sign in with: Microsoft
Signed in as (Sign out)
You have left! (?) (thinking…)
Salman shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Sign in with: Microsoft
Signed in as (Sign out)
  • Yohan S. commented  ·   ·  Flag as inappropriate

    In our case it could be great to have URL based routing :
    - will be routed to the right blobstorage container
    - will be routed to the right appservice.

    In our case we can't rely on a CDN as we need to provide static IPs to whitelist access to our solution with our partners for security concerns.

  • Marcel commented  ·   ·  Flag as inappropriate

    Hi, this should be possible already. Although indirectly I guess. Have a look at this link:

    My scenario, VNet with s2s tunnel access. No public connectivity. App gateway deployed into specific subnet of vnet, the latter is whitelisted on blob storage.

  • Tom Wilson commented  ·   ·  Flag as inappropriate

    I'm looking to host a static azure storage website and need a public ip, app gateway would give me this right?

  • Teppei Ishii commented  ·   ·  Flag as inappropriate

    I believe Application Gateway and Azure Storage integration is reasonable.

    Currently Azure CDN cannot act as WAF to drop malicious traffic. In addition, we have better metrics & diagnostic logs for Application Gateway than Azure CDN.

    There's no limit to achieving better security for users, so I appreciate if you consider that.
    I personally tested AppGw and Azure Storage integrated great by setting "PickHostNameFromBackendAddress" on AppGw. We just do not have PG guarantee with this scenario.

  • Salman commented  ·   ·  Flag as inappropriate

    Azure CDN would mean the content is replicated which I do not want. Also with CDN managing SAS tokens is challenging as current documentations says CDN does not respect the SAS restrictions.

    So in the mean time if there is no Application Gateway support for what I want to achieve, the fall back would be
    API Gateway - Azure Function - Blob Storage ?
    and the network traffic between the Azure Function and the Blob can be monitored for maliacious content

Feedback and Knowledge Base