Azure : Front Door to Storage Account with Custom Domain

NOTICE: No pigs were harmed in the making of this guide.....this is just a guide, seriously chill out if you are "annoyed" by the domain.

This is a guide on how to set up an Azure Front Door service, with a custom domain, in front of a storage account in Azure. It also covers a number of security-related factors and the WAF configuration, so it is more of a "how it works" project....

There are certain prerequisites that need to be met: you need a domain name (for this example I have used diepiggydiedie.com), and you will obviously need a storage account to link the website to for the static files.

Create Azure Storage Account

Let's create the storage account. For that we need to log in to the Azure portal at https://portal.azure.com, then once you are logged in click Storage Accounts as below:



Then we need a new storage account, via the Create button.....



You then need to choose the resource group you require, then give it a name (I have chosen "diepiggydiedie") and a region, which for me is West US 2. You need Standard performance with LRS redundancy; it's a lab for me, not production.



We will be using the static website and nothing else, so I have enabled all the security options, as access will not be allowed from outside the Azure tenant...



Network connectivity is "Disabled for public and private access" for the moment; as you will see, that may change later.



Network routing is "Internet routing", as we do not need internal Azure routing....


Data protection for this will only require versioning, that's all...



Finally, for Encryption we need Microsoft-managed keys (MMK), and that applies to Blobs and Files only.



You can now review and submit your storage account and let it "cook".


Once this completes you will see it in Storage accounts under the name you specified:


You then need to go into that storage account and enable "Static website" mode; as you can see here, move the slider from Disabled to Enabled.



That will then give you the endpoint name and the option to set a default (index) document, which for now we will leave blank.



Then, under Configuration, ensure you change the blob access tier to "Cool" rather than "Hot"; we do not need frequently accessed data enabled, this is a lab.
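The settings chosen in the steps above can be checked after the fact rather than trusted from memory. The following is an added example written for this guide, not an Azure tool: a small posture check that runs over the JSON printed by `az storage account show -n <name> -g <rg> -o json` and reports every setting that deviates from what the guide selects. The key names are the camelCase properties the Azure CLI emits for a storage account; the sample output embedded below is constructed and trimmed, not captured from a real account.

```python
"""Posture check for the storage account settings chosen in this guide, run over the
JSON that `az storage account show -n <name> -g <rg> -o json` prints.
Hypothetical helper written for this guide, not an Azure tool."""
import json

# What the guide selects, as (dotted json path, expected value, why it matters).
# publicNetworkAccess is listed as the guide sets it at this point; the guide itself
# notes that this may change later, because the Front Door origin has to be reachable.
EXPECTED = [
    ("sku.name", "Standard_LRS", "LRS is enough for a lab; not a production redundancy choice"),
    ("enableHttpsTrafficOnly", True, "plain-HTTP requests to the blob endpoint are refused"),
    ("minimumTlsVersion", "TLS1_2", "TLS 1.0/1.1 clients cannot negotiate"),
    ("allowBlobPublicAccess", False, "no anonymous blob access; the $web static site is unaffected"),
    ("publicNetworkAccess", "Disabled", "blocks direct internet access to the account"),
    ("routingPreference.routingChoice", "InternetRouting", "no Microsoft backbone routing needed"),
    ("accessTier", "Cool", "rarely read lab data; cheaper at rest"),
    ("encryption.keySource", "Microsoft.Storage", "Microsoft-managed keys (MMK)"),
    ("encryption.services.blob.enabled", True, "blob data encrypted at rest"),
    ("encryption.services.file.enabled", True, "file data encrypted at rest"),
]


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing or null."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_storage_account(account, expected=EXPECTED):
    """Return (path, actual, expected, reason) for every setting that deviates."""
    deviations = []
    for path, want, why in expected:
        got = get_path(account, path)
        if got != want:
            deviations.append((path, got, want, why))
    return deviations


def check_storage_account_json(text, expected=EXPECTED):
    """Same check, taking the raw CLI output as a string."""
    return check_storage_account(json.loads(text), expected)


# Constructed, trimmed stand-in for `az storage account show` output on an account
# left at portal defaults: Hot tier, public network access on, no routing preference.
DEFAULT_ACCOUNT_JSON = """{
  "name": "diepiggydiedie",
  "sku": {"name": "Standard_LRS", "tier": "Standard"},
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "allowBlobPublicAccess": true,
  "publicNetworkAccess": "Enabled",
  "routingPreference": null,
  "accessTier": "Hot",
  "encryption": {"keySource": "Microsoft.Storage",
                 "services": {"blob": {"enabled": true}, "file": {"enabled": true}}}
}"""


def hardened_account():
    """The same constructed account after the guide's settings are applied."""
    account = json.loads(DEFAULT_ACCOUNT_JSON)
    account.update({
        "allowBlobPublicAccess": False,
        "publicNetworkAccess": "Disabled",
        "routingPreference": {"routingChoice": "InternetRouting"},
        "accessTier": "Cool",
    })
    return account


if __name__ == "__main__":
    for path, got, want, why in check_storage_account_json(DEFAULT_ACCOUNT_JSON):
        print(f"{path}: {got!r} (expected {want!r}) - {why}")
    print("hardened deviations:", check_storage_account(hardened_account()))
```

Run it against your own account by piping the CLI output into `check_storage_account_json`; an empty list means the account matches the guide. Blob versioning lives on the blob service properties rather than on the account resource, so it is not part of this check.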



Create a temporary file in the $web for testing

For this you will need to go to the storage account and then navigate to Containers.



You will then need to click on the $web container; this is where your HTML will be stored. For this example we need a simple HTML file to test that it works throughout this guide, which will look like this:


Notice you have no files here at all, so let's fix that. As you are using the portal from the desktop, create a new HTML file with this as the contents:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Front Door test</title>
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
  <tr>
    <!-- Remove the next line if you don't want the Red bar on the left side -->
    <td style="background:#ff0000;padding:5pt 2pt 5pt 2pt"></td>
    <!-- Padding is set in the style attribute; cellpadding is not valid on a td -->
    <td width="100%" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word;font-family: Verdana">
      <div style="color:#FF0000;">
        <span style="color:#FF0000; font-weight:bold;font-family: Verdana">ALERT:</span> This is a test of the Front Door service, no action is required
      </div>
    </td>
  </tr>
</table>
<br />
</body>
</html>


This file needs to be saved as index.html. Then, from the portal in the $web container, click on the Upload button:

Then drag and drop the index.html into the upload window; it should look like this, and if it does click the Upload button:



Your file listing should now look like this:


This confirms you have uploaded the index.html. Finally, you now need to navigate back to Static website and set the index document to "index.html" from <blank>, like this:


Now to test that it all works, use a browser to navigate to the Primary endpoint URL, which in this case is https://diepiggydiedie.z5.web.core.windows.net/


This confirms the storage account works as it should, yayyy!

Create the Front Door

We now need to create the Front Door in Azure. For this, navigate back to the portal and click "Front Door and CDN profiles":



You then want to create one, from the Create button...



Then you need the "Front Door" service....



You will then need "Quick Create"



You will then need to give it a resource group, then a name, and we require the "Standard" tier for this example:

You will then need to give the service an endpoint name, which will end with azurefd.net for now, until later on when we add a custom domain. Then the Origin type will be Storage (static website) and the hostname will be that of the storage endpoint we got earlier.

We do not require caching for this example, and the WAF policy will be left blank for now; that comes later on in this guide.


Once you have this all set up you can let it "cook" in Azure; give it a minute or two to deploy, then when you go back to Front Door you will see it there, ready to use, like this:


Now we have the Front Door set up, we need to test the service out. If you go into the service and look for Endpoints you will see a URL, so let's give that a whirl right now, shall we......



That means the URL https://piggy-fqeeeebxcmefc2es.z01.azurefd.net should show the same contents as the storage endpoint, and as you can see it does:


This proves the basic setup is working, which is all good.

Add a custom domain to the Front Door

NOTICE: You cannot add root domains using Front Door, as the CNAME record you need to create cannot be placed at the root (apex) of the domain.

Now we need to add the domain www.diepiggydiedie.com to the Front Door. For that, from the Front Door service, add a new domain as below:



Then you need to add your domain as a non-Azure validated domain using other (non-Azure) DNS services; for now go with a managed HTTPS certificate (again, for now), and I require a minimum of TLS 1.2, to stop the nasty IE traffic.


Verify the Domain

Once added, you will notice it is not verified, so you need to verify this domain to allow it to work; it will also show as Unassociated:


So let's get that fixed; click on the Pending validation state:


You will be given the DNS record you need to create; you can see from below that we require a TXT record for our domain.......



If we check with Google Dig, you will notice this record is not there:



You now need to add the DNS record to the DNS servers for that domain, then we can use Google Dig to confirm it's all there and happy.......as below.......

Associate the Domain

Now we need to link the domain to our Front Door service; to complete this, click on the "Unassociated" status......



This will give you the option to link it to endpoints and routes, as below:



Once linked, you are done.....

Check Domain and Association

Now check your Domain and Association state; you will see they are now Approved and linked to the Endpoint, which is good.


CNAME record update

Now you need to update the CNAME record to point at the Front Door; the portal outlines this here, as it has not yet detected the CNAME record:


You then need to publish the CNAME to your DNS. This shows the CNAME and the TXT record, but notice the TXT record is at _dnsauth.www, which is required for this to work.....



NOTICE: If you try to add a CNAME to the root domain, this is what you get......

Once your CNAME record has replicated you will notice that the certificate is now valid and the DNS state shows as "traffic delivered", which looks good.......
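Between the "Pending validation" step and the CNAME replication above, a good deal of time is spent refreshing the portal and Google Dig. The following is an added example written for this guide, not an Azure tool: it checks the two records Front Door asked for (the _dnsauth TXT record with the validation token, and the www CNAME pointing at the *.azurefd.net endpoint) and refuses the zone apex outright, which is the NOTICE above expressed as code. The resolver is injected so the logic runs offline here against constructed records; `dnspython_resolver` (which needs the dnspython package) is the hypothetical live lookup. The endpoint hostname is the one from this guide; the validation token in the sample is a made-up placeholder.

```python
"""Checks for the DNS records Azure Front Door expects when a custom domain is added:
a _dnsauth.<host> TXT record proving ownership, and a CNAME from <host> to the
*.azurefd.net endpoint. Hypothetical helper written for this guide, not an Azure tool."""
from dataclasses import dataclass, field

AZUREFD_SUFFIX = ".azurefd.net"


@dataclass
class CheckResult:
    ok: bool
    findings: list = field(default_factory=list)


def check_custom_domain_dns(host, zone, validation_token, endpoint_host, resolve):
    """Validate the records for `host` (e.g. www.diepiggydiedie.com) inside `zone`.

    resolve(name, rtype) -> list of record values as strings (TXT text, CNAME targets),
    or [] when the name has no such record.
    """
    host = host.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    endpoint_host = endpoint_host.rstrip(".").lower()
    findings = []

    # A CNAME cannot coexist with the SOA/NS records the zone apex must carry,
    # which is why the portal only accepts subdomains such as www.
    if host == zone:
        return CheckResult(False, [f"fail: {host} is the zone apex; use a subdomain such as www.{zone}"])
    if not host.endswith("." + zone):
        return CheckResult(False, [f"fail: {host} is not inside zone {zone}"])

    # 1. Ownership proof: TXT at _dnsauth.<host> carrying the token from the portal.
    auth_name = f"_dnsauth.{host}"
    txt_values = [v.strip('"') for v in resolve(auth_name, "TXT")]
    if validation_token in txt_values:
        findings.append(f"ok: {auth_name} TXT carries the validation token")
    elif txt_values:
        findings.append(f"fail: {auth_name} TXT present but the token does not match ({txt_values})")
    else:
        findings.append(f"fail: {auth_name} TXT not published yet")

    # 2. Traffic: CNAME at <host> pointing at the Front Door endpoint.
    if not endpoint_host.endswith(AZUREFD_SUFFIX):
        findings.append(f"fail: {endpoint_host} is not a {AZUREFD_SUFFIX} endpoint")
    cnames = [c.rstrip(".").lower() for c in resolve(host, "CNAME")]
    if endpoint_host in cnames:
        findings.append(f"ok: {host} CNAME -> {endpoint_host}")
    elif cnames:
        findings.append(f"fail: {host} CNAME points at {cnames[0]}, expected {endpoint_host}")
    else:
        findings.append(f"fail: {host} has no CNAME record")

    return CheckResult(all(f.startswith("ok:") for f in findings), findings)


def static_resolver(records):
    """Build a resolve() over a dict {(name, rtype): [values]} of constructed records."""
    def resolve(name, rtype):
        return list(records.get((name.rstrip(".").lower(), rtype.upper()), []))
    return resolve


def dnspython_resolver(name, rtype):
    """Live lookup via dnspython (pip install dnspython); [] on NXDOMAIN or no answer."""
    import dns.resolver  # imported here so the offline checks do not need it
    try:
        answer = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    if rtype.upper() == "TXT":
        return [b"".join(r.strings).decode() for r in answer]
    return [r.target.to_text() for r in answer]


# Constructed sample of what the zone should serve once both records are published.
# The token is a placeholder, not a real Front Door validation value.
SAMPLE_ZONE = {
    ("_dnsauth.www.diepiggydiedie.com", "TXT"): ["example-validation-token-0000"],
    ("www.diepiggydiedie.com", "CNAME"): ["piggy-fqeeeebxcmefc2es.z01.azurefd.net."],
}

if __name__ == "__main__":
    result = check_custom_domain_dns("www.diepiggydiedie.com", "diepiggydiedie.com",
                                     "example-validation-token-0000",
                                     "piggy-fqeeeebxcmefc2es.z01.azurefd.net",
                                     static_resolver(SAMPLE_ZONE))
    print(result.ok, *result.findings, sep="\n")
```

For a live check, pass `dnspython_resolver` in place of the static resolver and the token shown on the Pending validation page; the findings tell you which of the two records is still missing rather than leaving you to guess from a portal state that has not refreshed.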



This should mean that Azure has generated the SSL certificate for your domain now that it is approved, so if you run this in Nmap:

nmap --script=ssl-cert.nse -p 443 www.diepiggydiedie.com

You will notice that Azure has now generated the certificate for your domain, issued via GeoTrust, as you can see here......
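The same inspection the ssl-cert Nmap script performs above can be scripted, with the TLS 1.2 minimum chosen for the custom domain enforced on the client side as well. The following is an added example written for this guide, not an Nmap or Azure tool: `fetch_cert` needs network access, while the hostname matching and expiry arithmetic work on the dict that `ssl.SSLSocket.getpeercert()` returns, so they are exercised here on a constructed certificate description (issuer and dates made up; only the www hostname comes from this guide).

```python
"""Scripted certificate check for the custom domain, enforcing TLS 1.2 as the floor.
Hypothetical helper written for this guide, not an Azure or Nmap tool."""
import socket
import ssl


def fetch_cert(hostname, port=443, timeout=5.0):
    """TLS-connect with TLS 1.2 as the minimum and return getpeercert()'s dict.
    A server that only offers TLS 1.0/1.1 fails the handshake here, which is the
    behaviour the Front Door minimum-version setting promises for the domain."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _rdn_value(name_seq, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples getpeercert() uses."""
    for rdn in name_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers_hostname(cert, hostname):
    """Match hostname against the DNS SANs, honouring a single left-most wildcard label.
    The subject CN is deliberately ignored; browsers stopped trusting it years ago."""
    hostname = hostname.rstrip(".").lower()
    for san in san_dns_names(cert):
        san = san.lower()
        if san == hostname:
            return True
        if san.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == san[2:]:
                return True
    return False


def days_until_expiry(cert, now):
    """Whole days left on the certificate relative to `now` (epoch seconds, UTC)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def describe_cert(cert, hostname, now):
    """Summary of the fields worth eyeballing after a managed certificate is issued."""
    return {
        "subject_cn": _rdn_value(cert.get("subject", ()), "commonName"),
        "issuer_cn": _rdn_value(cert.get("issuer", ()), "commonName"),
        "sans": san_dns_names(cert),
        "covers_hostname": cert_covers_hostname(cert, hostname),
        "days_left": days_until_expiry(cert, now),
    }


# Constructed stand-in for the managed certificate issued for the www host.
# Issuer and dates are made up for the example; only the hostname is from the guide.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.diepiggydiedie.com"),),),
    "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example TLS CA"),)),
    "subjectAltName": (("DNS", "www.diepiggydiedie.com"),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jul 10 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    import sys
    import time
    host = sys.argv[1] if len(sys.argv) > 1 else "www.diepiggydiedie.com"
    print(describe_cert(fetch_cert(host), host, time.time()))
```

Note that the sample certificate covers www only, so `cert_covers_hostname` returns False for the bare diepiggydiedie.com; that matches the earlier NOTICE that the root domain is not added to Front Door, and it is the check that catches a CNAME accidentally published for a name the certificate does not list.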



This means that if you point your browser at the website you will get the HTML from the storage blob in static website mode, which means you have set up this service for a website of your choice.
