|
1 | 1 | ---
|
2 |
| -title: Reliable file uploading to Azure Storage Blob through Azure Front Door |
3 |
| -description: Learn how to use Front Door with storage blobs for mission critical content upload, enabling a secure, reliable, and scalable architecture. |
| 2 | +title: Reliable file upload to Azure Storage Blob through Azure Front Door |
| 3 | +description: Learn how to use Azure Front Door with Azure Storage Blob for the upload of mission critical content to enable a secure, reliable, and scalable architecture. |
4 | 4 | services: front-door
|
5 | 5 | author: kostinams
|
6 | 6 | ms.service: frontdoor
|
7 | 7 | ms.topic: conceptual
|
8 |
| -ms.date: 05/03/2024 |
| 8 | +ms.date: 05/10/2024 |
9 | 9 | ms.author: irkostin
|
10 | 10 | ms.reviewer: hmb
|
11 | 11 | ---
|
12 | 12 |
|
13 |
| -# Reliable file uploading to Azure Storage Blob through Azure Front Door |
| 13 | +# Reliable file upload to Azure Storage Blob through Azure Front Door |
14 | 14 |
|
15 |
| -Uploading files to Azure Storage through Azure Front Door brings certain advantages, including higher resiliency, scalability and extra security, such as scanning of uploaded content with WAF and using custom TLS certificate for storage accounts. |
16 |
| - |
17 |
| -In this reference architecture, you deploy multiple storage accounts and Front Door profile with multiple origins. By using multiple storage accounts for uploaded content, you improve performance, reliability and able to achieve load distribution/sharding by having different clients use storage accounts in different orders. |
| 15 | +Utilizing Azure Front Door to upload files to Azure Storage offers many benefits, including enhanced resiliency, scalability, and extra security measures. These measures include the scanning of uploaded content with Web Application Firewall (WAF) and the use of custom Transport Layer Security (TLS) certificates for storage accounts. |
18 | 16 |
|
19 | 17 | ## Architecture
|
20 | 18 |
|
21 | 19 | 
|
22 | 20 |
|
23 |
| -In this reference architecture, you deploy multiple storage accounts and Azure Front Door profile with multiple origins. You deploy as well Azure App Service to host API, and Azure Service Bus queue. |
| 21 | +In this reference architecture, multiple Azure storage accounts and an Azure Front Door profile with various origins are deployed. Utilizing multiple storage accounts for content upload improve performance and reliability and facilitates load distribution by having different clients use storage accounts in different orders. You deploy as well Azure App Service to host API, and Azure Service Bus queue. |
24 | 22 |
|
25 | 23 | ## Dataflow
|
26 | 24 |
|
27 |
| -Data flows through the scenario as follows: |
| 25 | +The dataflow in this scenario is as follows: |
28 | 26 |
|
29 |
| -1. The client app calls a web-based API and retrieves a list of multiple upload locations. For each file that the client uploads, the API generates a list of possible upload locations, with one in each of the existing storage accounts. Each URL contains a Shared Access Signature, ensuring that the URL can only be used to upload to the designated blob URL. |
30 |
| -2. The client app attempts to upload a blob using first URL from the list returned by API. The client establishes a secure connection to Azure Front Door by using a custom domain name and custom TLS certificate. |
31 |
| -3. The Front Door web application firewall (WAF) scans the request. If the WAF determines the request's risk level is too high, it blocks the request and Front Door returns an HTTP 403 error response. Otherwise the request is routed to the desired storage account. |
32 |
| -4. File is uploaded into Azure Storage account. If this request fails, the client app will have to try to upload to an alternative storage account using next URL from the list returned by API. |
33 |
| -5. The client app notifies API that the file was uploaded |
34 |
| -6. API puts an item on Service Bus queue for further processing of uploaded file. |
| 27 | +1. The client app initiates a web-based API, retrieving a list of multiple upload locations. For each file that the client uploads, the API generates a list of possible upload locations, with one in each of the existing storage accounts. Each URL contains a Shared Access Signature (SAS), ensuring the exclusive use of the URL for uploading to the designated blob URL. |
| 28 | +2. The client application attempts to upload a blob using first URL from the list returned by API. The client establishes a secure connection to Azure Front Door by using a custom domain name and custom TLS certificate. |
| 29 | +3. The Azure Front Door WAF scans the request. If the WAF determines the request's risk level is too high, it blocks the request and Azure Front Door returns an HTTP 403 error response. If not, the request is routed to the desired storage account. |
| 30 | +4. The file is uploaded into Azure Storage account. If this request fails, the client application will attempt to upload to an alternative storage account using next URL in the list returned by the API. |
| 31 | +5. The client application notifies the API that the file upload is complete. |
| 32 | +6. The API places an item in Azure Service Bus queue for further processing of uploaded file. |
35 | 33 |
|
36 | 34 | ## Components
|
37 | 35 |
|
38 |
| -- Azure App Service generates upload URLs and SAS for blobs. |
39 |
| -- Azure Front Door receives connections from clients, scans them with the WAF, routes the upload request to Azure storage account. |
40 |
| -- Azure Storage stores uploaded files in blobs. |
41 |
| -- Azure Service bus used as a queue to trigger further processing of uploaded content |
| 36 | +- Azure App Service is responsible for generating the upload URLs and SAS for blobs. |
| 37 | +- Azure Front Door handles client connections, scans them with the WAF, and routes the upload request to Azure storage account. |
| 38 | +- Azure Storage is utilized for storing uploaded files in blobs. |
| 39 | +- Azure Service Bus serves as a queue to trigger further processing of uploaded content. |
42 | 40 |
|
43 | 41 | ## Scenario details
|
44 | 42 |
|
45 |
| -Often the responsibility of file upload is put on the API or backend systems. By having the client app directly upload JSON files into blob storage, we make sure that the compute resource (the API layer handling the uploads from the client) is not the bottleneck in terms of performance, and we bring down the costs of the overall solution since now API is not spending compute time on uploading the files. |
46 |
| - |
47 |
| -It is the API's responsibility to make sure that the files are distributed evenly between storage accounts. That means that it's required to define logic to prioritize storage accounts which should be used by client applications by default. |
| 43 | +Often the responsibility of file upload is assigned to the API or backend systems. However, by enabling the client application to directly upload JSON files into blob storage, we ensure that the compute resource (the API layer handling the uploads from the client) isn't the bottleneck. This approach also reduces the overall cost, since the API no longer expends compute time on file uploads. |
48 | 44 |
|
49 |
| -Utilizing Azure Front Door with Azure Storage accounts enables customers to have a single point of entry (a single domain) for uploading content. |
| 45 | +The API is responsible for ensuring an even distribution of files across storage accounts. This implies that you must define a logic to determine the default storage account for the client application to use. |
50 | 46 |
|
51 |
| -### Azure Front Door configuration with multiple origins as Azure Storage accounts |
| 47 | +The combination of Azure Front Door and Azure Storage accounts provides a single point of entry (a single domain) for content upload. |
52 | 48 |
|
53 |
| -Azure Front Door configuration includes the following steps: |
| 49 | +### Azure Front Door configuration with multiple storage account origins |
54 | 50 |
|
55 |
| -- Origin configuration (one per each storage account) |
| 51 | +The configuration of Azure Front Door includes the following steps for each storage account: |
56 | 52 |
|
57 |
| -- Route configuration (one per each storage account) |
| 53 | +- Origin configuration |
| 54 | +- Route configuration |
| 55 | +- Rule set configuration |
58 | 56 |
|
59 |
| -- Rule set configuration (one per each storage account) |
| 57 | +1. In the *origin configuration*, you need to define the origin type as a blob storage account and select the appropriate storage account available within your subscription. |
60 | 58 |
|
61 |
| -In the *origin configuration*, you need to specify the origin type as a blob storage account and select the appropriate storage account available within your subscription. |
| 59 | + :::image type="content" source="./media/scenario-storage-blobs-upload/origin.png" alt-text="Screenshot of the origin configuration."::: |
62 | 60 |
|
63 |
| - |
| 61 | +1. In the *Origin group route*, you have to define a path for processing with in the origin group. Ensure to select the newly created origin group and specify the path to the container within the storage account. |
64 | 62 |
|
65 |
| -When configuring the *Origin group route*, you have to specify a path that will be processed for this origin group and make sure to select the newly created origin group and specify the path to the container inside the storage account. |
| 63 | + :::image type="content" source="./media/scenario-storage-blobs-upload/route-configuration.png" alt-text="Screenshot of the route configuration."::: |
66 | 64 |
|
67 |
| - |
| 65 | +1. Finally, you need to create a new Rule set configuration. It's important to configure *Preserve unmatched path* setting, which allows appending the remaining path after the source pattern to the new path. |
68 | 66 |
|
69 |
| -Finally, you need to create a new Rule set configuration. It is important to configure *Preserve unmatched path* setting which allows to append the remaining path after the source pattern to the new path. |
70 |
| - |
71 |
| - |
| 67 | + :::image type="content" source="./media/scenario-storage-blobs-upload/rule-set.png" alt-text="Screenshot of the rule set configuration."::: |
72 | 68 |
|
73 | 69 | ## Considerations
|
74 | 70 |
|
75 | 71 | ### Scalability and performance
|
76 | 72 |
|
77 |
| -Proposed architecture allows you to achieve horizontal scalability by using multiple storage accounts for uploaded content. |
| 73 | +The proposed architecture allows you to achieve horizontal scalability by using multiple storage accounts for content upload. |
78 | 74 |
|
79 | 75 | ### Resiliency
|
80 | 76 |
|
81 |
| -Front Door is a highly available service, and because of its globally distributed architecture, it's resilient to failures of single Azure regions and PoPs. |
82 |
| -By using multiple storage accounts in different regions this architecture increases resiliency and helps to achieve load distribution/sharding by having different clients use storage accounts in different orders. |
| 77 | +Azure Front Door, with its globally distributed architecture, is a highly available service that is resilient to failures of a single Azure region and Point of Presence (PoPs). |
| 78 | +This architecture, which deploys multiple storage accounts in different regions, increases resiliency and helps to achieve load distribution by having different clients using storage accounts in different orders. |
83 | 79 |
|
84 | 80 | ### Cost optimization
|
85 | 81 |
|
86 |
| -The cost structure of Azure Storage allows you to create as many storage accounts, as required without increasing the costs of the solution. The costs are affected by the amount and size of the files stored. |
| 82 | +The cost structure of Azure Storage allows for creation of any amount of storage account as required without increasing the costs of the solution. The amount and size of the stored files affect the costs. |
87 | 83 |
|
88 | 84 | ### Security
|
89 | 85 |
|
90 |
| -By using Azure Front Door you are benefiting from security features, such as DDoS protection (the default Azure infrastructure DDoS protection, which monitors and mitigates network layer attacks in real-time by using the global scale and capacity of Front Door’s network), as well as Web Application Firewall (WAF) which defends your web services against common exploits and vulnerabilities. You can also use the Front Door WAF to perform rate limiting and geo-filtering if you require those capabilities. |
| 86 | +By using Azure Front Door you're benefiting from security features, such as DDoS protection. The default Azure infrastructure DDoS protection, which monitors and mitigates network layer attacks in real-time by using the global scale and capacity of Azure Front Door’s network. The use of Web Application Firewall (WAF) protects your web services against common exploits and vulnerabilities. You can also use Azure Front Door WAF to perform rate limiting and geo-filtering if your application requires those capabilities. |
91 | 87 |
|
92 |
| -It is also possible to secure Azure Storage accounts by using Private Link. The storage account can be configured to deny direct access from the internet, and to only allow requests through the private endpoint connection used by Azure Front Door. This configuration ensures that every request gets processed by Front Door, and avoids exposing the contents of your storage account directly to the internet. However, this configuration requires the premium tier of Azure Front Door. If you use the standard tier, your storage account must be publicly accessible. |
| 88 | +It's also possible to secure Azure Storage accounts by using Private Link. The storage account can be configured to deny direct access from the internet, and to only allow requests through the private endpoint connection used by Azure Front Door. This configuration ensures that every request gets processed by Front Door, and avoids exposing the contents of your storage account directly to the internet. However, this configuration requires the premium tier of Azure Front Door. If you use the standard tier, your storage account must be publicly accessible. |
93 | 89 |
|
94 | 90 | ### Custom domain names
|
95 | 91 |
|
96 |
| -Front Door supports custom domain names, and can issue and manage TLS certificates for those domains. By using custom domains, you can ensure that your clients receive files from a trusted and familiar domain name, and that TLS encrypts every connection to Front Door. When Front Door manages your TLS certificates, you avoid outages and security issues due to invalid or outdated TLS certificates. |
| 92 | +Azure Front Door supports custom domain names, and can issue and manage TLS certificates for those domains. By using custom domains, you can ensure that your clients receive files from a trusted and familiar domain name, and that TLS encrypts every connection to Front Door. When Front Door manages your TLS certificates, you avoid outages and security issues due to invalid or outdated TLS certificates. |
| 93 | + |
97 | 94 | Azure Storage also supports custom domain names, but doesn't support HTTPS when using a custom domain. Front Door is the best approach to use a custom domain name with a storage account.
|
98 | 95 |
|
99 | 96 | ## Deploy this scenario
|
100 | 97 |
|
101 |
| -To deploy this scenario by using Bicep, [see this quickstart](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-storage-blobs-private-link). |
| 98 | +To deploy this scenario by using Bicep, see deploy [Azure Front Door Premium with blob origin and Private Link](/samples/azure/azure-quickstart-templates/front-door-premium-storage-blobs-private-link/). |
102 | 99 |
|
103 | 100 | ## Next steps
|
104 | 101 |
|