Azure CDN is a cloud service provided by Microsoft Azure which can help you deliver your assets across the globe from global distributed network of Edge/POP (point of presence) servers available near your location. Since this offering is provided as part of Microsoft Azure services, it becomes very appealing if you are invested in Azure. The price is also very aggressive.
In this blog post I will cover some interesting details of using Authentication/Authorization for your CDN content and will show you how you can abstract the physical path of your content and map it to the logical path of request using URL Rewrite rules using the CDN Rule Engine.
Most of the features I am covering in this blog is at the moment available only with the Premium Verizon (P1) SKU. You can see the differences below. It is possible that in near future we will have more SKUs or existing ones updated with additional features.
Provisioning a new CDN Profile with one or more endpoints is fairly straight forward. You can do it in Azure Portal with a few clicks. However, I am a strong proponent of standardization and automation. We use ARM templates for provisioning all our services and infrastructures in Azure using an idempotent predictable CI/CD pipeline. Like all other templates, there are quick start templates for Azure CDN as well on Github. You can find it here.
Azure CDN Endpoints require an origin server which is the ultimate source of all your assets you want to deliver via CDN. Each endpoint can have only one origin server. In our case, we use Azure Storage(Blob) but you have option to use custom locations. This is the source from where the CDN POP servers would access the data before caching it locally.
Once you have provisioned your Azure CDN Profile for Premium Verizon SKU, you can get into it and see a link at the top.
Clicking on this “Manage” link leads us to a page which allows us to author custom CDN rules and also create an encrypted token or decrypt an existing token. Let’s drill down a little more in the features.
Rules Engine (how to guide)
This is a feature we use heavily for enforcing token authorization. We also use it to abstract the actual path of our assets and map it to a more user friendly request path. First step is to go to the Rules Engine. A detailed overview is provided in the how to guide above.
To enable “Token” based authentication set it as the first rule.
To be able to generate your own tokens, you can use the ECToken library from Verizon on Github. This library is available in many programming languages. Tokens can be generated with some additional attributes like a validity duration, asset paths for which it is valid, countries allowed/denied, protocol allowed/denied, ip allowed/denied etc. More details are available here.
To abstract your asset path, you can use URL Rewrite rule where you can use regular expression with capture groups and use it to map the url with the actual asset.
An example would be that a url path like /employee/Abhishek.xml can be mapped to /employee/assets/details/Abhishek/info.xml which is the actual blob path in the origin server.
Rules Engine is very powerful and addresses plethora of use cases. I would strongly recommend going through the following video to see a brief overview of new features in Azure CDN which includes Rules Engine.
A token based CDN access has given global scale to our asset delivery capability and at the same time it also ensures that our assets are not available to unauthorized users. Our URL Rewrite rules allow a friendly predictable asset path which the customer can use to access the blobs in our storage through CDN. We also preload the assets using the APIs of the Azure CDN to ensure there is no first hit penalty for our customers and they are always served warmed assets across the globe.
Azure CDN has a lot of features and I have tried to give a high level overview here which I am using. I hope this allows you to make an informed decision if you want to use the CDN offering of Azure. Please feel free to ask questions and show your appreciation.