
Using Azure CDN with Shared Access Signatures

I'm trying to incorporate Azure to store the majority of my files for an application. I want to upload these files to a private container and private blob in Azure, and have those uploads copied through the Azure CDN to all of the other nodes (still as private containers and blobs). I then want my application to make a request to a stored blob, and give me the shared access signature link to the blob for a period of time. However, I want the link generated to be given for the closest datacenter to the user. I will have the SAS be generated each time a blob is needed, but I need to be able to use the SAS option across the CDN. Is this even possible with Azure or can I only use SAS with one data center?

Edit: I would want our CDN to act as if it's a copy of our main data center, so I don't want the CDN objects to ever be removed unless they are removed from the main data center. If I do create an SAS and throw it on the end of the CDN URL, if the expiration date on the SAS has passed, but not the cache duration, would the user be able to come back and access the file?

Here's my example:

  • Cache Duration: 5 days
  • Azure Storage URL: http://azstorage.blob.core.windows.net/images/img1.jpg
  • CDN Endpoint: http://az507923.vo.msecnd.net/
  • Azure Storage SAS parameter: ?st=2015-03-30T19%3A21%3A09Z&se=2015-04-01T20%3A21%3A09Z&sr=c&sp=r&sig=STTE1p0ujzZr31ZjPaOlNoImCPcjss2GoRsOWDlpJuI%3D
  • Final CDN URL: http://az507923.vo.msecnd.net/images/img1.jpg?st=2015-03-30T19%3A21%3A09Z&se=2015-04-01T20%3A21%3A09Z&sr=c&sp=r&sig=STTE1p0ujzZr31ZjPaOlNoImCPcjss2GoRsOWDlpJuI%3D

Obviously the user could access this URL until 4/1/2015, but what if they come back on 4/2/2015, would they still have access?

Also, say I do set the cache control header of the blob to expire at the same time as the SAS URL, which is also after the cache duration. I then have a user come back for that same blob on 4/8/2015, we would generate a new SAS and give it to the user, would the blob still be on the CDN or would the cache control header delete it from the CDN?

SchaF asked Mar 13 '15 18:03


1 Answer

You can use SAS URLs with the CDN. All you need to do is provide the correct SAS signature appended to the CDN URL.

It would look like:

  • Azure Storage URL: http://azstorage.blob.core.windows.net/images/img1.jpg
  • CDN Endpoint: http://az507923.vo.msecnd.net/
  • Azure Storage SAS parameter: ?st=2015-09-17T19%3A21%3A09Z&se=2015-09-17T20%3A21%3A09Z&sr=c&sp=r&sig=STTE1p0ujzZr31ZjPaOlNoImCPcjss2GoRsOWDlpJuI%3D
  • Final CDN URL: https://az507923.vo.msecnd.net/images/img1.jpg?st=2015-09-17T19%3A21%3A09Z&se=2015-09-17T20%3A21%3A09Z&sr=c&sp=r&sig=STTE1p0ujzZr31ZjPaOlNoImCPcjss2GoRsOWDlpJuI%3D

Some caveats with this approach:

  • Anybody with this URL can access the file, so you would have to have a mechanism to keep this URL private. This also means that if the URL leaks out then anybody can access the file so you have to determine if this is an acceptable level of security.
  • The CDN will cache the object using the full URL including SAS, so the cached object will be valid for the cache duration which is 7 days by default. This means that you need to make sure you set the cache control headers on the blob to be the same duration as your SAS URL so that the cached CDN object will expire at the same time as the SAS URL.
kwill answered Oct 18 '22 15:10
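
The second caveat in the answer, worked through with the question's sample values, as an added example that is not part of the original answer: it parses the SAS `se` expiry, builds the CDN URL, derives a matching `Cache-Control` value, and computes how long a CDN copy would stay cached after the SAS has expired. The function names are hypothetical, and the code assumes `se` uses the `YYYY-MM-DDTHH:MM:SSZ` form shown on the page.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Sample values copied from the question above.
STORAGE_URL = "http://azstorage.blob.core.windows.net/images/img1.jpg"
CDN_ENDPOINT = "http://az507923.vo.msecnd.net/"
SAS = ("?st=2015-03-30T19%3A21%3A09Z&se=2015-04-01T20%3A21%3A09Z"
       "&sr=c&sp=r&sig=STTE1p0ujzZr31ZjPaOlNoImCPcjss2GoRsOWDlpJuI%3D")


def sas_expiry(sas_query):
    """Return the SAS 'se' (signed expiry) as an aware UTC datetime."""
    fields = parse_qs(sas_query.lstrip("?"))  # also decodes %3A to ':'
    if "se" not in fields:
        raise ValueError("SAS query has no 'se' expiry field")
    # Assumption: expiry uses the full YYYY-MM-DDTHH:MM:SSZ form seen on the page.
    expiry = datetime.strptime(fields["se"][0], "%Y-%m-%dT%H:%M:%SZ")
    return expiry.replace(tzinfo=timezone.utc)


def cdn_url(storage_url, cdn_endpoint, sas_query):
    """Keep the blob path and the raw SAS query, swap in the CDN host."""
    cdn = urlsplit(cdn_endpoint)
    path = urlsplit(storage_url).path
    return urlunsplit((cdn.scheme, cdn.netloc, path, sas_query.lstrip("?"), ""))


def cache_control_for(sas_query, now):
    """Cache-Control value that stops caching no later than the SAS expiry.

    max-age counts from the moment the CDN fetches the blob, so 'now' should
    be the fetch time; if the CDN fetches later, its copy outlives the SAS
    by that delay.
    """
    remaining = int((sas_expiry(sas_query) - now).total_seconds())
    return "max-age=%d" % remaining if remaining > 0 else "no-store"


def exposure_seconds(sas_query, cached_at, cache_ttl_seconds):
    """Seconds a CDN copy stays cached after the SAS itself has expired."""
    cache_end = cached_at + timedelta(seconds=cache_ttl_seconds)
    return max(0, int((cache_end - sas_expiry(sas_query)).total_seconds()))


if __name__ == "__main__":
    fetched = datetime(2015, 3, 30, 19, 21, 9, tzinfo=timezone.utc)  # constructed
    print(cdn_url(STORAGE_URL, CDN_ENDPOINT, SAS))
    print(cache_control_for(SAS, fetched))
    print(exposure_seconds(SAS, fetched, 5 * 86400), "s cached past SAS expiry")
```

With the question's 5-day cache duration and a first fetch at the SAS start time, the cached copy outlasts the SAS by 255600 seconds (71 hours); with the computed `max-age=176400` the two end together.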