I have an SPA webapp deployed on Azure Blob Storage whose URL is public, e.g. https://example.z23.web.core.windows.net/
I would like to use Azure Front Door with WAF to increase security. Is there a way to block direct access at the blob URL? I googled it and found many answers out there; one of them is to simply allow only the AzureFrontDoor.Backend IPs in the Storage Account networking configuration. I tried it and it worked.
However, this method still has a loophole as anyone can just create a Front Door and point to my blob URL (if they happen to discover it somehow).
(This might sound dumb.) If I proceed with this method and name my storage account randomly, for example using a trimmed-down random GUID (https://6c4a89d5dba04b8fbe1ed7f.z23.web.core.windows.net/), can this reduce the possibility that someone might discover my URL and bypass security?
Another method that Azure recommends is to check for the X-Azure-FDID header, which includes the ID of my particular Front Door instance, and drop requests that don't contain this header. I asked my developer if this is possible in a Vue webapp and he said we would need to include the Front Door ID in the code which runs on the client side, thus exposing the ID to the public anyway. (This is not Stack Overflow, but if someone can suggest anything on this, it would be great.)
Another way I found is to use Azure Front Door Premium SKU which supports connecting to Storage Account using Private Link. This is perfect, but it costs a whopping $165 per month. I'd rather deploy my code on App Service instead as it can natively restrict access from Front Door only.
Can anyone suggest any method on how to achieve this?
Thanks.
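The X-Azure-FDID check the question mentions is performed at the origin, not in the browser: Front Door adds the header to every request it forwards to the backend, and an origin that can run server-side code (the App Service option mentioned above) compares it against its own Front Door ID before serving anything. Because the comparison happens server-side, the ID never has to appear in the Vue bundle. The following is an added example, not code from the question or from Azure: a small WSGI middleware that rejects requests lacking the expected header. The `FRONT_DOOR_ID` environment variable, the placeholder GUID, and the `hello_app` origin are assumptions made for the illustration; the real value is the Front Door ID shown on the profile in the Azure portal.

```python
import hmac
import os
from typing import Mapping

# Assumption for this example: the Front Door ID is supplied via configuration.
# The all-zero GUID below is a constructed placeholder, not a real profile ID.
EXPECTED_FDID = os.environ.get("FRONT_DOOR_ID", "00000000-0000-0000-0000-000000000000")


def is_from_front_door(headers: Mapping[str, str], expected_fdid: str = EXPECTED_FDID) -> bool:
    """Return True only if X-Azure-FDID is present and equals our Front Door ID.

    Header names are matched case-insensitively. The value is compared in
    constant time so a mismatch does not reveal how many characters matched.
    """
    received = None
    for name, value in headers.items():
        if name.lower() == "x-azure-fdid":
            received = value.strip()
            break
    if not received:
        return False
    return hmac.compare_digest(received.encode(), expected_fdid.encode())


def front_door_only(app):
    """WSGI middleware: answer 403 to any request that did not arrive via our Front Door."""

    def wrapped(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>; rebuild a simple mapping.
        headers = {
            key[5:].replace("_", "-"): value
            for key, value in environ.items()
            if key.startswith("HTTP_")
        }
        if not is_from_front_door(headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Direct access to the origin is not allowed.\n"]
        return app(environ, start_response)

    return wrapped


def hello_app(environ, start_response):
    # Hypothetical origin application standing in for the real SPA backend.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served via Front Door\n"]


# The wrapped application is what the WSGI server (App Service, gunicorn, ...) loads.
application = front_door_only(hello_app)


def handle(environ) -> tuple:
    """Run one request through the guarded application; returns (status, body)."""
    captured = []

    def start_response(status, response_headers):
        captured.append(status)

    body = b"".join(application(environ, start_response))
    return captured[0], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    with make_server("127.0.0.1", 8000, application) as server:
        server.serve_forever()
```

This complements, rather than replaces, the AzureFrontDoor.Backend IP allow-list from the question: the allow-list limits who can reach the origin to the Front Door service as a whole, and the header check narrows that down to one specific Front Door profile.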