Configuring a Hidden CDN SAS Token Using a Rewrite Rule

When you set up a storage account for Azure Content Delivery Network (CDN) to use to cache content, by default anyone who knows the URLs for your storage containers can access the files that you’ve uploaded. To protect the files in your storage account, you can set the access of your storage containers from public to private. However, if you do so, no one will be able to access your files.

If you want to grant limited access to private storage containers, you can use the Shared Access Signature (SAS) feature of your Azure storage account. A SAS is a URI that grants restricted access rights to your Azure Storage resources without exposing your account key. You can provide a SAS to clients that you do not trust with your storage account key but to whom you want to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time.

With a SAS, you can define various parameters of access to a blob, such as start and expiry times, permissions (read/write), and IP ranges.

This blog post shows how to use SAS in conjunction with Azure CDN.

Setting up Azure CDN to work with storage SAS


To start, create a container in your storage account.

You can generate two types of shared access signatures: a service SAS or an account SAS.

In Microsoft Azure Storage Explorer, generate a SAS for your container.

Next to the Query String text box, select Copy to copy it to your clipboard, and then click Close.

Create a new CDN profile


For the CDN profile settings, I use the values specified in the following table:

| Setting | Value |
| --- | --- |
| Name | privateprofile1 |
| Pricing tier | Select Premium Verizon from the drop-down list. |
| CDN endpoint name | privateendpointn |
| Origin hostname | |

Select Create to create the profile.

Select All services, then select CDN profiles.

In the CDN profiles page, select the profile that you want to use.

The CDN profile page appears. From the CDN profile page, select Manage.

The CDN management portal opens.

Select the HTTP Large tab, then select Rules Engine.

The options for a new rule are displayed.

The following sample URL Rewrite rule uses a regular expression pattern





A new rule can take up to 4 hours to propagate.

After the new rule becomes active, anyone can access files in the specified container on the CDN endpoint regardless of whether they’re using a SAS token in the URL. Here is the format:

https://<endpoint hostname>/<container>/<file>
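
The following is an added example, not code from the original post: a Python sketch that mimics a rewrite rule appending a SAS query string to matching paths, and audits the SAS before it is pasted into the rule, since the hidden token is effectively served to every visitor of the endpoint. The source pattern, the container name `container1` and all token values are constructed placeholders; the rule actually used in the post is not shown on this page.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample values: placeholder container, pattern and SAS query string.
SOURCE = r"^/(container1/.*)$"  # assumed pattern with one capturing group
SAS = ("sv=2017-07-29&sr=c&sp=r&st=2017-12-19T09:35:58Z"
       "&se=2027-12-19T17:35:58Z&spr=https&sig=PLACEHOLDER")


def rewrite(path, sas=SAS, source=SOURCE):
    """Mimic the rule: matching paths get the SAS appended, others pass through."""
    m = re.match(source, path)
    if not m:
        return path
    return "/" + m.group(1) + "?" + sas


def audit_sas(sas, now, min_days_left=30):
    """Return findings for a SAS that the CDN will attach to every request."""
    q = {k: v[0] for k, v in parse_qs(sas).items()}
    findings = []
    # A token hidden behind the CDN should grant read (r) or list (l) only.
    extra = set(q.get("sp", "")) - set("rl")
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    # When spr is omitted, Azure Storage accepts both HTTPS and HTTP.
    if q.get("spr", "https,http") != "https":
        findings.append("HTTP allowed (spr is not https-only)")
    if "se" not in q:
        findings.append("no expiry (se) present")
    else:
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        days = (expiry - now).days
        if days < 0:
            findings.append("token expired; CDN origin requests will fail")
        elif days < min_days_left:
            findings.append(f"token expires in {days} days; update the rule before then")
    # Origin requests come from CDN edge servers, not from the end user.
    if "sip" in q:
        findings.append("sip restricts client IPs; CDN edge servers must be inside the range")
    return findings
```

An empty list from `audit_sas` means the token is read-only, HTTPS-only and not close to expiry; the expiry finding is the one to track, because the rule must be updated with a new token before the old one lapses.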

3 thoughts on “Configuring a Hidden CDN SAS Token Using a Rewrite Rule”

  1. Good article. The images are low resolution and details not visible to common eye. Would be nice if the images could be uploaded in higher resolution.


  2. Hi Abou, great article! But I’ve a doubt.. what if you’re using a webapp and CDN, and I want to keep my containers on private access, how can I update my SAS key automatically in order to avoid losing access from the app? Thanks!


  3. This is not working even after waiting for a couple of days. Am I making a mistake? Below is my config for Source and Destination.
    Source: /80XXXXXX/cdn-dev-xxxxxxx/media/(.*)
    Destination: /80XXXXXX/cdn-dev-xxxxxxx/media/$1

