How can I secure the on-demand streaming from Azure Media Services to a specific domain only?
E.g. if you are using the Azure Media Player on www.domain1.com - you can watch the videos, but if you are on www.whatever.com then the video should not play.
Here is what I tried:
Setting CORS on the assigned Azure Storage account - didn't help. All responses seem to have a * cors header.
Setting up IP restrictions on the Streaming Endpoint - didn't help.
I could still stream a video from different machines using the azure media player demo page.
https://ampdemo.azureedge.net/azuremediaplayer.html?url=my_url_to_ism_manifest
UPDATE on the IP restrictions - it seems it needs some time to take effect. But now I realize it is not a good option, because there is no way to know the IP addresses of all the users of my site.
As far as I understood, the other content protection mechanisms (like fairPlay, widivine, etc.) that AMS support, require having a token, meaning the users should authenticate to my site first.
But I do not want to authenticate the users on my site, I just want the videos to be playable only if you are on my site.
One simple solution would be to enable Azure CDN from Verizon Premium and then use the rules engine capabilities to create a rule that only allows access from your domain. Your second solution of of using IP restrictions on the streaming endpoint would work as long as you aren't enabling Azure CDN for the streaming endpoint. If you aren't able to get this solution to work, I would recommend opening up a support case for further investigation.
Related
I want to limit the access to one of my app services to Azure API Mangement. In order to be independent from a single IP I created the following setting using service-tag-based restriction:
However if I test my API using the Developer Portal I still receive 403 messages.
If I now add a restriction-rule to allow the IP address of the API Management it will work.
The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.
After I contacted the MS support I know can tell an answer to this.
On central message in the answer was
Unfortunately, there is no tag for all of the API Management outbound IP addresses.
The support highlighted that the documentation for service tags points out that
This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.
What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as a XHR-request. This means I would have to add my local IP to the restriction list every time.
The supports suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumpsy. I guess I have to do it now.
In Azure Storage there's a section called Firewalls and Virtual Networks. May I know if I can use it for the following usecase ?
I have a video uploaded to the blob, and I need only a set of selected users who has logged in to the application view my video.
My WebAPI application is hosted as a Azure WebApp. Can I use the IP address where the WebApp is hosted to create a rule in the Firewalls and Virtual network section below to only allow access to Storage if the user request the URL via the WebApp.(Let's say /viewVid/myvideo.mp4 )
In case if the User copies the URL of the Video (by inspecting the HTML code), and paste it on the browser will the user be able to view the video as the request is not coming via the WebApp ?
Note: Overall objective is to prevent a User from copying a URL (by inspecting the HTML code) and downloading or viewing the video.
Firewalls and VNet NSG's will are network level restrictions so they will not give you the user-level restrictions you are looking for. You can use them to limit your surface area but to implement what you are asking for, you need to implement authentication.
Azure Blob Storage supports Shared Key, Shared Access Signatures (SAS), Azure Active Directory (AAD), Active Directory Directory Services (ADDS) and Anonymous public access. The most secure way is to implement AAD with user delegation. If you are not able to store the users for this application in AAD then you should look at SAS. SAS token can be time-bound and restricted to certain IP addresses.
Also, you should take a look at Azure Media Player. Microsoft Azure Media Services (AMS) is an extensible cloud-based platform that enables developers to build scalable media management and delivery applications. Media Services is based on REST APIs that enable you to securely upload, store, encode, and package video or audio content for both on-demand and live streaming delivery to various clients (for example, TV, PC, and mobile devices).
Links
https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-content-protection-overview
I belieave that you can use app service Vnet integration feature for your project to restricted network access to storage account.
I have an Azure Media Service set up with a Premium subscription. I made an Android app which uses VideoView player and requests the multi-bitrate video files over HTTPS using the following format for asset links:
https://example.streaming.mediaservices.windows.net/c2234567-be1a-123c-ca25-e90bfca246da/1227_e3337f7-35ac-43e0-b55c-223e3333662.ism/QualityLevels(421811)/Manifest(video,format=m3u8-aapl)
Until now, I had CDN integration disabled. This worked fine and I never had issues using HTTPS.
However, now I want to enable CDN integration with default settings. When this feature is enabled, it automatically attaches the media service subdomain as a custom domain under the CDN (in this case example.streaming.mediaservices.windows.net). From what I understand, this means I should be able to continue making requests from my Android app to the same URLs as before, except now it will direct those requests to the CDN instead of the media service.
However, what I'm not sure of is whether or not I'll still be able to call those URLs over HTTPS. I see that Azure has a feature for Custom Domains with HTTPS in the works but it doesn't appear to be available yet.
So does the ability to call media service asset URLs over HTTPS carry over after CDN integration, and especially if I'm using the default media service subdomain as my custom domain?
If not, what will happen to the HTTPS calls? Will they receive no response or will they just bypass the CDN?
you should have no issues using HTTPS on CDN enabled Media Services Endpoints.
The Custom Domain HTTPS primarily refers to vanity urls like "blizz.com", which is not currently supported.
I have Windows 10 Azure VM and trying to play videos from CDN (vid.pluralsight.com), but it cannot connect to this cdn. Tried tracert to this cdn but it is timing out. this cdn is on http://www.cachefly.com/.
Anybody knows where to enable this?
ICMP is disabled on Azure VM's, so your tracert calls will timeout/fail (even with http/UDP supported packages). That being said, I would reach over to PluralSight support, it would be logic on their end in their CDN configurations denying access to certain IP's or ranges, or without proper auth tokens. They likely can assist you further. The issue does not appear to be with the CacheFly CDN because other CacheFly CDN enabled content is served appropriately on the Azure VMs I've tried (both Windows/ Linux). If you have a CacheFly account you should be able to pre-warm a few cache locations and pull those with url filters, etc. and see that you can expire content, get geo-cached items, etc.
I am implementing OData using ASP.NET Web API 2.2. These are deployed as Azure Web roles in different Azure Data centers where data is present in SQL Azure DBs. If there is a request coming from the user, the request has to be redirected to a particular web role deployed in based on the user details.
I am still exploring Azure Traffic Manager capabilities. Is it the way to do it in Azure? or what is the right approach for such scenarios in Azure?
This is not possible using Azure Traffic Manager. Traffic Manager simply does DNS resolution based on the policy (perf, round robin, failover) you choose.
If you want to intelligently route customers based on some logic then I would suggest:
First, are you sure you want to do this? A key tenant of a highly scalable and available service is that a request can be served by any instance/deployment, and it is more important to get the request to the fastest deployment (ie. the perf profile for WATM). There are valid reasons to need to direct users to a specific service, but I would suggest taking a hard look at this design requirement.
You could use ARR or URL Rewrite to internally fetch data from the correct deployment. This may have perf implications, but would be easy to implement.
As Brendan mentioned in a comment, you could have a thin web API layer that just does a 302 redirect to send the user to the correct deployment.