# Azure CDN Setup for Credential Seals

Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images.

## Quick Start

**One-Command Setup:**

```bash
./scripts/deploy/setup-azure-cdn-complete.sh
```

This automates:

1. ✅ Quota checking
2. ✅ Infrastructure creation
3. ✅ File upload
4. ✅ Manifest URL updates

## Prerequisites

1. **Azure CLI installed**

   ```bash
   # Install Azure CLI
   curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
   ```

2. **Logged in to Azure**

   ```bash
   az login
   az account set --subscription
   ```

3. **Required Permissions**
   - Contributor or Owner role on subscription
   - Ability to create resource groups
   - Ability to create storage accounts
   - Ability to create CDN profiles

## Step-by-Step Setup

### Step 1: Check Quotas

```bash
./infra/scripts/azure-check-cdn-quotas.sh
```

This checks:

- Storage account quota
- CDN profile quota
- Resource group quota
- CDN endpoint quota

**Output**: `azure-cdn-quota-report.txt`

### Step 2: Set Up Infrastructure

```bash
./infra/scripts/azure-cdn-setup.sh
```

This creates:

- Resource group: `the-order-cdn-rg`
- Storage account: `theordercdn`
- Storage container: `images` (public blob access)
- CDN profile: `theorder-cdn-profile`
- CDN endpoint: `theorder-cdn-endpoint`

**Output**: `azure-cdn-config.env`

### Step 3: Upload Files

```bash
./scripts/deploy/upload-seals-to-azure.sh
```

Uploads all PNG files to Azure Blob Storage.

### Step 4: Update Manifest URLs

```bash
source azure-cdn-config.env
CDN_BASE_URL="${CDN_BASE_URL_CDN}" ./scripts/deploy/update-manifest-seal-urls.sh
```

## Infrastructure Components

### Storage Account

- **Name**: `theordercdn` (globally unique)
- **SKU**: Standard_LRS
- **Public Access**: Enabled for blob access
- **CORS**: Configured for GET, HEAD, OPTIONS

### Storage Container

- **Name**: `images`
- **Access Type**: Blob (public read access)
- **Purpose**: Store credential seal PNG files

### CDN Profile

- **Name**: `theorder-cdn-profile`
- **SKU**: Standard_Microsoft
- **Purpose**: CDN profile for image delivery

### CDN Endpoint

- **Name**: `theorder-cdn-endpoint`
- **Origin**: Storage account blob host
- **Compression**: Enabled (gzip, deflate)
- **Cache**: 1 day default

## Configuration File

After setup, `azure-cdn-config.env` contains:

```bash
# Storage Account
AZURE_STORAGE_ACCOUNT=theordercdn123456
AZURE_STORAGE_KEY=
AZURE_STORAGE_CONTAINER=images
AZURE_RESOURCE_GROUP=the-order-cdn-rg
AZURE_LOCATION=westeurope

# CDN
AZURE_CDN_PROFILE=theorder-cdn-profile
AZURE_CDN_ENDPOINT=theorder-cdn-endpoint
AZURE_CDN_ENDPOINT_URL=

# URLs
CDN_BASE_URL_BLOB=https://theordercdn123456.blob.core.windows.net/images/
CDN_BASE_URL_CDN=https://.azureedge.net/images/
CDN_BASE_URL=${CDN_BASE_URL_CDN:-${CDN_BASE_URL_BLOB}}
```

## URLs

### Blob Storage URL (Immediate)

```
https://.blob.core.windows.net/images/
```

### CDN URL (After Propagation)

```
https://.azureedge.net/images/
```

**Note**: CDN endpoint takes 10-15 minutes to fully propagate.
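
The configuration file above holds the storage key and the base URLs that end up in manifests, and Step 4 loads it with `source`. As an added example (not one of the project's scripts), the following reads `azure-cdn-config.env` as data instead of executing it, and flags a key kept in a group- or world-accessible file and base URLs that are not HTTPS or whose host is not a non-empty name under the expected Azure suffix. The function names and the sample values are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not a project script): audit azure-cdn-config.env as data.

# cfg_get FILE KEY: print KEY's literal value (last assignment wins); nothing runs.
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_url NAME URL SUFFIX: require https and a host of the form <name>SUFFIX.
check_url() {
  local host
  case $2 in
    https://*) ;;
    *) echo "$1: not an https:// URL"; return 1 ;;
  esac
  host=${2#https://}; host=${host%%/*}
  case $host in
    *[!A-Za-z0-9.-]*) echo "$1: unexpected character in host '$host'"; return 1 ;;
    ?*"$3") return 0 ;;
    *) echo "$1: host '$host' is not <name>$3"; return 1 ;;
  esac
}

# audit_cdn_config FILE: print one finding per line; return 1 if there are any.
audit_cdn_config() {
  local file=$1 rc=0 mode
  if [ -n "$(cfg_get "$file" AZURE_STORAGE_KEY)" ]; then
    mode=$(ls -ld "$file" | cut -c5-10)   # group + other permission bits
    if [ "$mode" != "------" ]; then
      echo "AZURE_STORAGE_KEY: file is group/other accessible ($mode)"; rc=1
    fi
  fi
  check_url CDN_BASE_URL_BLOB "$(cfg_get "$file" CDN_BASE_URL_BLOB)" .blob.core.windows.net || rc=1
  check_url CDN_BASE_URL_CDN "$(cfg_get "$file" CDN_BASE_URL_CDN)" .azureedge.net || rc=1
  return $rc
}

# Constructed sample (placeholder key): readable by others, CDN endpoint name empty.
write_sample() {
  cat > "$1" <<'EOF'
AZURE_STORAGE_KEY=CONSTRUCTED-PLACEHOLDER-KEY
CDN_BASE_URL_BLOB=https://theordercdn123456.blob.core.windows.net/images/
CDN_BASE_URL_CDN=https://.azureedge.net/images/
EOF
  chmod 644 "$1"
}

sample=$(mktemp) && write_sample "$sample"
audit_cdn_config "$sample" || echo "-> resolve the findings above before deploying"
rm -f "$sample"
```

A non-zero return from `audit_cdn_config` means at least one finding, so the function can gate Step 4 in a deployment script.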

## Quota Requirements

Minimum quotas needed:

- **Storage Accounts**: 1 available
- **CDN Profiles**: 1 available
- **CDN Endpoints**: 1 available per profile
- **Resource Groups**: 1 available

## Cost Estimation

Approximate monthly costs (West Europe):

- **Storage Account**: ~$0.02/GB/month
- **CDN Profile**: ~$0.04/GB egress
- **Blob Storage**: ~$0.0004/GB/month

For credential images (~17 files, ~200KB each = ~3.4MB total):

- **Storage**: ~$0.0001/month
- **CDN**: Depends on traffic (first 5GB free/month)

**Total**: ~$0-5/month depending on traffic

## Terraform Option

Alternatively, use Terraform:

```bash
cd infra/terraform
terraform init
terraform plan -target=azurerm_storage_account.cdn_images
terraform apply -target=azurerm_storage_account.cdn_images
```

## Verification

### Check Storage Account

```bash
az storage account show \
  --name \
  --resource-group the-order-cdn-rg
```

### Check Container

```bash
az storage container show \
  --name images \
  --account-name \
  --account-key
```

### Check CDN Endpoint

```bash
az cdn endpoint show \
  --name theorder-cdn-endpoint \
  --profile-name theorder-cdn-profile \
  --resource-group the-order-cdn-rg
```

### Test File Access

```bash
curl -I https://.blob.core.windows.net/images/digital-bank-seal.png
```

## Troubleshooting

### Quota Exceeded

- Request quota increase: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade
- Or use existing storage account

### Storage Account Name Taken

- Script auto-generates unique name with timestamp
- Or specify: `AZURE_STORAGE_ACCOUNT=`

### CDN Endpoint Not Ready

- Wait 10-15 minutes for propagation
- Check status in Azure Portal
- Use blob URL temporarily

### Files Not Accessible

- Verify container has public blob access
- Check CORS configuration
- Verify file upload succeeded

## Security

- **HTTPS**: All URLs use HTTPS
- **Public Access**: Only blob read access (no write)
- **CORS**: Configured for cross-origin requests
- **Storage Key**: Keep secure, use managed identity in production

## Production Recommendations

1. **Use Managed Identity** instead of storage keys
2. **Enable CDN HTTPS** with custom domain
3. **Set up monitoring** for CDN usage
4. **Configure alerts** for quota limits
5. **Use Azure Key Vault** for secrets

## Next Steps

After setup:

1. ✅ Verify files are accessible
2. ✅ Update manifest templates
3. ✅ Test credential issuance
4. ✅ Monitor CDN usage
5. ✅ Set up custom domain (optional)

---

**Last Updated**: [Current Date]

**Status**: Ready for deployment