the_order/docs/deployment/AZURE_CDN_SETUP.md
defiQUG 92cc41d26d Add Legal Office seal and complete Azure CDN deployment
- Add Legal Office of the Master seal (SVG design with Maltese Cross, scales of justice, legal scroll)
- Create legal-office-manifest-template.json for Legal Office credentials
- Update SEAL_MAPPING.md and DESIGN_GUIDE.md with Legal Office seal documentation
- Complete Azure CDN infrastructure deployment:
  - Resource group, storage account, and container created
  - 17 PNG seal files uploaded to Azure Blob Storage
  - All manifest templates updated with Azure URLs
  - Configuration files generated (azure-cdn-config.env)
- Add comprehensive Azure CDN setup scripts and documentation
- Fix manifest URL generation to prevent double slashes
- Verify all seals accessible via HTTPS
2025-11-12 22:03:42 -08:00


Azure CDN Setup for Credential Seals

Complete guide for setting up the Azure CDN infrastructure that serves Order of St John credential seal images.

Quick Start

One-Command Setup:

./scripts/deploy/setup-azure-cdn-complete.sh

This automates:

  1. Quota checking
  2. Infrastructure creation
  3. File upload
  4. Manifest URL updates

Prerequisites

  1. Azure CLI installed

    # Install Azure CLI
    curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
    
  2. Logged in to Azure

    az login
    az account set --subscription <subscription-id>
    
  3. Required Permissions

    • Contributor or Owner role on subscription
    • Ability to create resource groups
    • Ability to create storage accounts
    • Ability to create CDN profiles

Step-by-Step Setup

Step 1: Check Quotas

./infra/scripts/azure-check-cdn-quotas.sh

This checks:

  • Storage account quota
  • CDN profile quota
  • Resource group quota
  • CDN endpoint quota

Output: azure-cdn-quota-report.txt

Step 2: Set Up Infrastructure

./infra/scripts/azure-cdn-setup.sh

This creates:

  • Resource group: the-order-cdn-rg
  • Storage account: theordercdn<timestamp>
  • Storage container: images (public blob access)
  • CDN profile: theorder-cdn-profile
  • CDN endpoint: theorder-cdn-endpoint

Output: azure-cdn-config.env

Step 3: Upload Files

./scripts/deploy/upload-seals-to-azure.sh

Uploads all PNG files to Azure Blob Storage.

Step 4: Update Manifest URLs

source azure-cdn-config.env
CDN_BASE_URL="${CDN_BASE_URL_CDN}" ./scripts/deploy/update-manifest-seal-urls.sh
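The base URLs in azure-cdn-config.env end in "/", so joining them with a file name naively yields "//". The following is an added example, not one of the project's scripts: it builds a seal URL with exactly one separator and checks that a URL headed for a manifest is HTTPS and sits under the configured base. The function names are hypothetical, and extracting the URLs from the manifest templates is assumed to happen elsewhere.

```bash
#!/usr/bin/env bash
# Added example, not one of the project's scripts. Function names are hypothetical.

# Join base URL and file name with exactly one "/" between them, whether or
# not the base ends in "/" (the CDN_BASE_URL values in azure-cdn-config.env do).
seal_url() {
  local base="${1%/}" name="${2#/}"
  printf '%s/%s\n' "$base" "$name"
}

# Succeed only if URL is <base>/<file>.png: HTTPS, the exact configured host
# and container, and a plain file name.
check_seal_url() {
  local url="$1" base="${2%/}" name
  case "$base" in https://*) ;; *) return 1 ;; esac
  case "$url" in
    "$base"/*) name="${url#"$base"/}" ;;
    *) return 1 ;;
  esac
  case "$name" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;   # also rejects "/", "?", "#", "@"
    *.png) return 0 ;;
    *) return 1 ;;
  esac
}

# Read URLs (one per line) on stdin, print the rejected ones and return
# non-zero if any was rejected.
check_seal_urls() {
  local base="$1" url bad=0
  while IFS= read -r url || [ -n "$url" ]; do
    [ -z "$url" ] && continue
    check_seal_url "$url" "$base" || { echo "REJECT $url"; bad=1; }
  done
  return "$bad"
}

# Constructed sample: base URL as shown in the configuration file section.
BASE='https://theordercdn123456.blob.core.windows.net/images/'
seal_url "$BASE" digital-bank-seal.png
```

Because the check pins the full base URL rather than a host suffix, a URL on a different storage account or CDN endpoint is rejected even though it shares the same Azure domain.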

Infrastructure Components

Storage Account

  • Name: theordercdn<timestamp> (globally unique)
  • SKU: Standard_LRS
  • Public Access: Enabled for blob access
  • CORS: Configured for GET, HEAD, OPTIONS

Storage Container

  • Name: images
  • Access Type: Blob (public read access)
  • Purpose: Store credential seal PNG files

CDN Profile

  • Name: theorder-cdn-profile
  • SKU: Standard_Microsoft
  • Purpose: CDN profile for image delivery

CDN Endpoint

  • Name: theorder-cdn-endpoint
  • Origin: Storage account blob host
  • Compression: Enabled (gzip, deflate)
  • Cache: 1 day default

Configuration File

After setup, azure-cdn-config.env contains:

# Storage Account
AZURE_STORAGE_ACCOUNT=theordercdn123456
AZURE_STORAGE_KEY=<key>
AZURE_STORAGE_CONTAINER=images
AZURE_RESOURCE_GROUP=the-order-cdn-rg
AZURE_LOCATION=westeurope

# CDN
AZURE_CDN_PROFILE=theorder-cdn-profile
AZURE_CDN_ENDPOINT=theorder-cdn-endpoint
AZURE_CDN_ENDPOINT_URL=<endpoint-url>

# URLs
CDN_BASE_URL_BLOB=https://theordercdn123456.blob.core.windows.net/images/
CDN_BASE_URL_CDN=https://<endpoint>.azureedge.net/images/
CDN_BASE_URL=${CDN_BASE_URL_CDN:-${CDN_BASE_URL_BLOB}}

URLs

Blob Storage URL (Immediate)

https://<storage-account>.blob.core.windows.net/images/

CDN URL (After Propagation)

https://<cdn-endpoint>.azureedge.net/images/

Note: The CDN endpoint takes 10-15 minutes to fully propagate.

Quota Requirements

Minimum quotas needed:

  • Storage Accounts: 1 available
  • CDN Profiles: 1 available
  • CDN Endpoints: 1 available per profile
  • Resource Groups: 1 available

Cost Estimation

Approximate monthly costs (West Europe):

  • Storage Account: ~$0.02/GB/month
  • CDN Profile: ~$0.04/GB egress
  • Blob Storage: ~$0.0004/GB/month

For credential images (~17 files, ~200KB each = ~3.4MB total):

  • Storage: ~$0.0001/month
  • CDN: Depends on traffic (first 5GB free/month)

Total: ~$0-5/month depending on traffic

Terraform Option

Alternatively, use Terraform:

cd infra/terraform
terraform init
terraform plan -target=azurerm_storage_account.cdn_images
terraform apply -target=azurerm_storage_account.cdn_images

Verification

Check Storage Account

az storage account show \
  --name <storage-account> \
  --resource-group the-order-cdn-rg

Check Container

az storage container show \
  --name images \
  --account-name <storage-account> \
  --account-key <key>

Check CDN Endpoint

az cdn endpoint show \
  --name theorder-cdn-endpoint \
  --profile-name theorder-cdn-profile \
  --resource-group the-order-cdn-rg

Test File Access

curl -I https://<storage-account>.blob.core.windows.net/images/digital-bank-seal.png

Troubleshooting

Quota Exceeded

Storage Account Name Taken

  • Script auto-generates unique name with timestamp
  • Or specify: AZURE_STORAGE_ACCOUNT=<custom-name>

CDN Endpoint Not Ready

  • Wait 10-15 minutes for propagation
  • Check status in Azure Portal
  • Use blob URL temporarily

Files Not Accessible

  • Verify container has public blob access
  • Check CORS configuration
  • Verify file upload succeeded

Security

  • HTTPS: All URLs use HTTPS
  • Public Access: Anonymous access is limited to reading blobs (no write)
  • CORS: Configured for cross-origin requests
  • Storage Key: Keep secure, use managed identity in production
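
azure-cdn-config.env holds AZURE_STORAGE_KEY in plain text and is executed by `source` in Step 4, so it is worth checking before use. The following is an added example, not one of the project's scripts: it checks the file's permissions, whether git tracks it, and whether it contains anything other than plain assignments. The function name audit_env_file is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not one of the project's scripts. audit_env_file is a
# hypothetical helper name.

audit_env_file() {
  local f="$1" rc=0 perms line name value tab
  tab=$(printf '\t')
  [ -f "$f" ] || { echo "ERROR $f not found" >&2; return 2; }

  # 1. The file holds AZURE_STORAGE_KEY, so only the owner may access it.
  perms=$(ls -ld -- "$f" | cut -c5-10)     # group and other permission bits
  if [ "$perms" != "------" ]; then
    echo "FAIL group/other can access the file (fix: chmod 600 $f)"; rc=1
  fi

  # 2. It must not be tracked by git. Outside a repository, or without git
  #    installed, this check simply does not fire.
  if git -C "$(dirname -- "$f")" ls-files --error-unmatch \
       -- "$(basename -- "$f")" >/dev/null 2>&1; then
    echo "FAIL file is tracked by git"; rc=1
  fi

  # 3. `source` executes every line. Accept only comments, blank lines and
  #    NAME=value assignments whose value has no shell operators. Values are
  #    never printed, because one of them is the storage key.
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    name="${line%%=*}"; value="${line#*=}"
    case "$name" in
      "$line"|''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "FAIL not a NAME=value line"; rc=1; continue ;;
    esac
    case "$value" in
      *'$('*|*'`'*|*[';&|<> ']*|*"$tab"*)
        echo "FAIL shell operator in value of $name"; rc=1 ;;
    esac
  done < "$f"
  return "$rc"
}
```

Run `audit_env_file azure-cdn-config.env` before Step 4 and treat a non-zero exit status as a reason not to source the file.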

Production Recommendations

  1. Use Managed Identity instead of storage keys
  2. Enable CDN HTTPS with custom domain
  3. Set up monitoring for CDN usage
  4. Configure alerts for quota limits
  5. Use Azure Key Vault for secrets

Next Steps

After setup:

  1. Verify files are accessible
  2. Update manifest templates
  3. Test credential issuance
  4. Monitor CDN usage
  5. Set up custom domain (optional)

Last Updated: [Current Date]
Status: Ready for deployment