the_order/docs/deployment/azure/cdn-setup.md
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00

# Azure CDN Setup for Credential Seals
**Last Updated**: 2025-01-27
**Status**: Complete and Operational
## Overview
Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images. This setup provides high-performance, globally distributed hosting for credential images used in Entra VerifiedID credentials.
## Quick Start
**One-Command Setup:**
```bash
./scripts/deploy/setup-azure-cdn-complete.sh
```
This automates:
1. ✅ Azure quota checking
2. ✅ Infrastructure creation (Storage Account, Container, CDN Profile, Endpoint)
3. ✅ File upload (all seal PNG files)
4. ✅ Manifest URL updates
## Prerequisites
1. **Azure CLI installed**
```bash
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```
2. **Logged in to Azure**
```bash
az login
az account set --subscription <subscription-id>
```
3. **Required Permissions**
- Contributor or Owner on the subscription (or on the target resource group); this covers creating the storage account, CDN profile and endpoint
- Storage Blob Data Contributor on the storage account for uploads with `--auth-mode login`; Storage Account Contributor is a control-plane role that only lets the CLI list the account key, which is what it falls back to when no data-plane role is held
- CDN Contributor, if the deploying identity is not already a Contributor
## Architecture
```
Azure Subscription
└── Resource Group: theorder-rg-dev
    ├── Storage Account: theordercdn12439 (or similar)
    │   └── Container: images (access level "blob": anonymous read of individual blobs, no listing)
    └── CDN Profile: theorder-cdn-dev-profile
        └── CDN Endpoint: theorder-cdn-dev-endpoint
            └── Origin: the storage account's blob endpoint (<storage-account>.blob.core.windows.net)
```
## Manual Setup Steps
### Step 1: Check Azure Quotas
```bash
./infra/scripts/azure-check-cdn-quotas.sh
```
This checks:
- Storage accounts quota
- CDN profiles quota
- CDN endpoints quota
- Resource group limits
### Step 2: Create Infrastructure
```bash
./infra/scripts/azure-cdn-setup.sh
```
This creates:
- Storage account with `allowBlobPublicAccess` enabled at the account level (required before any container can be made public), secure transfer required and a TLS 1.2 minimum
- Storage container named "images" with access level `blob` (anonymous reads of individual blobs; listing stays denied)
- CDN profile (Standard_Microsoft SKU)
- CDN endpoint whose origin is the storage account's blob endpoint
### Step 3: Upload Seal Images
```bash
./scripts/deploy/upload-seals-to-azure.sh
```
Uploads all PNG seal files to the storage container.
### Step 4: Update Manifest URLs
```bash
./scripts/deploy/update-manifest-seal-urls.sh
```
Updates all manifest templates with CDN URLs.
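The four steps above combined into one script, as an added example; it is not one of the project's scripts, whose contents are not shown on this page. It assumes the resource names are passed on the command line and the PNGs are in `./seals` (both placeholders), and that the caller holds Contributor plus Storage Blob Data Contributor. It creates the same resources as Step 2 but with the settings the Configuration and Security sections call for (secure transfer only, TLS 1.2 floor, container level `blob`, HTTP disabled on the endpoint), uploads with Entra ID auth instead of the account key, and prints the CDN URL for each seal. Rewriting the manifest templates (Step 4) is left to the project's script because their format is not on this page.

```shell
#!/usr/bin/env bash
# Added example, not one of the project's scripts: builds the seal CDN stack from
# the steps above with hardened settings and uploads the PNGs.
# Assumptions (placeholders): names come from the command line, seals live in ./seals.
set -eu

# Storage account names: 3-24 characters, lowercase letters and digits only.
valid_storage_name() {
  case "$1" in
    *[!a-z0-9]*|"") return 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
}

# URL a manifest should reference: CDN hostname, container name in the path.
seal_cdn_url() {
  printf 'https://%s.azureedge.net/images/%s\n' "$1" "$2"
}

# Direct blob URL, the fallback while the endpoint propagates.
seal_blob_url() {
  printf 'https://%s.blob.core.windows.net/images/%s\n' "$1" "$2"
}

create_infra() {
  local rg="$1" sa="$2" profile="$3" endpoint="$4" location="$5"
  # Origin: secure transfer only, TLS 1.2 floor, anonymous blob reads permitted at
  # account level (Standard_LRS for dev/stage; Standard_GRS for production).
  az storage account create --name "$sa" --resource-group "$rg" --location "$location" \
    --sku Standard_LRS --kind StorageV2 --https-only true --min-tls-version TLS1_2 \
    --allow-blob-public-access true --output none
  # Access level "blob": anonymous GET of a known blob works, listing the container does not.
  az storage container create --name images --account-name "$sa" \
    --public-access blob --auth-mode login --output none
  az cdn profile create --name "$profile" --resource-group "$rg" \
    --sku Standard_Microsoft --location global --output none
  # --no-http: the endpoint answers on 443 only; without it plain HTTP is served, not redirected.
  az cdn endpoint create --name "$endpoint" --profile-name "$profile" --resource-group "$rg" \
    --origin "$sa.blob.core.windows.net" --origin-host-header "$sa.blob.core.windows.net" \
    --no-http --enable-compression --output none
}

upload_seals() {
  # --auth-mode login uses the caller's Entra ID identity (needs Storage Blob Data
  # Contributor), so the script never fetches or stores the account key.
  az storage blob upload-batch --account-name "$1" --destination images --source "$2" \
    --pattern '*.png' --content-type image/png --auth-mode login --overwrite --output none
}

main() {
  if [ "$#" -ne 5 ]; then
    echo "usage: $0 <resource-group> <storage-account> <cdn-profile> <cdn-endpoint> <location>" >&2
    return 0
  fi
  valid_storage_name "$2" || { echo "invalid storage account name: $2" >&2; return 1; }
  create_infra "$1" "$2" "$3" "$4" "$5"
  upload_seals "$2" ./seals
  # Print the URL each manifest template should carry for every uploaded seal.
  for f in ./seals/*.png; do
    seal_cdn_url "$4" "$(basename "$f")"
  done
}
main "$@"
```

Run it with no arguments to see the usage line. Because the endpoint is created with `--no-http`, `http://` requests to it fail rather than redirect, which is the behaviour the Security checklist describes; the two URL helpers are the mapping the manifest update step needs.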
## Configuration
### Storage Account Settings
- **Account Tier**: Standard
- **Replication**: LRS (dev/stage), GRS (production)
- **Public Access**: `allowBlobPublicAccess` enabled at the account level so the CDN origin can read anonymously; the container itself is set to access level `blob`, never `container`
- **HTTPS**: Secure transfer required (`--https-only true`)
- **TLS Version**: TLS 1.2 minimum
### CDN Settings
- **SKU**: Standard_Microsoft
- **HTTPS**: Enabled, with HTTP disabled on the endpoint (`--no-http`); a Standard_Microsoft endpoint with HTTP left enabled serves plain-HTTP requests rather than redirecting them
- **Compression**: Enabled
- **Caching**: Optimized for static content
### CORS Configuration
```bash
# CORS is a storage-service property, so the account must be named.
# GET/HEAD on anonymous images involves no credentials, which is why a wildcard origin is acceptable here.
az storage cors add \
  --account-name <storage-account> \
  --services b \
  --methods GET HEAD \
  --origins "*" \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600
```
The CDN caches the origin's response headers, so after changing CORS purge the endpoint (`az cdn endpoint purge --content-paths '/*' --name <cdn-endpoint> --profile-name <cdn-profile> --resource-group <resource-group>`) or wait for the cached objects to expire.
## URLs
### Direct Blob Storage URL
```
https://<storage-account>.blob.core.windows.net/images/<seal-file>.png
```
### CDN URL (Recommended)
```
https://<cdn-endpoint>.azureedge.net/images/<seal-file>.png
```
### Current Configuration
- **Storage Account**: `theordercdn12439`
- **CDN Endpoint**: `theordercdn12439.azureedge.net`
- **Base URL**: `https://theordercdn12439.blob.core.windows.net/images/`
## Seal Files
### Available Seals
1. `digital-bank-seal.png` - Digital Bank of International Settlements
2. `iccc-seal.png` - International Criminal Court of Commerce
3. `iccc-provost-marshals-seal.png` - ICCC Provost Marshals
4. `diplomatic-security-seal.png` - Diplomatic Security Service
5. `legal-office-seal.png` - Legal Office of the Master
### Image Sizes
Each seal is produced at three pixel sizes:
- 200x200px: For credential logos (default)
- 400x400px: High-resolution displays
- 800x800px: Print/embossing
## Troubleshooting
### CDN Not Propagating
- A new endpoint can take 10-60 minutes to propagate; until then requests to the `azureedge.net` hostname may fail or return stale content
- Use the direct blob URL as a fallback
- Check endpoint status: `az cdn endpoint show --name <cdn-endpoint> --profile-name <cdn-profile> --resource-group <resource-group> --query resourceState` (expect `Running`)
### Access Denied
- Verify the container access level is `blob`: `az storage container show --name images --account-name <storage-account> --auth-mode login --query properties.publicAccess`
- Verify the account allows public access: `az storage account show --name <storage-account> --query allowBlobPublicAccess`; when it is `false` the container setting is ignored and anonymous requests fail with 409 `PublicAccessNotPermitted`
- Check CORS only for browser `fetch`/XHR failures: CORS rules never produce a 403 or 404 from the CDN, and `curl` succeeds regardless of them
### Quota Exceeded
- Review quota report: `azure-cdn-quota-report.txt`
- Request quota increase via Azure portal
- Consider using existing storage account
## Maintenance
### Update Seal Images
1. Convert new SVG to PNG: `./scripts/tools/convert-svg-to-png.sh`
2. Upload to Azure: `./scripts/deploy/upload-seals-to-azure.sh`
3. Update manifests: `./scripts/deploy/update-manifest-seal-urls.sh`
### Monitor Usage
```bash
# `az storage account show-usage` reports the subscription's storage-account count
# against its quota (what Step 1 checks), not an account's consumption.
# Consumption comes from Azure Monitor metrics; UsedCapacity is in bytes.
az monitor metrics list \
  --resource <storage-account> \
  --resource-group <resource-group> \
  --resource-type Microsoft.Storage/storageAccounts \
  --metric UsedCapacity \
  --aggregation Average
```
### Cost Optimization
- Use LRS for dev/stage (lower cost)
- Enable CDN compression
- Set appropriate cache headers
- Monitor and optimize file sizes
## Security
- ✅ HTTPS only: the storage account requires secure transfer, and the CDN endpoint has HTTP disabled (`--no-http`). A Standard_Microsoft endpoint with HTTP left enabled serves plain-HTTP requests rather than redirecting them, so verify with `az cdn endpoint show ... --query isHttpAllowed` (expect `false`)
- ✅ CORS configured for GET/HEAD only; the images are anonymous, so no credentialed cross-origin requests are involved
- ✅ Public read-only access: container access level `blob` permits anonymous reads of individual blobs but not listing; `container` would expose the file inventory
- ✅ No write access from public: writes need an Entra ID data-plane role, a SAS token or the account key, and the scripts should use `--auth-mode login` so the key never lands in a script or shell history
- ✅ Storage account firewall (optional): limits which networks can reach the blob endpoint directly; if enabled, the CDN origin must still be allowed through, otherwise the endpoint starts failing once its cache expires
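An added audit script (not part of the project) that reads the live settings with `az` and compares them with this checklist; it also covers the Access Denied entry in Troubleshooting, since both conditions that break anonymous reads (`allowBlobPublicAccess` off, container level not `blob`) are among its checks. The property names are those returned by `az storage account show`, `az storage container show` and `az cdn endpoint show`; `az -o tsv` renders booleans as `True`/`False`, so values are lower-cased before comparison. The resource names on the command line and the container name `images` are assumptions.

```shell
#!/usr/bin/env bash
# Added audit example, not a project script: pulls the live settings with `az`
# and checks them against the Security checklist.
# Assumed placeholders: names are passed on the command line; the container is "images".
set -eu

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Pure check over six values (storage: enableHttpsTrafficOnly, minimumTlsVersion,
# allowBlobPublicAccess; container: publicAccess; CDN: isHttpAllowed, isHttpsAllowed).
# `az -o tsv` prints booleans as True/False, so values are lower-cased first.
# Prints one FAIL line per deviation and returns the number of deviations.
audit_posture() {
  local https_only min_tls allow_public container_access http_allowed https_allowed failures=0
  https_only=$(lc "$1"); min_tls=$2; allow_public=$(lc "$3")
  container_access=$(lc "${4:-none}"); http_allowed=$(lc "$5"); https_allowed=$(lc "$6")
  [ "$https_only" = "true" ] || { echo "FAIL storage: enableHttpsTrafficOnly=$1 (plain-HTTP reads of the origin are accepted)"; failures=$((failures + 1)); }
  case "$min_tls" in
    TLS1_2|TLS1_3) ;;
    *) echo "FAIL storage: minimumTlsVersion=$2 (want TLS1_2 or higher)"; failures=$((failures + 1)) ;;
  esac
  [ "$allow_public" = "true" ] || { echo "FAIL storage: allowBlobPublicAccess=$3 (anonymous reads get 409 PublicAccessNotPermitted, so the CDN origin fails)"; failures=$((failures + 1)); }
  [ "$container_access" = "blob" ] || { echo "FAIL container: publicAccess=${4:-none} (want blob: per-blob anonymous read, no listing)"; failures=$((failures + 1)); }
  [ "$http_allowed" = "false" ] || { echo "FAIL cdn: isHttpAllowed=$5 (plain HTTP is served, not redirected; use --no-http or a redirect rule)"; failures=$((failures + 1)); }
  [ "$https_allowed" = "true" ] || { echo "FAIL cdn: isHttpsAllowed=$6 (HTTPS is disabled on the endpoint)"; failures=$((failures + 1)); }
  if [ "$failures" -eq 0 ]; then echo "OK: configuration matches the checklist"; fi
  return "$failures"
}

# Collects the six values from the live resources and feeds them to audit_posture.
collect_and_audit() {
  local rg="$1" sa="$2" profile="$3" endpoint="$4" account container cdn
  account=$(az storage account show --name "$sa" --resource-group "$rg" \
    --query "[enableHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess]" -o tsv)
  # JMESPath `|| 'none'` keeps the field count stable when public access is off (null).
  container=$(az storage container show --name images --account-name "$sa" --auth-mode login \
    --query "properties.publicAccess || 'none'" -o tsv)
  cdn=$(az cdn endpoint show --name "$endpoint" --profile-name "$profile" --resource-group "$rg" \
    --query "[isHttpAllowed, isHttpsAllowed]" -o tsv)
  # Word-split the tsv output into positional parameters; none of these values contains spaces.
  set -- $account $container $cdn
  audit_posture "$1" "$2" "$3" "$4" "$5" "$6"
}

main() {
  if [ "$#" -ne 4 ]; then
    echo "usage: $0 <resource-group> <storage-account> <cdn-profile> <cdn-endpoint>" >&2
    return 0
  fi
  collect_and_audit "$@"
}
main "$@"
```

The exit status is the number of failed checks, so the script can gate a deployment pipeline; reading the container properties with `--auth-mode login` needs a data-plane read role (Storage Blob Data Reader or higher) on the account.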
## Related Documentation
- [Entra VerifiedID Setup](./entra-verifiedid.md)
- [Deployment Overview](../overview.md)
- [Seal Design Guide](../../design/ORDER_SEALS_DESIGN_GUIDE.md)
---
**Note**: This guide consolidates information from multiple Azure CDN setup files. Historical setup documents have been archived in `docs/archive/deployment/azure-cdn/`.