# Azure CDN Setup for Credential Seals

**Last Updated**: 2025-01-27
**Status**: Complete and Operational

## Overview

Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images. This setup provides high-performance, globally distributed hosting for credential images used in Entra VerifiedID credentials.

## Quick Start

**One-Command Setup:**

```bash
./scripts/deploy/setup-azure-cdn-complete.sh
```

This automates:

1. ✅ Azure quota checking
2. ✅ Infrastructure creation (Storage Account, Container, CDN Profile, Endpoint)
3. ✅ File upload (all seal PNG files)
4. ✅ Manifest URL updates

## Prerequisites

1. **Azure CLI installed**

   ```bash
   # Install Azure CLI
   curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
   ```

2. **Logged in to Azure**

   ```bash
   az login
   az account set --subscription <subscription-id>
   ```

3. **Required Permissions**
   - Contributor or Owner role on subscription
   - Storage Account Contributor
   - CDN Contributor

## Architecture

```
Azure Subscription
├── Resource Group: theorder-rg-dev
├── Storage Account: theordercdn12439 (or similar)
│   └── Container: images (public blob access)
├── CDN Profile: theorder-cdn-dev-profile
│   └── CDN Endpoint: theorder-cdn-dev-endpoint
│       └── Origin: Storage Account blob endpoint
```

## Manual Setup Steps

### Step 1: Check Azure Quotas

```bash
./infra/scripts/azure-check-cdn-quotas.sh
```

This checks:

- Storage accounts quota
- CDN profiles quota
- CDN endpoints quota
- Resource group limits

### Step 2: Create Infrastructure

```bash
./infra/scripts/azure-cdn-setup.sh
```

This creates:

- Storage account with public blob access
- Storage container named "images"
- CDN profile (Standard_Microsoft SKU)
- CDN endpoint pointing to storage account

### Step 3: Upload Seal Images

```bash
./scripts/deploy/upload-seals-to-azure.sh
```

Uploads all PNG seal files to the storage container.
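After Step 2 has created the storage account and Step 3 has uploaded the seals, it is worth confirming that the account and container actually carry the settings this guide requires (TLS 1.2 minimum, HTTPS only, public *blob* read access without anonymous container listing). The script below is an added example, not one of the project's `infra/scripts` or `scripts/deploy` scripts. It reads the JSON that `az storage account show` and `az storage container show` print; the JSON written by `write_sample_account` / `write_sample_container` is a constructed stand-in for that output so the check runs offline, and the field names used (`minimumTlsVersion`, `enableHttpsTrafficOnly`, `allowBlobPublicAccess`, `publicAccess`) are assumed to match what your Azure CLI version emits.

```shell
#!/bin/sh
# Added example (not part of the project's scripts): verify the storage posture this
# guide requires from the JSON output of `az storage account show` and
# `az storage container show`. Field names are assumed to match the Azure CLI output.

# Print the first scalar value found for JSON property $2 in file $1 (quotes stripped).
# A line-oriented sed is enough because `az ... -o json` pretty-prints one key per line.
json_value() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Constructed sample of `az storage account show -o json` (compliant settings).
write_sample_account() {
    cat > "$1" <<'EOF'
{
  "name": "theordercdn12439",
  "kind": "StorageV2",
  "minimumTlsVersion": "TLS1_2",
  "enableHttpsTrafficOnly": true,
  "allowBlobPublicAccess": true,
  "sku": { "name": "Standard_LRS", "tier": "Standard" }
}
EOF
}

# Constructed sample of `az storage container show -o json`; $2 is the access level
# ("blob" is what the CDN needs; "container" would also allow anonymous listing).
write_sample_container() {
    cat > "$1" <<EOF
{
  "name": "images",
  "properties": {
    "publicAccess": "$2",
    "lease": { "status": "unlocked" }
  }
}
EOF
}

# Check the account JSON ($1) and container JSON ($2) against the guide's settings.
# Prints one FAIL line per problem and returns 1 if anything failed, 0 otherwise.
check_storage_posture() {
    acct="$1"; cont="$2"; failed=0
    [ "$(json_value "$acct" minimumTlsVersion)" = "TLS1_2" ] \
        || { echo "FAIL: minimum TLS version is not TLS1_2"; failed=1; }
    [ "$(json_value "$acct" enableHttpsTrafficOnly)" = "true" ] \
        || { echo "FAIL: plain HTTP traffic to the storage account is allowed"; failed=1; }
    # The CDN origin reads blobs anonymously, so public blob access must stay on...
    [ "$(json_value "$acct" allowBlobPublicAccess)" = "true" ] \
        || { echo "FAIL: public blob access is disabled; the CDN origin cannot read the seals"; failed=1; }
    # ...but only at "blob" level: "container" exposes the listing, null means no access.
    [ "$(json_value "$cont" publicAccess)" = "blob" ] \
        || { echo "FAIL: container access level is not 'blob'"; failed=1; }
    return $failed
}
```

Against a live deployment, save `az storage account show --name theordercdn12439 --resource-group theorder-rg-dev -o json` and `az storage container show --name images --account-name theordercdn12439 -o json` to files and pass them to `check_storage_posture`. The wildcard CORS origin configured later in this guide is acceptable for this container precisely because the checks above hold: the content is public, read-only, and the CORS rule permits only GET and HEAD.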
### Step 4: Update Manifest URLs

```bash
./scripts/deploy/update-manifest-seal-urls.sh
```

Updates all manifest templates with CDN URLs.

## Configuration

### Storage Account Settings

- **Account Tier**: Standard
- **Replication**: LRS (dev/stage), GRS (production)
- **Public Access**: Enabled (for CDN)
- **TLS Version**: TLS 1.2 minimum

### CDN Settings

- **SKU**: Standard_Microsoft
- **HTTPS**: Enabled
- **Compression**: Enabled
- **Caching**: Optimized for static content

### CORS Configuration

```bash
az storage cors add \
  --services b \
  --methods GET HEAD \
  --origins "*" \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600
```

## URLs

### Direct Blob Storage URL

```
https://<storage-account>.blob.core.windows.net/images/<seal-name>.png
```

### CDN URL (Recommended)

```
https://<cdn-endpoint>.azureedge.net/images/<seal-name>.png
```

### Current Configuration

- **Storage Account**: `theordercdn12439`
- **CDN Endpoint**: `theordercdn12439.azureedge.net`
- **Base URL**: `https://theordercdn12439.blob.core.windows.net/images/`

## Seal Files

### Available Seals

1. `digital-bank-seal.png` - Digital Bank of International Settlements
2. `iccc-seal.png` - International Criminal Court of Commerce
3. `iccc-provost-marshals-seal.png` - ICCC Provost Marshals
4. `diplomatic-security-seal.png` - Diplomatic Security Service
5. `legal-office-seal.png` - Legal Office of the Master

### File Sizes

- 200x200px: For credential logos (default)
- 400x400px: High-resolution displays
- 800x800px: Print/embossing

## Troubleshooting

### CDN Not Propagating

- CDN propagation can take 10-60 minutes
- Use the direct blob URL as a fallback
- Check CDN endpoint status: `az cdn endpoint show`

### Access Denied

- Verify the container access type is "blob" (public)
- Check that storage account public access is enabled
- Verify the CORS configuration

### Quota Exceeded

- Review the quota report: `azure-cdn-quota-report.txt`
- Request a quota increase via the Azure portal
- Consider using an existing storage account

## Maintenance

### Update Seal Images

1. Convert new SVG to PNG: `./scripts/tools/convert-svg-to-png.sh`
2. Upload to Azure: `./scripts/deploy/upload-seals-to-azure.sh`
3. Update manifests: `./scripts/deploy/update-manifest-seal-urls.sh`

### Monitor Usage

```bash
az storage account show-usage \
  --name <storage-account> \
  --resource-group <resource-group>
```

### Cost Optimization

- Use LRS for dev/stage (lower cost)
- Enable CDN compression
- Set appropriate cache headers
- Monitor and optimize file sizes

## Security

- ✅ HTTPS only (CDN enforces)
- ✅ CORS configured
- ✅ Public read-only access
- ✅ No write access from public
- ✅ Storage account firewall (optional)

## Related Documentation

- [Entra VerifiedID Setup](./entra-verifiedid.md)
- [Deployment Overview](../overview.md)
- [Seal Design Guide](../../design/ORDER_SEALS_DESIGN_GUIDE.md)

---

**Note**: This guide consolidates information from multiple Azure CDN setup files. Historical setup documents have been archived in `docs/archive/deployment/azure-cdn/`.
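Step 4 and the "Update Seal Images" maintenance procedure both end with `update-manifest-seal-urls.sh` rewriting the manifest templates, and the Security checklist relies on every seal being fetched over HTTPS from the CDN. The script below is an added example, not part of the project, that checks a manifest template for any image `uri` that is not an `https://` URL on the CDN host named in this guide (`theordercdn12439.azureedge.net`): plain `http://` links and direct `*.blob.core.windows.net` links are both reported. The manifest written by `write_sample_manifest` is a constructed sample in the shape of an Entra Verified ID display definition, included only so the check runs offline.

```shell
#!/bin/sh
# Added example (not one of the project's scripts): verify that every "uri" in a
# manifest template is an HTTPS URL on the CDN host from this guide.

CDN_HOST="theordercdn12439.azureedge.net"   # CDN endpoint named in this guide

# Constructed sample manifest: one compliant URI, one plain-HTTP URI, and one
# direct blob-storage URI that should have been rewritten to the CDN.
write_sample_manifest() {
    cat > "$1" <<'EOF'
{
  "display": {
    "card": {
      "logo": { "uri": "https://theordercdn12439.azureedge.net/images/iccc-seal.png" },
      "backgroundImage": { "uri": "http://theordercdn12439.azureedge.net/images/iccc-seal.png" }
    },
    "consent": {
      "logo": { "uri": "https://theordercdn12439.blob.core.windows.net/images/iccc-seal.png" }
    }
  }
}
EOF
}

# Print every "uri" value in manifest $1, one per line.
extract_uris() {
    sed -n 's/.*"uri"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print each URI that is not https:// on $CDN_HOST; return 1 if any were found.
check_manifest_urls() {
    bad=0
    for uri in $(extract_uris "$1"); do
        case "$uri" in
            "https://$CDN_HOST/"*) ;;                 # compliant
            *) echo "$uri"; bad=1 ;;                  # http://, other host, or blob URL
        esac
    done
    return $bad
}
```

Run `check_manifest_urls path/to/manifest.json` after the update script, or loop it over all manifest templates and fail the deployment if it returns non-zero; the offending URIs are printed so the template can be corrected before the credential display references them.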