d-bis/the_order
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
the_order/docs/deployment/azure/cdn-setup.md
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone 
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00

5.0 KiB
Raw Permalink Blame History

Azure CDN Setup for Credential Seals

Last Updated: 2025-01-27
Status: Complete and Operational

Overview

Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images. This setup provides high-performance, globally distributed hosting for credential images used in Entra VerifiedID credentials.

Quick Start

One-Command Setup:

./scripts/deploy/setup-azure-cdn-complete.sh

This automates:

  1. Azure quota checking
  2. Infrastructure creation (Storage Account, Container, CDN Profile, Endpoint)
  3. File upload (all seal PNG files)
  4. Manifest URL updates

Prerequisites

  1. Azure CLI installed

    # Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

  2. Logged in to Azure

    az login
az account set --subscription <subscription-id>

  3. Required Permissions

    • Contributor or Owner role on subscription
    • Storage Account Contributor
    • CDN Contributor

Architecture

Azure Subscription
├── Resource Group: theorder-rg-dev
├── Storage Account: theordercdn12439 (or similar)
│   └── Container: images (public blob access)
├── CDN Profile: theorder-cdn-dev-profile
│   └── CDN Endpoint: theorder-cdn-dev-endpoint
│       └── Origin: Storage Account blob endpoint

Manual Setup Steps

Step 1: Check Azure Quotas

./infra/scripts/azure-check-cdn-quotas.sh

This checks:

  • Storage accounts quota
  • CDN profiles quota
  • CDN endpoints quota
  • Resource group limits

Step 2: Create Infrastructure

./infra/scripts/azure-cdn-setup.sh

This creates:

  • Storage account with public blob access
  • Storage container named "images"
  • CDN profile (Standard_Microsoft SKU)
  • CDN endpoint pointing to storage account

Step 3: Upload Seal Images

./scripts/deploy/upload-seals-to-azure.sh

Uploads all PNG seal files to the storage container.

Step 4: Update Manifest URLs

./scripts/deploy/update-manifest-seal-urls.sh

Updates all manifest templates with CDN URLs.

Configuration

Storage Account Settings

  • Account Tier: Standard
  • Replication: LRS (dev/stage), GRS (production)
  • Public Access: Enabled (for CDN)
  • TLS Version: TLS 1.2 minimum

CDN Settings

  • SKU: Standard_Microsoft
  • HTTPS: Enabled
  • Compression: Enabled
  • Caching: Optimized for static content

CORS Configuration

az storage cors add \
  --services b \
  --methods GET HEAD \
  --origins "*" \
  --allowed-headers "*" \
  --exposed-headers "*" \
  --max-age 3600

URLs

Direct Blob Storage URL

https://<storage-account>.blob.core.windows.net/images/<seal-file>.png

CDN URL (Recommended)

https://<cdn-endpoint>.azureedge.net/images/<seal-file>.png

Current Configuration

  • Storage Account: theordercdn12439
  • CDN Endpoint: theordercdn12439.azureedge.net
  • Base URL: https://theordercdn12439.blob.core.windows.net/images/

Seal Files

Available Seals

  1. digital-bank-seal.png - Digital Bank of International Settlements
  2. iccc-seal.png - International Criminal Court of Commerce
  3. iccc-provost-marshals-seal.png - ICCC Provost Marshals
  4. diplomatic-security-seal.png - Diplomatic Security Service
  5. legal-office-seal.png - Legal Office of the Master

File Sizes

  • 200x200px: For credential logos (default)
  • 400x400px: High-resolution displays
  • 800x800px: Print/embossing

Troubleshooting

CDN Not Propagating

  • CDN propagation can take 10-60 minutes
  • Use direct blob URL as fallback
  • Check CDN endpoint status: az cdn endpoint show

Access Denied

  • Verify container access type is "blob" (public)
  • Check storage account public access is enabled
  • Verify CORS configuration

Quota Exceeded

  • Review quota report: azure-cdn-quota-report.txt
  • Request quota increase via Azure portal
  • Consider using existing storage account

Maintenance

Update Seal Images

  1. Convert new SVG to PNG: ./scripts/tools/convert-svg-to-png.sh
  2. Upload to Azure: ./scripts/deploy/upload-seals-to-azure.sh
  3. Update manifests: ./scripts/deploy/update-manifest-seal-urls.sh

Monitor Usage

az storage account show-usage \
  --name <storage-account> \
  --resource-group <resource-group>

Cost Optimization

  • Use LRS for dev/stage (lower cost)
  • Enable CDN compression
  • Set appropriate cache headers
  • Monitor and optimize file sizes

Security

  • HTTPS only (CDN enforces)
  • CORS configured
  • Public read-only access
  • No write access from public
  • Storage account firewall (optional)

Related Documentation

Note: This guide consolidates information from multiple Azure CDN setup files. Historical setup documents have been archived in docs/archive/deployment/azure-cdn/.

Reference in New Issue View Git Blame Copy Permalink