Design 1: Global Static Brand Site (Serverless)

Summary

This design hosts a "Coming Soon" or Brand website using Azure Storage (Static Website) and Azure CDN.

Topology: The Storage Account sits in a Spoke VNet (secured via Private Endpoint). Public access is restricted to the CDN only.

1. Key Design Decisions (ADR)

ADR-01: Hosting

  • Decision: Azure Storage Static Website.
  • Rationale: Cheapest option ($0.02/GB). No server patching.

ADR-02: Security

  • Decision: Private Link + CDN.
  • Rationale: Storage is not exposed to the public internet directly. Users go through CDN (Edge).

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Global User |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Browser)   |           |      (DNS Resolver)      |           |  (Content)   |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Azure CDN   |           +------------+-------------+           +------+-------+
|  (Edge)      |---------->| Private DNS Zone         |<--------->|  Storage     |
+--------------+           | (privatelink.web.core)   |           |  Account     |
                           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Private DNS Zone      |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-static-spoke (10.1.0.0/16)                           |
|   +-----------------------+                                           |
|   | Subnet: PrivateLink   |                                           |
|   | [Private Endpoint]    |                                           |
|   | (10.1.1.5)            |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v                                                       |
|   +-----------------------+                                           |
|   | Storage Account       |                                           |
|   | (Blob Service)        |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR STRATEGY                                                           |
|   +-----------------------+                                           |
|   | Storage Account (DR)  |                                           |
|   | (RA-GRS Replica)      |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Azure CDN: Caches content globally. Reduces load on Storage.
  • RA-GRS: Read-Access Geo-Redundant Storage. Allows reading from West US if East US fails.

5. Strategy: High Availability (HA)

  • CDN: 99.9% SLA.
  • Storage: 99.99% SLA.

6. Strategy: Disaster Recovery (DR)

  • Implementation: RA-GRS.
  • Process:

* Primary Region (East) goes down.

* Update CDN Origin to point to Secondary Region (West) endpoint.

7. Strategy: Backup

  • Data: Soft Delete (7 days) + Versioning.

8. Strategy: Security

  • Network: Storage Firewall set to "Deny All" except Private Endpoint.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: Excellent. Extremely cheap.
  • Operational Excellence: High.
  • Performance Efficiency: Excellent. CDN offloads traffic.

10. Detailed Traffic Flow

1. User: Requests www.contoso.com.

2. CDN: Serves from Edge Cache.

3. Miss: If cache miss, CDN requests Origin.

4. Origin: Requests Storage Account via Private Link.

5. Serve: Content returned.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group

1. Search: "Resource groups" -> + Create.

2. Subscription: Select yours.

3. Resource group: rg-design01-static.

4. Region: East US.

5. Review + create -> Create.

Phase 2: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource group: rg-design01-static.

3. Name: vnet-static-spoke.

4. Region: East US.

5. IP Addresses:

* Delete default.

* Add IPv4 address space: 10.1.0.0/16.

* Add Subnet: Name snet-privatelink, Range 10.1.1.0/24.

6. Review + create -> Create.

7. Peering:

* Go to vnet-static-spoke -> Peerings -> + Add.

* Remote virtual network: vnet-hub (from Design 5).

* Name: Spoke-to-Hub.

* Allow gateway transit: Unchecked (unless needed).

* Add.

Phase 3: Create Storage Account

1. Search: "Storage accounts" -> + Create.

2. Resource group: rg-design01-static.

3. Name: stbrandcorp[unique_id] (e.g., stbrandcorp123).

4. Region: East US.

5. Performance: Standard.

6. Redundancy: Read-access geo-redundant storage (RA-GRS).

7. Review -> Create.

Phase 4: Enable Static Website

1. Go to the new Storage Account.

2. Data management menu -> Static website.

3. Enabled: Enabled.

4. Index document name: index.html.

5. Error document path: 404.html.

6. Save.

7. Upload Content:

* Go to Containers -> $web.

* Upload a simple index.html file.

Phase 5: Secure with Private Link

1. Go to Networking -> Firewalls and virtual networks.

2. Public network access: Enabled from selected virtual networks and IP addresses.

3. Firewall: Add your Client IP (to allow you to upload/manage). Save.

4. Go to Private endpoint connections -> + Private endpoint.

5. Resource group: rg-design01-static.

6. Name: pe-storage-web.

7. Target sub-resource: web.

8. Virtual Network: vnet-static-spoke.

9. Subnet: snet-privatelink.

10. DNS integration: Yes, privatelink.web.core.windows.net.

11. Create.

Phase 6: Create Azure CDN (Standard)

1. Search: "Front Door and CDN profiles" -> + Create.

2. Select: Azure CDN Standard from Microsoft (classic).

3. Resource group: rg-design01-static.

4. Name: cdn-brand-corp.

5. Endpoint:

* Name: brand-corp-global.

* Origin type: Storage Static Website.

* Origin hostname: Select your storage account's static web URL.

6. Create.

*Note: For strict private-link-only access, you would need Azure Front Door Premium. For this design, we restrict Storage access to "Selected Networks" and allow the CDN.*
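As an added example (not part of this design document), a small offline check that compares a storage account's settings with the controls in sections 6 to 8 and Phases 3 and 5 of the runbook. The input is a constructed sample shaped like the JSON that `az storage account show` and `az storage account blob-service-properties show` return; every value in it is made up, and the private endpoint resource id is a placeholder.

```python
"""Offline check of a storage account against this design's controls (sections 6-8)."""
import json

# Constructed sample input: shapes follow `az storage account show` and
# `az storage account blob-service-properties show`; all values are made up.
ACCOUNT = json.loads("""{
  "name": "stbrandcorp123",
  "sku": {"name": "Standard_RAGRS"},
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"defaultAction": "Allow",
                     "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}]},
  "privateEndpointConnections": [{
     "privateEndpoint": {"id": "/subscriptions/<sub>/.../privateEndpoints/pe-storage-web"},
     "privateLinkServiceConnectionState": {"status": "Approved"}}],
  "primaryEndpoints": {"web": "https://stbrandcorp123.z13.web.core.windows.net/"},
  "secondaryEndpoints": {"web": "https://stbrandcorp123-secondary.z13.web.core.windows.net/"}
}""")
BLOB_PROPS = json.loads(
    '{"deleteRetentionPolicy": {"enabled": true, "days": 3}, "isVersioningEnabled": false}')


def check_storage_design(account, blob_props):
    """Return (control, finding) pairs; an empty list means the account matches the design."""
    findings = []
    # Section 6 / ADR: RA-GRS is what provides a readable secondary origin for DR.
    if account.get("sku", {}).get("name") != "Standard_RAGRS":
        findings.append(("DR", "redundancy is not RA-GRS; no read-access secondary"))
    elif not account.get("secondaryEndpoints", {}).get("web"):
        findings.append(("DR", "no secondary static-website endpoint reported"))
    # Section 8: deny by default; only the private endpoint (and admin IPs) may pass.
    if account.get("networkRuleSet", {}).get("defaultAction") != "Deny":
        findings.append(("Network", "firewall default action must be Deny"))
    if account.get("allowBlobPublicAccess", True):
        findings.append(("Network", "anonymous blob access must be disabled"))
    if not any(c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
               for c in account.get("privateEndpointConnections", [])):
        findings.append(("Network", "no approved private endpoint (expected pe-storage-web)"))
    # Section 7: soft delete for at least 7 days plus blob versioning.
    retention = blob_props.get("deleteRetentionPolicy", {})
    if not (retention.get("enabled") and retention.get("days", 0) >= 7):
        findings.append(("Backup", "soft delete must be enabled for >= 7 days"))
    if not blob_props.get("isVersioningEnabled"):
        findings.append(("Backup", "blob versioning must be enabled"))
    return findings


if __name__ == "__main__":
    for control, finding in check_storage_design(ACCOUNT, BLOB_PROPS):
        print(f"[{control}] {finding}")
```

Run against real output by replacing the two constants with the parsed JSON from the two `az` commands; the sample as written reports three findings (firewall default action, soft-delete retention, versioning).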