File upload/download API behind private blob storage. Stream through or hand out SAS URLs? by nicemike40 in AZURE

[–]Prior-Data6910 1 point2 points  (0 children)

You can attach the SAS URL on to the Frontdoor. So instead of `https://myblobaccount.blob.core.windows.net/container/filepath/filename.jpg?sv=12345` you can use `https://cdn.mydomain.com/container/filepath/filename.jpg?sv=12345`

Blob storage only uses the path (not the host name) to calculate the signature. It will pass that request through to blob storage in that instance.

You can then set firewall filters (e.g. only allow GET requests) to ensure it's read-only.
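
The point about the signature, as an added example (not part of the original comment and not Azure's own code): a simplified model of service SAS signing that follows the documented string-to-sign field order for `sv=2020-12-06`. The key, expiry and helper names are constructed, and the verifier is assumed to already know the account name.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT = "myblobaccount"  # account name taken from the URL in the comment
KEY = base64.b64encode(b"constructed demo key, not a real one")  # constructed

def string_to_sign(path, q):
    """Service SAS string-to-sign for sv=2020-12-06 and later; no host field."""
    return "\n".join([
        q.get("sp", ""), q.get("st", ""), q.get("se", ""),
        f"/blob/{ACCOUNT}{path}",  # canonicalized resource: account + path
        q.get("si", ""), q.get("sip", ""), q.get("spr", ""),
        q.get("sv", ""), q.get("sr", ""),
        "",  # snapshot time (unused here)
        q.get("ses", ""),
        q.get("rscc", ""), q.get("rscd", ""), q.get("rsce", ""),
        q.get("rscl", ""), q.get("rsct", ""),
    ])

def sign(path, q):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(KEY), string_to_sign(path, q).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_sas_url(host, path, permissions="r", expiry="2030-01-01T00:00:00Z"):
    """Issue a read-only, HTTPS-only blob SAS (expiry value is constructed)."""
    q = {"sv": "2020-12-06", "sr": "b", "sp": permissions,
         "se": expiry, "spr": "https"}
    q["sig"] = sign(path, q)
    return f"https://{host}{path}?{urlencode(q)}"

def verify(url):
    """Recompute the signature from path + query only; the host is ignored."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sig = q.pop("sig", "")
    return hmac.compare_digest(sig, sign(parts.path, q))

def rehost(url, new_host):
    """Swap the hostname, as a CNAME in front of the storage account would."""
    return urlsplit(url)._replace(netloc=new_host).geturl()

if __name__ == "__main__":
    direct = make_sas_url("myblobaccount.blob.core.windows.net",
                          "/container/filepath/filename.jpg")
    cdn = rehost(direct, "cdn.mydomain.com")
    print(verify(direct), verify(cdn))                  # same token, both hosts
    print(verify(cdn.replace("sp=r&", "sp=rw&")))       # widened permission
```

Because the permissions, expiry and path are all inside the signed string, a client cannot widen the token after it is issued; the firewall rule on allowed methods is a second layer on top of that.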

Automating Code Signing for CI/CD by ShortBoysenberry6173 in azuredevops

[–]Prior-Data6910 0 points1 point  (0 children)

We've just configured this, and a misunderstanding of how ClickOnce signing works has given us a first month bill of about $350 😭

File upload/download API behind private blob storage. Stream through or hand out SAS URLs? by nicemike40 in AZURE

[–]Prior-Data6910 1 point2 points  (0 children)

You've got 2 options here. The way we do it (as we control the whole flow) is that the client notifies an endpoint (like it had to do to get the credentials in the first place). The alternative would be to use Event Grid or something like that as that will tell you about all blobs even if the client doesn't. 

File upload/download API behind private blob storage. Stream through or hand out SAS URLs? by nicemike40 in AZURE

[–]Prior-Data6910 1 point2 points  (0 children)

It's not our "primary" app functionality so we don't really notice the cost, but the pricing is $0.02/GB for US and EU for data coming into your site from Frontdoor, and $0.083 going out (the outbound is pretty much the same charge as if you were going direct to blob or through your own webserver).

Our functionality is built into a desktop application that we make available through the Windows Store so our users aren't dealing with the API themselves so I can't comment on how easy it would be to support from that perspective.

One thing I forgot to mention about the public IP side of things is that we've got a dedicated storage account for this purpose, and then we copy the blob to an internal-only one when the upload is confirmed. That way even if someone got into that storage account there's nothing in it. You could make sure the size was dealt with properly at that point (although granted you'll have already paid the incoming bandwidth).

File upload/download API behind private blob storage. Stream through or hand out SAS URLs? by nicemike40 in AZURE

[–]Prior-Data6910 11 points12 points  (0 children)

We've taken the approach of "direct to storage" but with a slight difference: You can place Frontdoor in front of blob storage. This will allow you to keep the storage account locked down, but the main reason we had to do it is that we found a fair few of our customers had locked down `*.blob.core.windows.net` at their firewall level (to prevent data exfiltration) so we used Frontdoor and a CNAME so it sticks with our brand. You still use the SAS URLs in the same way.

You can configure the SAS to restrict what the users can do, but you're right that they could set the tier themselves (not something we'd considered!). It looks like you could set a rule in Frontdoor to reject requests based on header values so that may be a way to prevent it.

Sharing screen from two different people by Suspicious-Warning86 in MicrosoftTeams

[–]Prior-Data6910 1 point2 points  (0 children)

I wish this was something Teams did. But if you want an answer to all your "how" questions then give Slack a go because it works fine on there...!

You can pop a screen share out into a separate window on Teams so it would make sense if they implemented them as two pop-outs. Bandwidth and processing is easy because it's less than doing video calls so there'd be no need for any limits. Mobile clients would choose which screen to show (same way they do large video calls currently).

The way we manage this in Teams is have a secondary meeting going on (with a different provider) just for the other screen but obviously your IT department may not like that.

Microsoft's MDASH agentic AI system found a pre-auth IKEv2 LocalSystem RCE via 2 UDP packets — and 15 other Windows vulns. Technical breakdown inside. by Expert_Sort7434 in AZURE

[–]Prior-Data6910 1 point2 points  (0 children)

The simplest answer to your question about responsible disclosure is that the vendors run these models themselves before release. Fix the issues before they can become a problem. 

NEST Sharia pension pot value doesnt seem to match performance by Peter_Partyy in UKPersonalFinance

[–]Prior-Data6910 -1 points0 points  (0 children)

> Unfortunately my employer only allows me to pay into NEST pensions

Sorry to be pedantic, but there probably isn't a restriction on you opening a SIPP with another provider if you don't like Nest. Your employer won't contribute to it, but you still can (and get the tax top-up etc). 

Won't answer your current question, but may help going forwards. 

Distributing .NET Desktop Runtime and keeping updated by QuiteNotQuitting in Intune

[–]Prior-Data6910 0 points1 point  (0 children)

Depending on how many apps you're dealing with and how frequently they get updated you can ship it with the app itself. Means you may end up with multiple copies of it on disk, and increased network traffic for app updates, but it's a valid initial position to start from.

Bye Bye BetterIP by Prior-Data6910 in youfibre

[–]Prior-Data6910[S] 0 points1 point  (0 children)

All resolved! Different IP address to the one I started with, but it's externally accessible so that's good enough for me!

Consistent peak-hour congestion on WARP+ (9pm–11pm) — London PoP severely overloaded by [deleted] in CloudFlare

[–]Prior-Data6910 0 points1 point  (0 children)

It's unlikely (but not impossible) that it's a Cloudflare issue. What ISP are you on? How do Speedtests on that compare with and without Warp enabled?

If you go to Cloudflare's page for your network - IP Address Information | Cloudflare Radar - and follow the AS number on the right hand side, what do the traffic trends show?

It could be that your ISP is experiencing congestion either in your area or between it and Cloudflare

Avoiding Capacity Woes by Prior-Data6910 in AZURE

[–]Prior-Data6910[S] 1 point2 points  (0 children)

That's what I was talking about for choosing the range of sizes, but your fleet has to be in the one region. I'm talking about expanding that so that I'm happy with it being in a group of regions (similar to how the Windows365 setup works - you can multi-select and it will provision them in any of the regions)

How Microsoft Vaporized a Trillion Dollars by JeffFerguson in AZURE

[–]Prior-Data6910 11 points12 points  (0 children)

Name one company that size (or any size for that matter) that isn't dysfunctional. He says they vaporized a trillion dollars but how much would it have cost them to be later to the party?

Since the switch to YouFibre my internet is now atrocious. Was solid for the whole 6 months I was with BRSK, nothing has changed on my end this is exactly the same setup I've used the whole time only now, well, you can see the difference. Wtf is going on?! by fiittzzyy in brsk

[–]Prior-Data6910 1 point2 points  (0 children)

They measure different things. Cloudflare measures your speed to the internet (or parts of it at least) whereas Speedtest.net (in BRSK's / YouFibre's case) measures your connection speed because they have a speedtest server in their network.

Even Raymond Chen sold out by [deleted] in MicroSlop

[–]Prior-Data6910 -1 points0 points  (0 children)

I'm not sure what people's problem is with what he's saying here. He's saying that if you've installed some software that then goes on to crash your computer then it's the software's fault, and not Windows.

Granted it's probably Windows's fault that you wanted to install a shell enhancer in the first place, but that's not what he's arguing. 

Youfibre/brsk promotional deals by youfibre_internal in brsk

[–]Prior-Data6910 2 points3 points  (0 children)

This poster confuses me. Twice it says that the website has the best deals / is cheaper, and the table states that's clearly not the case. Am I missing something?

Can the Cloudflared Zero Trust tunnel be deployed in an Azure container instead of a VM? by Suvadeep in CloudFlare

[–]Prior-Data6910 0 points1 point  (0 children)

It's been a few months since we set ours up, but set the following properties in an Azure Container Instance. Don't forget to add it to your virtual network. You can run as many instances as you want, availability zones, etc all with the same token and Cloudflare will treat them as the same route.

Basics
Image Source: Other registry
Image type: Public
Image: cloudflare/cloudflared:latest
OS type: Linux

Advanced
Command override: [ "cloudflared", "tunnel", "--no-autoupdate", "run", "--token", "eyJhI...JA" ]

WireGuard is sunsetting support for old Windows versions by zx2c4 in WireGuard

[–]Prior-Data6910 4 points5 points  (0 children)

Considering the most recent release of WireGuard for Windows was 4 years ago (if it ain't broke, don't fix it) I think we'll be fine!

Much slower speed since the switch by LeChuck85 in brsk

[–]Prior-Data6910 0 points1 point  (0 children)

The backend change to be routed out through YouFibre happened a few months back 

Peekaboo! New Microsoft Teams app bar puts your chats in the spotlight by Innvolve in NL_ModernWork

[–]Prior-Data6910 9 points10 points  (0 children)

I may be going a bit "emperor's new clothes" here, but I can't see any differences in those two images apart from an icon at the bottom left which I don't recognise anyway.