Azure CDN is the Microsoft Azure content delivery network that caches and serves static assets and dynamic responses from edge nodes worldwide.
Azure CDN is the Microsoft Azure content delivery network. It pulls assets from your origin (Azure Storage, App Service or any HTTP origin) and serves them from a network of edge points of presence worldwide, including multiple cities in the EU. Microsoft also offers Azure Front Door, a higher-level edge service that combines CDN, WAF, load balancing and routing.
A typical CDN request handles the visitor IP address, the HTTP user agent, the requested URL, referer, country (derived from IP geolocation) and any cookies the origin already set on your domain. Azure CDN does not on its own deposit tracking cookies, but it logs requests in diagnostic logs and metrics. The Rules Engine can transform headers or set custom cookies; those become part of your processing.
IP addresses and request metadata processed by Azure CDN are personal data under the GDPR. The activity is strictly necessary for delivering the website, so legitimate interest typically applies and no consent is required. The ePrivacy Directive only enters the picture if you deliberately configure the CDN to set cookies (e.g. session affinity, A/B test bucket), in which case the consent rules for that cookie apply.
Legitimate interest covers the strictly necessary CDN delivery. Contract performance applies when Azure CDN powers a paid product. Any non-essential cookie added via the Rules Engine needs its own basis, typically consent. Document the role of Azure CDN as a sub-processor under the Microsoft Online Services DPA.
Microsoft Azure has many EU points of presence (Amsterdam, Paris, Frankfurt, Madrid, Stockholm and more). The visitor request is normally served from the nearest PoP. However, Microsoft Corporation, headquartered in Redmond, USA, is the controller of the diagnostic data and may access logs from the US for support purposes. Transfers are covered by the EU-US Data Privacy Framework and Microsoft Online Services Standard Contractual Clauses.
Configure your Azure CDN profile to use EU regions for diagnostic logs. Enable Private Link from origin to the CDN. Avoid Rules Engine cookies unless strictly needed; if used, list them in the cookie policy. Limit access log retention to what is necessary for security and billing, ideally less than 30 days. Sign the Microsoft Online Services DPA and document the CDN in your records of processing activities.
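To check the Rules Engine cookie advice above against what the CDN actually returns, this added example (not from the original page or from Microsoft) builds a cookie inventory from captured response headers. The hostnames, cookie names, sample headers and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: response headers captured from CDN-served URLs.
# Hostnames and cookie names are made up for illustration.
CAPTURED = {
    "https://example-assets.azureedge.net/css/site.css": [
        ("Content-Type", "text/css"),
        ("Cache-Control", "public, max-age=86400"),
    ],
    "https://example-app.azurefd.net/": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "affinity=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "ab_bucket=B; Path=/; Max-Age=2592000"),
    ],
}

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes-dict)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs

def audit_cookies(captured):
    """Return one inventory row per cookie set on a CDN-served response."""
    rows = []
    for url, headers in captured.items():
        host = urlsplit(url).hostname
        for header, value in headers:
            if header.lower() != "set-cookie":
                continue
            name, attrs = parse_set_cookie(value)
            rows.append({
                "host": host,
                "cookie": name,
                # Persistent cookies outlive the browser session.
                "persistent": "max-age" in attrs or "expires" in attrs,
                "missing": [a for a in ("secure", "httponly", "samesite")
                            if a not in attrs],
            })
    return rows

if __name__ == "__main__":
    for row in audit_cookies(CAPTURED):
        print(row)
```

An empty result for a hostname means no cookie was set on the captured responses; each row that does appear is a cookie to trace back to the origin or a Rules Engine action and to list in the cookie policy.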
Websites using Azure CDN must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is typically not required for plain content delivery, but is recommended when Azure CDN routing rules or the Rules Engine alter responses based on IP or fingerprint, or when access logs are fed into a profiling pipeline.
Sample consent text
We rely on Azure CDN to deliver static assets from a fast edge node near you. No tracking cookies are set; only an IP address and a user agent are processed for routing and security. This is part of the strictly necessary delivery of the website.
Third-party domains contacted
azureedge.net
azurefd.net
msecnd.net
azurewebsites.net
By default, Azure CDN does not set tracking cookies. Any cookie returned to the user comes from your origin or from a Rules Engine action you configured (e.g. session affinity).
No, when the CDN simply delivers your website assets and processes IP addresses for routing and security, legitimate interest applies. Consent only becomes necessary if you deliberately set cookies through the Rules Engine.
Legitimate interest (Art. 6(1)(f) GDPR) for the strictly necessary delivery, or contract performance (Art. 6(1)(b) GDPR) when Azure CDN powers a paid product. Any Rules Engine cookie that goes beyond strict necessity needs its own basis, typically consent.
Microsoft Corporation is US-headquartered and may access diagnostic logs from the US for support. Transfers rely on the EU-US Data Privacy Framework and the Microsoft Online Services DPA, including Standard Contractual Clauses.
Usually not. A DPIA becomes relevant when Rules Engine rules transform content based on IP or fingerprint, or when access logs are pushed to a profiling pipeline.
Pick EU points of presence and an EU diagnostic log region, set short retention on logs, avoid Rules Engine cookies, sign the Microsoft Online Services DPA and add Azure CDN to your records of processing activities.
EU-based alternatives include OVHcloud CDN, Scaleway Edge Services, BunnyCDN (Slovenia), KeyCDN (Switzerland), Gcore (Luxembourg), Akamai EU and Cloudflare (with EU-only routing).
If you do not set Rules Engine cookies, you do not need to list Azure CDN in the cookie policy. Mention Microsoft as a sub-processor in the privacy policy and disclose the EU-US Data Privacy Framework basis for diagnostic data transfers.