I recently migrated a rather large website to Azure.
I know it is not the best practice, but the site is configured to store confidential files within the content folder, which was configured as deny all in IIS.
However, when I try to add a web.config in said folder, Azure just ignores the deny entry when accessing files directly. I have tried different combinations of configs, nothing gives.
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</security>
</system.webServer>
and
<security>
<ipSecurity allowUnlisted="false">
</ipSecurity>
</security>
However, if I upload an invalid web.config to the folder, the site throws an error and nothing is served.
You are going to have to move those files off the instance and put them somewhere else (blob storage is a good choice).
What you are doing won’t work well at all in a web farm scenario. Storing files on a single instance for a web site is unworkable for webfarms without some really crazy workarounds. Although you could technically do this with a single persistent VM, you won’t have a very scalable website running on a single instance.
Copy the files into blob storage and replace the direct calls to them with a method that checks security first and then streams and/or generates a SAS signature for the blob in storage.