Accessing public images from Content Hub might fail with the following error when using a CDN on top of Sitecore Content Hub CDN:
A network error occurred
Access denied
You do not have access to
[your_website]
The site owner might have set restrictions that prevent you from accessing the site.
...
Error 1000: DNS points to prohibited IP
For example, when an end user sends a request to the Content Hub endpoint, the CDN provider checks whether the request has already been cached. If not, the request is forwarded to Sitecore's CDN, and the originating IP address is replaced with an IP address of the CDN provider used by the customer. When the request reaches Sitecore's perimeter security tool, the tool checks the validity of the request. If the request is found to be malicious, the tool blocks the IP address that sent it. In this case, because the originating IP has been replaced by the intermediate CDN IP, the IP of the CDN provider gets blocked. Consequently, all requests coming from this CDN provider IP no longer have access to Content Hub. These can include malicious requests as well as valid requests originating from our customers.
As a solution, consider creating your own custom rules and make sure the X-Forwarded-For header is included in the headers of the forwarded requests. The header must be populated with the client's originating IP. Note that the X-Forwarded-For configuration must be in place by default whenever a CDN sits on top of Content Hub, not only when the issue occurs.
The configuration must take place on the custom CDN side, and it is recommended to consult with your internal security team on how to put these changes in place.
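The blocking behaviour described above can be reproduced with a small model. This is an added example, not Sitecore code: the perimeter logic is a simplified assumption (block the IP a malicious request is attributed to, then deny that IP), and the IP addresses, traffic list and function names are constructed for illustration.

```python
import ipaddress

CDN_EDGE_IP = "203.0.113.10"  # constructed: customer's CDN edge address

# Constructed traffic: (client IP, request is malicious?)
TRAFFIC = [
    ("198.51.100.7", False),
    ("192.0.2.66", True),
    ("198.51.100.7", False),
    ("198.51.100.8", False),
]


def forward(client_ip, set_xff):
    """What the customer CDN sends on: the peer is always the CDN edge."""
    headers = {"X-Forwarded-For": client_ip} if set_xff else {}
    return CDN_EDGE_IP, headers


def attributed_ip(peer_ip, headers):
    """IP the perimeter model holds responsible for the request."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer_ip  # header missing or malformed: fall back to the peer


def simulate(set_xff):
    """Return (blocked IPs, per-request outcomes) for TRAFFIC."""
    blocked, outcomes = set(), []
    for client_ip, malicious in TRAFFIC:
        peer, headers = forward(client_ip, set_xff)
        source = attributed_ip(peer, headers)
        if source in blocked:
            outcomes.append("denied")    # earlier block now hits this request
        elif malicious:
            blocked.add(source)
            outcomes.append("blocked")
        else:
            outcomes.append("served")
    return blocked, outcomes


if __name__ == "__main__":
    for set_xff in (False, True):
        print("X-Forwarded-For set:", set_xff, *simulate(set_xff))
```

Without the header, the single malicious request gets the CDN edge IP blocked and every later valid request is denied; with the header populated, only the offending client IP is blocked.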