Azure Classroom Series – 01/Sept/2020

Storage account network access

  • By default a storage account is exposed over HTTP(S), and access is given through its internet-facing storage endpoints.
  • Since this endpoint is internet facing, the storage account must be secured. To do this Azure gives us two options at the network-access level:
    1. Storage firewall
    2. Service Endpoints
  • Azure also gives two options for application-level controls
    1. Access Keys
    2. Shared Access Signature

Storage Firewall

  • This controls which public IP addresses and virtual networks can access the storage account.
  • Open the storage account and select Firewall & Virtual Networks.
  • Azure lets you select the virtual networks from which the storage account can be accessed, and also provides a firewall that grants access only to specific public IP address ranges.

Virtual Network Service Endpoints

  • In some scenarios:
    • a storage account might be accessed only from within Azure, from one or a few virtual networks
    • from on-premises you might be accessing the storage account, and a VPN/ExpressRoute connection is already configured
  • You can use private endpoints for your Azure storage accounts so that clients on virtual networks (VNets) access data securely over a private link.

Blob Storage access levels

  • Blob access levels:
    • No public read access
    • Public read-only access for blobs only
    • Full public read-only access
  • Access levels can be changed from the container's configuration page.
  • Let's create a storage account and, within it, a container with no public access.
  • Upload some blobs and then try to access them over the internet.
  • Scenario: We have an application which should be able to access blobs in the container we created. This application is running on-premises. How can I give access to this application?
  • To solve this scenario we need to understand:
    • Shared Access Signature token (SAS token)
    • Access Keys
  • A SAS token is a URI query-string parameter set that grants access to specific containers, blobs, queues and tables.
  • Use a SAS token to grant access to a client that should have access to the entire contents of the storage account.
  • Generate a SAS, copy the SAS token parameter, and append it to the HTTP URI of your blob item.
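Before the generated token is handed to the on-premises application, it is worth reading what it actually grants. The following is an added example (not code from these notes or from Azure) that parses the SAS query parameters Azure Storage uses (`sv`, `ss`, `srt`, `sr`, `sp`, `st`, `se`, `spr`, `sip`, `sig`) and lists the ways a token is broader than the scenario needs: write-like permissions, a long lifetime, account-wide scope, plain HTTP, or no source-IP restriction. The sample URLs, the 24-hour lifetime policy and the `PLACEHOLDER_SIGNATURE` values are constructed for illustration; they are not valid Azure signatures.

```python
"""Audit a Shared Access Signature (SAS) token for over-broad grants.

Added example, not code from the classroom notes or from Azure. It reads the
query parameters Azure Storage uses for a SAS (sv, ss, srt, sr, sp, st, se,
spr, sip, sig) and flags settings a reviewer would question before the token
is handed to an on-premises application. Sample tokens are constructed;
their 'sig' values are placeholders, not valid Azure signatures.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters in the 'sp' parameter that can change or destroy data.
WRITE_LIKE = set("wdac")  # write, delete, add, create
# Longest token lifetime this audit accepts; a policy value chosen for the example.
MAX_LIFETIME = timedelta(hours=24)


def parse_sas(token: str) -> dict:
    """Return SAS parameters as a flat dict; accepts a full URL or a bare query string."""
    query = urlsplit(token).query if "://" in token else token.lstrip("?")
    return {key: values[0] for key, values in parse_qs(query).items()}


def _utc(value: str) -> datetime:
    """SAS times are ISO 8601 in UTC, e.g. 2020-09-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(token: str, now: datetime = None) -> list:
    """List why a token is broader than a least-privilege grant; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas(token)
    findings = []
    for required in ("sp", "se", "sig"):
        if required not in params:
            findings.append(f"malformed: missing '{required}'")
    if findings:
        return findings

    risky = set(params["sp"]) & WRITE_LIKE
    if risky:
        findings.append("grants write-like permissions: " + "".join(sorted(risky)))

    expiry = _utc(params["se"])
    if expiry <= now:
        findings.append("token has expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"lifetime exceeds {MAX_LIFETIME}: expires {params['se']}")

    # 'ss'/'srt' appear only on an account SAS, whose scope is the whole account.
    if "ss" in params or "srt" in params:
        findings.append("account SAS: scope is the whole storage account, not one container")

    # When 'spr' is omitted Azure permits both HTTPS and HTTP.
    if params.get("spr", "https,http") != "https":
        findings.append("plain HTTP is permitted (spr is not 'https')")

    if "sip" not in params:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed sample: a service SAS on one blob, read/write/delete, valid for a year, any protocol.
BROAD_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/mycontainer/report.pdf"
    "?sv=2020-02-10&sr=b&sp=rwd&st=2020-09-01T00:00:00Z&se=2021-09-01T00:00:00Z"
    "&sig=PLACEHOLDER_SIGNATURE"
)
# Constructed sample: read-only, one hour, HTTPS only, restricted to one address range.
TIGHT_SAS_QUERY = (
    "sv=2020-02-10&sr=b&sp=r&st=2020-09-01T10:00:00Z&se=2020-09-01T11:00:00Z"
    "&spr=https&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER_SIGNATURE"
)
AUDIT_TIME = datetime(2020, 9, 1, 10, 0, tzinfo=timezone.utc)  # fixed clock for repeatable output

if __name__ == "__main__":
    for label, token in (("broad", BROAD_SAS_URL), ("tight", TIGHT_SAS_QUERY)):
        print(label, audit_sas(token, now=AUDIT_TIME) or ["ok"])
```

For the on-premises application in the scenario, the tight token is the shape to aim for: read permission only, a short expiry, HTTPS only, and `sip` set to the application's public egress range. The audit does not verify `sig`, since that needs the account key; it is a review of what the token claims, which is the part a portal-generated token silently defaults to the broad end of.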
