Azure Classroom Series – 01/Sept/2020

Storage account network access

  • By default a storage account is exposed over HTTP(S) on its internet-facing public storage endpoints, so anyone on the internet can reach them (authorization, not the network, is the only barrier).
  • Since these endpoints are internet-facing, access to the storage account must be restricted. Azure gives us two options at the network-access level
    1. Storage firewall
    2. Service Endpoints
  • Azure also gives two options for application-level (authorization) controls
    1. Access Keys
    2. Shared Access Signature

Storage Firewall

  • The storage firewall controls which public IP addresses and which virtual networks can reach the storage account.
  • Open the storage account and select Firewalls and virtual networks.
  • Here Azure lets you choose the virtual networks (subnets) from which the storage account can be reached, and the firewall lets you allow only specific public IP addresses or ranges. Once the default action is set to Deny, every request that does not match a rule is rejected at the network level, whatever access key or SAS token it carries.

Virtual Network Service Endpoints

  • In some scenarios:
    • a storage account should be reachable only from within Azure, from one or a few virtual networks
    • the storage account is accessed from on-premises, where a VPN or ExpressRoute connection to Azure is already configured
  • For the first case, enable the Microsoft.Storage service endpoint on the subnet and add that subnet as a virtual network rule in the storage firewall. The account keeps its public address, but traffic from that subnet is identified and allowed while everything else is denied.
  • You can also use private endpoints for your Azure storage account so that clients on a virtual network (VNet) securely access data over Private Link: the storage account gets a private IP address inside the VNet, which on-premises clients can also reach over the existing VPN or ExpressRoute connection.
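
The firewall and service-endpoint settings above are what an engineer ends up reviewing across many accounts, so here is an added example (not code from the original page) that audits the network exposure of storage accounts. It reads records shaped like the JSON that `az storage account show -o json` returns; the three sample accounts, their names, and the subscription ID are constructed for this example, and the field names (networkRuleSet.defaultAction, ipRules[].ipAddressOrRange, virtualNetworkRules[].state, allowBlobPublicAccess) follow the Azure CLI output as understood here.

```python
"""Audit the network exposure of Azure storage accounts (added example).

Reads records shaped like `az storage account show ... -o json` output and
reports findings about the storage firewall and anonymous blob access.
The sample records below are constructed for this example; they are not
from any real subscription.
"""
import ipaddress

# Constructed sample. Field names follow the Azure CLI JSON for a storage
# account; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ACCOUNTS = [
    {   # Portal defaults: firewall off, anonymous access allowed per container
        "name": "stpublicdefault",
        "allowBlobPublicAccess": True,
        "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                           "ipRules": [], "virtualNetworkRules": []},
    },
    {   # Locked down: deny by default, one office range, one subnet via service endpoint
        "name": "stlockeddown",
        "allowBlobPublicAccess": False,
        "networkRuleSet": {
            "defaultAction": "Deny", "bypass": "AzureServices",
            "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
            "virtualNetworkRules": [{
                "action": "Allow", "state": "Succeeded",
                "virtualNetworkResourceId": SUB + "/resourceGroups/rg-app/providers/"
                    "Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web"}],
        },
    },
    {   # Deny by default, but the rules undo it
        "name": "stdenybutwide",
        "allowBlobPublicAccess": False,
        "networkRuleSet": {
            "defaultAction": "Deny", "bypass": "AzureServices",
            "ipRules": [{"action": "Allow", "ipAddressOrRange": "0.0.0.0/0"},
                        {"action": "Allow", "ipAddressOrRange": "10.0.0.0/8"}],
            "virtualNetworkRules": [{
                "action": "Allow", "state": "Provisioning",
                "virtualNetworkResourceId": SUB + "/resourceGroups/rg-app/providers/"
                    "Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-batch"}],
        },
    },
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_RULE_ADDRESSES = 2 ** 16  # wider than a /16 is almost never a real client range


def audit_account(acct):
    """Return a list of {account, severity, message} findings for one account."""
    findings = []
    name = acct["name"]
    rules = acct.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    ip_rules = rules.get("ipRules") or []
    vnet_rules = rules.get("virtualNetworkRules") or []

    def add(severity, message):
        findings.append({"account": name, "severity": severity, "message": message})

    if default_action != "Deny":
        add("HIGH", "defaultAction is Allow: the public endpoint accepts requests from any "
                    "internet address, so the storage firewall is effectively off")

    for rule in ip_rules:
        raw = rule.get("ipAddressOrRange", "")
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            add("LOW", f"ip rule {raw!r} could not be parsed")
            continue
        if isinstance(net, ipaddress.IPv4Network) and any(net.subnet_of(p) for p in RFC1918):
            add("MEDIUM", f"ip rule {raw} is an RFC 1918 range, which Azure does not accept in "
                          "storage IP rules; on-premises traffic over VPN/ExpressRoute needs a "
                          "virtual network rule or a private endpoint instead")
        elif net.num_addresses > MAX_RULE_ADDRESSES:
            add("HIGH", f"ip rule {raw} admits {net.num_addresses} addresses; narrow it to "
                        "the egress/NAT addresses the clients really use")

    for rule in vnet_rules:
        if rule.get("state") != "Succeeded":
            add("MEDIUM", f"virtual network rule for {rule.get('virtualNetworkResourceId')} is in "
                          f"state {rule.get('state')!r}: the Microsoft.Storage service endpoint "
                          "is not active on that subnet yet")

    if default_action == "Deny" and not ip_rules and not vnet_rules:
        add("INFO", "defaultAction Deny with no rules: only trusted services listed in bypass "
                    f"({rules.get('bypass', 'None')}) and any private endpoints can reach the account")

    if acct.get("allowBlobPublicAccess", True):
        add("MEDIUM", "allowBlobPublicAccess is enabled: any container whose access level is "
                      "'blob' or 'container' can be read anonymously, with no key or SAS")
    return findings


def audit_all(accounts):
    """Map account name -> findings, for a list of account records."""
    return {a["name"]: audit_account(a) for a in accounts}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'no findings' if not found else ''}")
        for f in found:
            print(f"  [{f['severity']}] {f['message']}")
```

In practice the input would be the list returned by `az storage account list -o json`; the checks are deliberately ordered so that a "Deny" default action is not taken as proof of lockdown, because a single 0.0.0.0/0 rule reopens the account just as widely as "Allow".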

Blob Storage access levels

  • Container (anonymous) access levels
    • Private: no public read access
    • Blob: public read-only access for blobs only (the container listing stays private)
    • Container: full public read-only access to the blobs and the container listing
  • The access level is changed from the container's page in the portal
  • Create a storage account and, within it, a container with no public access.
  • Upload some blobs and then try to access them over the internet without credentials: the request fails, because anonymous read is off for that container.
  • Scenario: an application running on-premises should be able to read the blobs in the container just created. How do we give this application access?
  • To solve this scenario we need to understand
    • Shared Access Signature token (SAS token)
    • Access keys
  • A SAS token is a set of URI query-string parameters (permissions, validity window, allowed protocol, and an HMAC-SHA256 signature computed with an account key) that grants scoped access to specific containers, blobs, queues or tables.
  • The account access keys give full access to everything in the storage account, so hand them only to clients that genuinely need the whole account; for everything else issue a SAS scoped to the container or blob, with the minimum permissions and a short expiry. Rotating the signing key invalidates every SAS issued with it.
  • Generate a SAS, copy the SAS token parameters and append them to the HTTPS URI of your blob, e.g. https://<account>.blob.core.windows.net/<container>/<blob>?<sas-token>. Whoever holds that URL has the granted access until it expires, so treat the URL as a secret.
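
To make concrete what a SAS token is and why a leaked one is dangerous, here is an added example (not code from the original page) that mints a container-level service SAS offline and then verifies it the way the storage service would. The account name, container name and account key are constructed for this example (the key is a fixed test value, not a real credential), and the string-to-sign layout is the documented service-SAS format for sv=2020-02-10 as understood here; confirm the field order against the current Azure REST documentation before relying on it for real tokens.

```python
"""Mint and verify an Azure Blob service SAS token offline (added example).

Shows what a SAS token actually is: query-string parameters plus an
HMAC-SHA256 over them, keyed with the storage account key. The account name,
container name and key below are constructed for this example (the key is a
fixed test value, not a real credential), and the string-to-sign layout is
the documented service-SAS format for sv=2020-02-10 as understood here.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-02-10"

# Constructed sample inputs (not real credentials).
ACCOUNT = "examplestorage"
CONTAINER = "appdata"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()  # 64-byte test key, same shape as a real one


def _string_to_sign(params, canonical_resource):
    """Service-SAS string-to-sign for sv 2018-11-09 .. 2020-10-02 (fields in order)."""
    return "\n".join([
        params.get("sp", ""),      # permissions
        params.get("st", ""),      # start
        params.get("se", ""),      # expiry
        canonical_resource,        # /blob/<account>/<container>[/<blob>]
        params.get("si", ""),      # stored access policy id
        params.get("sip", ""),     # allowed IP range
        params.get("spr", ""),     # allowed protocol
        params.get("sv", ""),      # service version
        params.get("sr", ""),      # signed resource (c = container, b = blob)
        "",                        # signed snapshot time (blob snapshots only)
        params.get("rscc", ""),    # response-header overrides: Cache-Control,
        params.get("rscd", ""),    #   Content-Disposition,
        params.get("rsce", ""),    #   Content-Encoding,
        params.get("rscl", ""),    #   Content-Language,
        params.get("rsct", ""),    #   Content-Type
    ])


def _sign(key_b64, string_to_sign):
    """Base64(HMAC-SHA256(Base64Decode(key), UTF-8(string_to_sign)))."""
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_container_sas(account, container, key_b64, permissions, start, expiry):
    """Return the SAS query string for a container (HTTPS only)."""
    params = {
        "sv": SAS_VERSION,
        "sr": "c",
        "sp": permissions,   # e.g. "rl" = read + list, no write/delete
        "st": start,         # "YYYY-MM-DDThh:mm:ssZ"
        "se": expiry,
        "spr": "https",
    }
    params["sig"] = _sign(key_b64, _string_to_sign(params, f"/blob/{account}/{container}"))
    return urlencode(params)


def blob_url(account, container, blob, sas_token):
    """The URL a client would use: the SAS rides along as the query string."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{sas_token}"


def verify_container_sas(account, container, key_b64, sas_token, now):
    """Recompute the signature as the service would. Returns (ok, reason).

    `now` is an ISO timestamp like "2020-09-01T00:30:00Z".
    """
    parsed = {k: v[0] for k, v in parse_qs(sas_token, keep_blank_values=True).items()}
    if parsed.get("sr") != "c":
        return False, "not a container SAS"
    if not parsed.get("se"):
        return False, "no expiry"
    expected = _sign(key_b64, _string_to_sign(parsed, f"/blob/{account}/{container}"))
    if not hmac.compare_digest(expected, parsed.get("sig", "")):
        return False, "signature mismatch: token was altered or signed with a different key"
    current = _parse_ts(now)
    if parsed.get("st") and current < _parse_ts(parsed["st"]):
        return False, "not yet valid"
    if current >= _parse_ts(parsed["se"]):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = make_container_sas(ACCOUNT, CONTAINER, ACCOUNT_KEY, "rl",
                               "2020-09-01T00:00:00Z", "2020-09-01T01:00:00Z")
    print(blob_url(ACCOUNT, CONTAINER, "report.csv", token))
    print(verify_container_sas(ACCOUNT, CONTAINER, ACCOUNT_KEY, token, "2020-09-01T00:30:00Z"))
    # Escalating permissions in the URL breaks the signature:
    print(verify_container_sas(ACCOUNT, CONTAINER, ACCOUNT_KEY,
                               token.replace("sp=rl", "sp=rwl"), "2020-09-01T00:30:00Z"))
```

Because the signature covers the permissions, the validity window and the canonical resource path, a token cannot be widened, extended, or replayed against another container without the key. The flip side is that there is no revocation list: a leaked SAS stays valid until `se`, unless you rotate the account key it was signed with or, for tokens that reference a stored access policy (`si`), delete that policy.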
