Storage account network access
- By default a storage account is exposed over HTTP(S) through its internet-facing storage endpoints
- Since this endpoint is internet facing, the storage account must be secured. To do this Azure gives us two options at the network-access level:
  - Storage firewall
  - Service Endpoints
- Azure also gives two options for application-level controls:
  - Access Keys
  - Shared Access Signature
- The storage firewall controls which IP addresses and virtual networks can access the storage account
- Open the storage account & select Firewall & Virtual Networks
- Azure lets you select the virtual networks from which the storage account can be accessed, and the firewall restricts public access to specific public IP address ranges only.
Virtual Network Service Endpoints
In some scenarios,
- a storage account might be accessed only from within Azure, from one or a few virtual networks
- from on-premises you might be accessing the storage account, and a VPN / ExpressRoute is already configured
You can use private endpoints for your Azure storage accounts so that clients on virtual networks (VNets) can securely access data over a private link
Blob Storage access levels
- Let's write down the access levels:
  - No public read access
  - Public read-only access for blobs only
  - Full public read-only access
- Changing access levels can be done from the configuration page
- Let's create a storage account and, within it, create a container with no public access.
- Upload some blobs and then try to access them over the internet
- Scenario: We have an application which should be able to access blobs in the container we created. This application is running on-premises. How can I give access to this application?
- To solve this scenario we need to understand:
  - Shared Access Signature Token (SAS token)
  - Access Keys
- A SAS token is a URI query string parameter that grants access to specific containers, blobs, queues and tables.
- Use a SAS token to grant access to a client that should have access to the entire contents of the storage account.
- Generate a SAS, copy the SAS token parameter and append it to the HTTP URI of your blob item
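As an added example (not part of these notes, and not Azure SDK code), the following Python mints a read-only, short-lived service SAS for one blob with the account key and appends it to the blob URI, then checks that the token is HTTPS-only, read-only and short-lived before it is handed to the on-premises application. The account name, key and blob names are constructed placeholders; the string-to-sign layout is assumed to follow the documented service SAS format for API version 2018-11-09, so verify it against the current reference before relying on it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2018-11-09"  # assumption: string-to-sign layout documented for this version
DEMO_KEY = base64.b64encode(b"\x00" * 64).decode()  # constructed placeholder, not a real key


def _iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_blob_sas(account, key_b64, container, blob, permissions="r",
                  ttl_minutes=15, https_only=True, now=None):
    """Build the query parameters of a service SAS scoped to a single blob."""
    now = now or datetime.now(timezone.utc)
    start = _iso(now - timedelta(minutes=5))   # small clock-skew allowance
    expiry = _iso(now + timedelta(minutes=ttl_minutes))
    protocol = "https" if https_only else "https,http"
    resource = f"/blob/{account}/{container}/{blob}"  # canonicalized resource
    # Field order is fixed: permissions, start, expiry, resource, identifier, IP,
    # protocol, version, resource type, snapshot time, five response-header overrides.
    string_to_sign = "\n".join([permissions, start, expiry, resource, "", "",
                                protocol, SAS_VERSION, "b", "", "", "", "", "", ""])
    key = base64.b64decode(key_b64)  # the account access key signs; it is never sent
    sig = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": start,
            "se": expiry, "spr": protocol, "sig": base64.b64encode(sig).decode()}


def blob_url_with_sas(account, container, blob, sas):
    """Append the SAS token to the blob URI, as the notes describe."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(sas)}"


def sas_is_tight(sas, max_hours=24):
    """Defender's check: read-only, HTTPS-only and short-lived."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = datetime.strptime(sas["st"], fmt)
    expiry = datetime.strptime(sas["se"], fmt)
    return (sas["sp"] == "r" and sas["spr"] == "https"
            and expiry - start <= timedelta(hours=max_hours))


if __name__ == "__main__":
    sas = make_blob_sas("examplestorage", DEMO_KEY, "private-container", "report.pdf")
    print(blob_url_with_sas("examplestorage", "private-container", "report.pdf", sas))
    print("tight:", sas_is_tight(sas))
```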