Microsoft Azure Docs

Networking for Azure Storage Blobs

This document provides a comprehensive overview of networking options and best practices for securing and optimizing access to your Azure Storage blobs.

Overview

Azure Blob Storage offers several ways to control network access to your storage accounts, ensuring data privacy and security. These options range from public access to highly restrictive private endpoints.

Key Networking Features

  • Public Access: Allows anonymous read access to blob data. This is generally not recommended for sensitive data.
  • Firewalls and Virtual Networks: Restrict access to your storage account based on IP addresses or virtual network subnets.
  • Service Endpoints: Let you allow traffic from specific virtual network subnets; that traffic reaches your storage account over a secure path on the Azure backbone network rather than the public internet.
  • Private Endpoints: Provide a unique private IP address for your storage account within your virtual network, allowing clients on your virtual network to access storage accounts as if they were on-premises. This is the most secure option for private access.
  • Shared Access Signatures (SAS): Provide limited, time-bound, and granular access to individual blobs or containers without exposing account keys.

Configuring Network Access

You can configure network access settings through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

Using Azure Portal

Navigate to your storage account in the Azure portal. Under the "Security + networking" section, you will find options for:

  • Firewalls and virtual networks: Configure allowed IP addresses and VNets.
  • Private endpoint connections: Manage private endpoints.

Using Azure CLI

Here's an example of how to set up a firewall rule using Azure CLI. The first command switches the account to deny-by-default while keeping the Logging and Metrics bypass so diagnostic traffic still flows; the second adds a single trusted client address:

# Deny all network access by default; only the exceptions listed below are allowed.
az storage account update \
    --name <storage-account-name> \
    --resource-group <resource-group-name> \
    --default-action Deny \
    --bypass Logging Metrics

# Allow one trusted public IP address. Azure does not accept /31 or /32 ranges,
# so a single host is written without a prefix length.
az storage account network-rule add \
    --account-name <storage-account-name> \
    --resource-group <resource-group-name> \
    --ip-address 203.0.113.5

Using Private Endpoints

Private endpoints create a direct, secure connection from your virtual network to your storage account. This ensures that traffic between your virtual network and the storage account does not traverse the public internet.

To create a private endpoint:

  1. Go to your storage account in the Azure portal.
  2. Under "Security + networking," select "Private endpoint connections."
  3. Click "+ Private endpoint."
  4. Fill in the required details, including your subscription, resource group, region, name, and select "Microsoft.Storage/storageAccounts" for the resource type.
  5. On the "Resource" tab, select your storage account and the "Blob" sub-resource.
  6. On the "Virtual Network" tab, select your virtual network and subnet. You can choose to integrate with a private DNS zone for name resolution.
  7. Review and create the private endpoint.

Best Practices

  • Default to Deny: Configure your storage account firewall to deny all network access by default and then explicitly allow access from trusted IP addresses or virtual networks.
  • Use Private Endpoints: For maximum security, use private endpoints to ensure traffic stays within the Azure backbone network.
  • Leverage Service Endpoints: Service endpoints provide a secure and direct path from your VNet to Azure Storage, while still allowing access from authorized on-premises IP addresses.
  • Minimize Public Access: Avoid enabling public access unless absolutely necessary, and even then, use appropriate security measures like SAS tokens.
  • Regularly Review Access Rules: Periodically review your firewall rules, service endpoint configurations, and private endpoint connections to ensure they align with your current security requirements.
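A small audit that applies the "Default to Deny", "Minimize Public Access" and "Regularly Review Access Rules" practices to the JSON that `az storage account show` prints. This is an added example, not Azure's own tooling; the field names (networkRuleSet, ipAddressOrRange, publicNetworkAccess, allowBlobPublicAccess) and the /24 width limit are assumptions, and both account documents are constructed samples.

```python
"""Audit an Azure Storage account's network ACLs for permissive settings.
Input is the JSON printed by `az storage account show`; the field names used
(networkRuleSet, ipAddressOrRange, publicNetworkAccess, ...) are assumed."""
import ipaddress
import json

WIDEST_ALLOWED_PREFIX = 24  # assumed policy: no IP rule wider than a /24
# Constructed samples, not real account output.
PERMISSIVE = json.dumps({
    "name": "examplesa", "allowBlobPublicAccess": True,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Allow", "bypass": "AzureServices",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.0.0/16"},
                    {"action": "Allow", "ipAddressOrRange": "198.51.100.7"}],
        "virtualNetworkRules": []}})
HARDENED = json.dumps({
    "name": "examplesa", "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Deny", "bypass": "Logging, Metrics",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.5"}],
        "virtualNetworkRules": []}})


def audit(account_json: str) -> list[str]:
    """Return findings for one account; an empty list means it passes."""
    acct = json.loads(account_json)
    acl = acct.get("networkRuleSet") or {}
    findings = []
    if acct.get("allowBlobPublicAccess"):
        findings.append("anonymous (public) blob access is enabled")
    if acl.get("defaultAction", "Allow") != "Deny":
        findings.append("firewall defaultAction is not Deny")
        if acct.get("publicNetworkAccess", "Enabled") == "Enabled":
            findings.append("account is reachable from any public address")
    if "AzureServices" in (acl.get("bypass") or ""):
        findings.append("bypass includes AzureServices: trusted Microsoft "
                        "services skip the firewall; confirm that is intended")
    for rule in acl.get("ipRules") or []:
        # strict=False lets a host address written with a mask still parse
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if net.prefixlen < WIDEST_ALLOWED_PREFIX:
            findings.append(f"IP rule {net} is wider than /{WIDEST_ALLOWED_PREFIX}")
    return findings


if __name__ == "__main__":
    for label, doc in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit(doc) or ["OK"])
```

Run it against `az storage account show --name <storage-account-name> --resource-group <resource-group-name> --output json` for each account in a subscription to turn the periodic review into a repeatable check.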

Conclusion

Understanding and implementing the right network security configurations for your Azure Blob Storage is crucial for protecting your data. Azure provides a robust set of tools to manage network access effectively.