Create and configure storage accounts
Configure Network Access to the Storage Account
Azure Storage offers a layered security model such that the model enables to secure the storage accounts to a specific subset of networks. Also when network rules are configured, then only applications requesting data over the specified set of networks can access a storage account. It is suggested to limit access to teh storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in Azure Virtual Networks.
The application which accesses a storage account when network rules are in effect needs proper authorization for the request. Also, authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.
How to change the default network access rule?
- By default, storage accounts accept connections from clients on any network. To limit access to selected networks, we must first change the default action.
- Managing default network access rules
- We can manage default network access rules for storage accounts through the Azure portal, PowerShell, or CLIv2.
Azure portal
- Go to the storage account that needs to secures.
- Click on the settings menu called Firewalls and virtual networks.
- In order to deny access by default, choose to allow access from Selected networks. Also to allow traffic from all networks, choose to allow access from All networks.
- Click Save to apply your changes.
PowerShell
- Install the Azure PowerShell and sign in.
- Display the status of the default rule for the storage account.
- Set the default rule to deny network access by default.
- Set the default rule to allow network access by default.
CLIv2
- Install the Azure CLI and sign in.
- Display the status of the default rule for the storage account.
- Set the default rule to deny network access by default.
- Set the default rule to allow network access by default.
How to Grant access from a virtual network?
We can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.
- Managing virtual network rules
- We can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.
Azure portal
- Go to the storage account we want to secure.
- Click on the settings menu called Firewalls and virtual networks.
- Check that you’ve selected to allow access from Selected networks.
- To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select Virtual networks and Subnets options, and then click Add. To create a new virtual network and grant it access, click Add new virtual network. Provide the information necessary to create the new virtual network, and then click Create.
- To remove a virtual network or subnet rule, to open the context menu for the virtual network or subnet, and click Remove.
- Click Save to apply your changes.
PowerShell
- Install the Azure PowerShell and sign in.
- List virtual network rules.
- Enable service endpoint for Azure Storage on an existing virtual network and subnet.
- Add a network rule for a virtual network and subnet.
- Remove a network rule for a virtual network and subnet.
CLIv2
- Install the Azure CLI and sign in.
- List virtual network rules.
- Enable service endpoint for Azure Storage on an existing virtual network and subnet.
- Add a network rule for a virtual network and subnet.
- Remove a network rule for a virtual network and subnet.
Create a Storage Account
Steps to create a storage account –
In order to create a general-purpose v2 storage account in the Azure portal, follow the following steps –
- In the Azure portal, select All services. In the list of resources, type Storage Accounts. As we begin typing, the list filters based on the input. Select Storage Accounts.
- On the Storage Accounts window that appears, choose Add.
- Select the subscription to create the storage account.
- Under the Resource group field, select Create new. Enter a name for the new resource group.
- Enter a name for the storage account. The name that we choose must be unique across Azure. Also the name must be between 3 and 24 characters in length, and can include numbers and lowercase letters only.
- Select a location for the storage account, or use the default location.
- Leave the following fields set to their default values –
Field | Value |
---|---|
Deployment model | Resource Manager |
Performance | Standard |
Account kind | StorageV2 (general-purpose v2) |
Replication | Read-access geo-redundant storage (RA-GRS) |
Access tier | Hot |
8. Select Review + Create to review your storage account settings and create the account and then select Create.
Configure the Storage Account
How to view account keys and connecting strings?
In order to view and copy the storage account access keys or connection string from the Azure portal –
- Navigate to the Azure portal.
- Locate the storage account.
- In the Settings section of the storage account overview, select Access keys. The account access keys appear, as well as the complete connection string for each key.
- Find the Key value under key1, and click the Copy button to copy the account key.
- Alternately, we can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.
Generate Shared Access Signature
Shared access signature (SAS) offers secure delegated access to resources in the storage account without compromising the security of data. With a SAS, we have granular control over how a client can access the data. Also we can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.
Types of Shared Access Signatures
The Azure Storage supports three types of shared access signatures –
- User delegation SAS (preview) – A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. In order to create a user delegation SAS, we must first request a user delegation key, which is used to sign the SAS.
- Service SAS – A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.
- Account SAS – An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.
Install and use Azure Storage Explorer
Azure Storage Explorer is defined as a standalone app which permits us to easily work with Azure Storage data on Windows, macOS, and Linux.
How to connect to storage account or service?
- In Storage Explorer, select Manage Accounts to go to the Account Management Panel.
- The left pane now displays all the Azure accounts we have signed in to. To connect to another account, select Add an account
- In order to sign into a national cloud or an Azure Stack, click on the Azure environment dropdown to select which Azure cloud we want to use. Once we have chosen the environment, click the Sign in… button.
- After successfully sign in with an Azure account, the account and the Azure subscriptions associated with that account are added to the left pane. Select the Azure subscriptions that we want to work with, and then select Apply (Selecting All subscriptions: toggles selecting all or none of the listed Azure subscriptions).
- The left pane displays the storage accounts associated with the selected Azure subscriptions.
Manage Access Keys
Steps to view and copy your storage account access keys or connection string from the Azure portal –
- Navigate to the Azure Portal.
- Locate your storage account.
- In the Settings section of the storage account overview, select Access keys. The account access keys appear, as well as the complete connection string for each key.
- Find the Key value under key1, and click the Copy button to copy the account key.
- Alternately, we can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.
Process to rotate storage account keys
- Update the connection strings in the application code to use the secondary key.
- Regenerate the primary access key for the storage account. On the Access Keys blade in the Azure portal, click Regenerate Key1, and then click Yes to confirm that want to generate a new key.
- Update the connection strings in the code to reference the new primary access key.
- Regenerate the secondary access key in the same manner.
Monitor activity log by using Log Analytics
Procedure to connect the Activity Log to your Log Analytics workspace
- From the Log Analytics workspaces menu in the Azure portal, select the workspace to collect the Activity Log.
- In the Workspace Data Sources section of the workspace’s menu, select Azure Activity log.
- Click the subscription you want to connect.
- Click Connect to connect the Activity log in the subscription to the selected workspace. If the subscription is already connected to another workspace, click Disconnect first to disconnect it.
Implement Azure storage replication
Redundancy Options in Windows Azure Storage
Windows Azure Storage offers following options for redundancy for Blobs, Tables and Queues –
- Locally Redundant Storage (LRS): All data in the storage account is made durable by replicating transactions synchronously to three different storage nodes within the same region.
- Geo Redundant Storage (GRS): This is the default option for redundancy when a storage account is created. Like LRS, transactions are replicated synchronously to three storage nodes within the primary region chosen for creating the storage account.
- Read Access – Geo Redundant Storage (RA-GRS): For a GRS storage account, we now have introduced in limited preview the ability to turn on read only access to a storage account’s data in the secondary region.