DEV Community

Cover image for Providing Private Storage for Internal Company Documents using Microsoft Azure
Onyemachi Doris
Onyemachi Doris

Posted on

Providing Private Storage for Internal Company Documents using Microsoft Azure

Table of Contents

  • Introduction
  • Features of a Private Storage Account
  • Benefits of Private Storage Accounts
  • Use Cases for Private Storage
  • Azure Storage Redundancy Options
  • Azure Storage Access Tiers
  • Step-by-Step Guide to Creating a Private Storage Account
  • Conclusion

Introduction

A private storage account is a storage account that is only accessible through private endpoints within a Virtual Network (VNet), protecting it from public network access. This method adds an extra degree of security by guaranteeing that your storage resources such as blobs, files, tables, or queues are separated from the public internet.

Features of a Private Storage Account

Private Endpoint Integration: A private storage account's connection with private endpoints is one of its primary features. Private Endpoints give the storage account a private IP address from the virtual network, limiting access to that address exclusively. All communication between the storage account and the client (or application) is kept completely inside Azure's secure backbone network, keeping it hidden from the general public.

Public Access Restriction: Access to the public network is completely disabled. The private endpoint or the VNet is used for all storage account access. No public IP addresses are associated with the account which enhances security and minimizes attack surfaces.

Enhanced Security and Compliance: By guaranteeing that data never passes across public networks, private endpoints allow you to comply with stringent regulatory and compliance standards. Additionally, security measures such as encryption, Azure Active Directory (AAD) integration, and role-based access control (RBAC) further secures the data.

Network Security: You can configure the storage account to allow access only from specific subnets or through network security groups (NSGs) for further control over inbound and outbound traffic. Azure Firewall or third-party security appliances can also be integrated into the VNet for enhanced threat protection.

Benefits of Using Private Storage Accounts

Data Isolation: The hazards associated with public access are eliminated because data can only be accessed from within the private VNet or designated IP ranges.

Reduced Attack Surface: Since the storage account does not have a public endpoint, it reduces the potential attack vectors, especially from internet-based threats.

Compliance: Private storage accounts ensure that sensitive data is only available through private networks, helping to comply with a variety of industrial laws that need restricted data access.

VNet Integration: Building safe hybrid architectures with deep VNets integration enables on-premises systems to safely access Azure storage resources over VPN or ExpressRoute connections.

Some Use Cases for Private Storage Accounts

Enterprise Applications with Sensitive Data: Assuming an organization needs to store confidential business data (e.g., financial records, internal documents) securely and restrict access to its virtual network. A private storage account will help to achieve this because it ensures that sensitive data is isolated from public access and only available within the organization's network, reducing exposure to external threats.

Hybrid Cloud Architecture: For example, if a company with on-premises infrastructure wants to extend its storage capabilities into Azure for better scalability while maintaining secure access to the cloud from on-premises systems. They can use private storage accounts with Azure VPN or ExpressRoute to seamlessly extend its data storage to the cloud without exposing it to the public internet.

Secure Backup and Disaster Recovery: If a business needs a reliable and secure cloud backup solution that ensures their critical backups (e.g., database backups, application data) remain inaccessible to unauthorized use. By storing backups in a private storage account, the data is securely isolated from public networks, reducing the risk of data breaches. It also provides peace of mind for disaster recovery scenarios.

Azure Storage Redundancy Options

Azure Storage accounts offer several redundancy options to ensure durability, availability, and disaster recovery. They are;

Locally Redundant Storage (LRS): This replicates data three times within a single data center in one region. It provides high durability but no cross-region replication.

Zone-Redundant Storage (ZRS): The zone-redundant storage replicates data synchronously across three different Azure availability zones within a single region, providing high availability in case of zone failures.

Geo-Redundant Storage (GRS): Geo-redundant storage replicates data across two geographically separate regions, providing durability even in the event of a regional outage. It replicates data three times within the primary region and then asynchronously to a secondary region.

Geo-Zone Redundant Storage (GZRS): Combines the advantages of ZRS and GRS by replicating data synchronously across zones in the primary region and asynchronously to another region for additional redundancy.

Azure Storage Access Tiers

Azure Blob Storage supports different access tiers to optimize storage costs based on how frequently the data is accessed. They include;

Hot Tier: The hot tier is optimized for data that is accessed frequently. It has higher storage costs but lower access costs.

Cool Tier: This is best suited for infrequently accessed data, such as backups or older data. It has lower storage costs but higher access costs compared to the Hot tier.

Archive Tier: This tier is ideal for data that is rarely accessed and can tolerate high latency for retrieval (hours). It has the lowest storage costs, but access requires a rehydration process.

Step-by-Step Guide to Creating a Private Storage Account

Assuming a company needs storage with high availability for their offices and departments. This content is private to the company and shouldn’t be shared without consent. Additionally, the company wants to use this storage account to back up their public website. A step-by-step guideline of how to achieve this is illustrated as follows;

Step 1: Create a storage account for the internal private company documents and configure high availability.

  • In the Azure portal, search for and select Storage accounts.

Image description

  • Select + Create.

Image description

  • Select the Resource group created in the previous lab (refer to my previous post).

  • Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.

  • Select Review, and then Create the storage account.

Image description

  • Wait for the storage account to deploy, and then select Go to resource.

Image description

Because this storage account requires high availability in case there’s a regional outage, read access in the secondary region is not required. The appropriate level of redundancy is configured below.

  • In the storage account, in the Data management section, select the Redundancy blade.

  • Ensure Geo-redundant storage (GRS) is selected.

  • Refresh the page.

  • Review the primary and secondary location information.

  • Save your changes.

Image description

Step 2: Create a storage container, upload a file, and restrict access to the file.

Create a private storage container for the corporate data.

  • In the storage account, in the Data storage section, select the Containers blade.

  • Select + Container.

Image description

  • Ensure the Name of the container is private.

  • Ensure the Public access level is Private (no anonymous access).

  • As you have time, review the Advanced settings, but take the defaults.

  • Select Create.

Image description

For testing, upload a file to the private container. The type of file doesn’t matter. A small image or text file is a good choice. Test to ensure the file isn’t publicly accessible.

  • Select the container.

Image description

  • Select Upload.

Image description

  • Browse to files and select a file.

  • Upload the file.

Image description

  • Select the uploaded file.

  • On the Overview tab, copy the URL.

Image description

  • Paste the URL into a new browser tab.

  • Verify the file doesn’t display and you receive an error.

Image description

An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

  • Select your uploaded blob file and move to the Generate SAS tab.

Image description

  • In the Permissions drop-down, ensure the partner has only Read permissions.

  • Verify the Start and expiry date/time is for the next 24 hours.

Image description

  • Select Generate SAS token and URL.

  • Copy the Blob SAS URL to a new browser tab.

Image description

  • Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded.

Image description

Step 3: Configure Storage Access Tiers and Content Replication.

To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

  • Return to the storage account.

  • In the Overview section, notice the Default access tier is set to Hot.

Image description

  • In the Data management section, select the Lifecycle management blade.

  • Select Add rule.

Image description

  • Set the Rule name to movetocool.

  • Set the Rule scope to Apply rule to all blobs in the storage account.

  • Select Next.

Image description

  • Ensure Last modified is selected.

  • Set More than (days ago) to 30.

  • In the Then drop-down select Move to cool storage.
    Image description

  • As you have time, review other lifecycle options in the drop-down.

  • Add the rule.

Image description

The public website files need to be backed up to another storage account.

  • In your storage account, create a new container called backup.

  • Use the default values. Refer back to the previous post if you need detailed instructions.

Image description

  • Navigate to your publicwebsite storage account. This storage account was created in the previous post.

  • In the Data management section, select the Object replication blade.

  • Select Create replication rules.

Image description

  • Set the Destination storage account to the private storage account.

  • Set the Source container to public and the Destination container to backup.

Image description

  • Create the replication rule.

Image description

Optionally, as you have time, upload a file to the public container. Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup folder.

Image description

Conclusion

Private storage accounts provide the ideal solution for businesses and organizations that need to ensure secure and private access to their data. It delivers improved security, compliance, and control over data while utilizing the scalability and flexibility of Azure cloud storage.

Don't forget to like, comment, share and subscribe!

Top comments (0)