Table of Contents
- Introduction
- Features of a Private Storage Account
- Benefits of Private Storage Accounts
- Use Cases for Private Storage
- Azure Storage Redundancy Options
- Azure Storage Access Tiers
- Step-by-Step Guide to Creating a Private Storage Account
- Conclusion
Introduction
A private storage account is a storage account that is reachable only through private endpoints inside a Virtual Network (VNet), with public network access disabled. This adds a further layer of security by ensuring that your storage resources (blobs, files, tables and queues) are kept off the public internet.
Features of a Private Storage Account
Private Endpoint Integration: Integration with private endpoints is the defining feature of a private storage account. A private endpoint gives the storage account a private IP address from the virtual network, and access is limited to that address. All traffic between the client (or application) and the storage account stays inside Azure's backbone network and is never exposed to the public internet.
Public Access Restriction: Public network access is completely disabled, so every request to the storage account arrives through the private endpoint or from within the VNet. No public IP address is associated with the account, which reduces the attack surface.
Enhanced Security and Compliance: Because data never crosses public networks, private endpoints help you meet stringent regulatory and compliance requirements. Additional controls such as encryption, Azure Active Directory (AAD) integration and role-based access control (RBAC) further secure the data.
Network Security: You can configure the storage account to accept traffic only from specific subnets, or use network security groups (NSGs) for finer control over inbound and outbound traffic. Azure Firewall or third-party security appliances can also be integrated into the VNet for additional threat protection.
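As an added example (not code from the original post), the following Python script checks a storage account's properties document, in the shape that `az storage account show` returns, against the private-account settings listed above: public network access disabled, no anonymous blob access, a firewall default action of Deny, and an approved private endpoint connection. The SAMPLE_ACCOUNT dict and its account name are constructed for this example; `hardened()` shows the same document with the weak settings corrected.

```python
"""Posture check for an Azure storage account's network settings.

Added example for this post. It inspects the kind of properties document
`az storage account show` returns and reports settings that contradict
a private (VNet-only) storage account. SAMPLE_ACCOUNT is constructed,
not taken from a real subscription.
"""

# Constructed sample: an account whose network settings are still public.
SAMPLE_ACCOUNT = {
    "name": "privateexample",  # hypothetical account name
    "sku": {"name": "Standard_GRS"},
    "publicNetworkAccess": "Enabled",
    "allowBlobPublicAccess": True,
    "networkRuleSet": {
        "defaultAction": "Allow",
        "ipRules": [],
        "virtualNetworkRules": [],
    },
    "privateEndpointConnections": [],
}


def audit_private_posture(account: dict) -> list[str]:
    """Return findings; an empty list means the account matches the
    private-storage pattern described in the post."""
    findings = []
    if account.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: the public endpoint is reachable")
    if account.get("allowBlobPublicAccess"):
        findings.append("allowBlobPublicAccess is true: containers may allow anonymous reads")
    rules = account.get("networkRuleSet", {})
    if rules.get("defaultAction") != "Deny":
        findings.append("networkRuleSet.defaultAction is not Deny: the firewall admits all networks")
    approved = [
        c for c in account.get("privateEndpointConnections", [])
        if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection: VNet clients have no private path")
    return findings


def hardened(account: dict) -> dict:
    """Return a copy of the document carrying the settings a private
    storage account should have (the endpoint entry is a placeholder)."""
    fixed = dict(account)
    fixed["publicNetworkAccess"] = "Disabled"
    fixed["allowBlobPublicAccess"] = False
    fixed["networkRuleSet"] = {
        "defaultAction": "Deny",
        "bypass": "AzureServices",
        "ipRules": [],
        "virtualNetworkRules": [],
    }
    fixed["privateEndpointConnections"] = [
        {"privateLinkServiceConnectionState": {"status": "Approved"}}  # placeholder entry
    ]
    return fixed


if __name__ == "__main__":
    for finding in audit_private_posture(SAMPLE_ACCOUNT):
        print("FINDING:", finding)
    print("after hardening:", audit_private_posture(hardened(SAMPLE_ACCOUNT)))
```

Feeding the script the real output of `az storage account show --name <account> --resource-group <group> --output json` (both names are placeholders here) lets you confirm after Step 1 below that the portal settings actually landed on the account.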
Benefits of Using Private Storage Accounts
Data Isolation: The hazards associated with public access are eliminated because data can only be accessed from within the private VNet or designated IP ranges.
Reduced Attack Surface: Since the storage account does not have a public endpoint, it reduces the potential attack vectors, especially from internet-based threats.
Compliance: Private storage accounts ensure that sensitive data is only available through private networks, helping to comply with a variety of industrial laws that need restricted data access.
VNet Integration: Deep VNet integration supports secure hybrid architectures, letting on-premises systems reach Azure storage resources safely over VPN or ExpressRoute connections.
Some Use Cases for Private Storage Accounts
Enterprise Applications with Sensitive Data: Suppose an organization needs to store confidential business data (e.g., financial records, internal documents) securely and restrict access to its virtual network. A private storage account achieves this because it isolates sensitive data from public access and makes it available only within the organization's network, reducing exposure to external threats.
Hybrid Cloud Architecture: Suppose a company with on-premises infrastructure wants to extend its storage into Azure for better scalability while keeping access from its on-premises systems secure. It can combine a private storage account with Azure VPN or ExpressRoute to extend its data storage into the cloud without exposing it to the public internet.
Secure Backup and Disaster Recovery: Suppose a business needs a reliable and secure cloud backup solution that keeps critical backups (e.g., database backups, application data) out of reach of unauthorized users. Storing the backups in a private storage account isolates the data from public networks, reducing the risk of a data breach, and gives confidence in disaster recovery scenarios.
Azure Storage Redundancy Options
Azure Storage accounts offer several redundancy options to ensure durability, availability, and disaster recovery. They are:
Locally Redundant Storage (LRS): This replicates data three times within a single data center in one region. It provides high durability but no cross-region replication.
Zone-Redundant Storage (ZRS): The zone-redundant storage replicates data synchronously across three different Azure availability zones within a single region, providing high availability in case of zone failures.
Geo-Redundant Storage (GRS): Geo-redundant storage replicates data across two geographically separate regions, providing durability even in the event of a regional outage. It replicates data three times within the primary region and then asynchronously to a secondary region.
Geo-Zone Redundant Storage (GZRS): Combines the advantages of ZRS and GRS by replicating data synchronously across zones in the primary region and asynchronously to another region for additional redundancy.
Azure Storage Access Tiers
Azure Blob Storage supports different access tiers to optimize storage costs based on how frequently the data is accessed. They include:
Hot Tier: The hot tier is optimized for data that is accessed frequently. It has higher storage costs but lower access costs.
Cool Tier: This is best suited for infrequently accessed data, such as backups or older data. It has lower storage costs but higher access costs compared to the Hot tier.
Archive Tier: This tier is ideal for data that is rarely accessed and can tolerate high latency for retrieval (hours). It has the lowest storage costs, but access requires a rehydration process.
Step-by-Step Guide to Creating a Private Storage Account
Suppose a company needs highly available storage for its offices and departments. The content is private to the company and should not be shared without consent. The company also wants to use this storage account to back up its public website. The steps to achieve this are as follows:
Step 1: Create a storage account for the internal private company documents and configure high availability.
- In the Azure portal, search for and select Storage accounts.
- Select + Create.
- Select the Resource group created in the previous lab (refer to my previous post).
- Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.
- Select Review, and then Create the storage account.
- Wait for the storage account to deploy, and then select Go to resource.
This storage account requires high availability in case of a regional outage, but read access in the secondary region is not required, so geo-redundant storage is the appropriate level of redundancy. Configure it as follows:
- In the storage account, in the Data management section, select the Redundancy blade.
- Ensure Geo-redundant storage (GRS) is selected.
- Refresh the page.
- Review the primary and secondary location information.
- Save your changes.
Step 2: Create a storage container, upload a file, and restrict access to the file.
Create a private storage container for the corporate data.
- In the storage account, in the Data storage section, select the Containers blade.
- Select + Container.
- Ensure the Name of the container is private.
- Ensure the Public access level is Private (no anonymous access).
- As you have time, review the Advanced settings, but take the defaults.
- Select Create.
For testing, upload a file to the private container. The type of file doesn't matter; a small image or text file is a good choice. Then confirm that the file isn't publicly accessible.
- Select the container.
- Select Upload.
- Browse to files and select a file.
- Upload the file.
- Select the uploaded file.
- On the Overview tab, copy the URL.
- Paste the URL into a new browser tab.
- Verify the file doesn't display and you receive an error.
An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).
- Select your uploaded blob file and move to the Generate SAS tab.
- In the Permissions drop-down, ensure the partner has only Read permissions.
- Verify that the Start and expiry date/time cover the next 24 hours.
- Select Generate SAS token and URL.
- Copy the Blob SAS URL to a new browser tab.
- Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded.
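The Blob SAS URL generated in Step 2 encodes the permissions and validity window in its query string, so the two things the steps ask you to verify (read-only permissions, a window of at most 24 hours) can be checked mechanically before the URL is handed to the partner. The script below is an added example, not code from the original post; the SAMPLE_SAS_URL, its account name, blob name and signature are constructed placeholders, and the single-blob and HTTPS-only checks are my additions beyond the steps above.

```python
"""Check a Blob SAS URL against the partner-access requirements in Step 2.

Added example for this post. It parses the SAS query string, confirms the
permission set is read-only and confirms the validity window is no longer
than 24 hours. The URL below is constructed; its signature is a placeholder.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SAMPLE_SAS_URL = (
    "https://privateexample.blob.core.windows.net/private/report.txt"
    "?sp=r&st=2024-05-01T09:00:00Z&se=2024-05-02T09:00:00Z"
    "&spr=https&sv=2022-11-02&sr=b&sig=PLACEHOLDERSIGNATURE"
)

ALLOWED_PERMISSIONS = {"r"}      # the post grants the partner read only
MAX_WINDOW = timedelta(hours=24)  # "for the next 24 hours"


def _parse_sas_time(value: str) -> datetime:
    """SAS start/expiry values are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sas_url(url: str) -> list[str]:
    """Return findings; an empty list means the SAS meets the requirements."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    # spr=https restricts the token to HTTPS; the URL itself should be https too
    if parts.scheme != "https" or query.get("spr", "https") != "https":
        findings.append("SAS is usable over plain http")

    # sp lists granted permissions as single letters (r, w, d, l, ...)
    extra = set(query.get("sp", "")) - ALLOWED_PERMISSIONS
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))

    # sr=b means the token is scoped to one blob rather than a container
    if query.get("sr") != "b":
        findings.append("SAS is not scoped to a single blob")

    try:
        start = _parse_sas_time(query["st"])
        expiry = _parse_sas_time(query["se"])
    except (KeyError, ValueError):
        findings.append("start/expiry missing or malformed")
        return findings
    if expiry <= start:
        findings.append("expiry is not after start")
    elif expiry - start > MAX_WINDOW:
        findings.append(f"validity window {expiry - start} exceeds 24 hours")
    return findings


if __name__ == "__main__":
    print("sample URL:", check_sas_url(SAMPLE_SAS_URL) or "ok")
    too_broad = SAMPLE_SAS_URL.replace("sp=r&", "sp=rw&").replace("se=2024-05-02", "se=2024-05-09")
    print("over-permissive URL:", check_sas_url(too_broad))
```

The check is deliberately about the token's claims, not its signature: the signature can only be validated by the storage service, so the useful pre-issuance review is whether the permissions and window are the narrowest that satisfy the partner's need.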
Step 3: Configure Storage Access Tiers and Content Replication.
To save on costs, after 30 days, move blobs from the hot tier to the cool tier.
- Return to the storage account.
- In the Overview section, notice the Default access tier is set to Hot.
- In the Data management section, select the Lifecycle management blade.
- Select Add rule.
- Set the Rule name to movetocool.
- Set the Rule scope to Apply rule to all blobs in the storage account.
- Select Next.
- Ensure Last modified is selected.
- Set More than (days ago) to 30.
- As you have time, review other lifecycle options in the drop-down.
- Add the rule.
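The portal rule just created is stored as a management-policy document, and it helps to see that document and to dry-run it against a blob listing before relying on it. The following Python is an added example, not the post's own code: `build_movetocool_policy()` produces the rule from Step 3 (name movetocool, all block blobs, last modified more than 30 days ago, tier to cool) in the JSON shape Azure Storage management policies use, and `blobs_to_cool()` applies that rule to a constructed blob listing. The blob names and timestamps in SAMPLE_BLOBS are made up for the example.

```python
"""The Step 3 lifecycle rule as a management-policy document, plus a dry run.

Added example for this post. build_movetocool_policy() emits the rule the
portal steps create; blobs_to_cool() shows which blobs it would move at a
given time. SAMPLE_BLOBS is a constructed listing, not real account data.
"""
import json
from datetime import datetime, timedelta, timezone


def build_movetocool_policy(days: int = 30) -> dict:
    """Management-policy document equivalent to the portal rule in Step 3."""
    return {
        "rules": [
            {
                "enabled": True,
                "name": "movetocool",
                "type": "Lifecycle",
                "definition": {
                    "actions": {
                        "baseBlob": {
                            "tierToCool": {"daysAfterModificationGreaterThan": days}
                        }
                    },
                    # No prefixMatch filter, so the rule applies to every block blob
                    # in the account, matching "Apply rule to all blobs".
                    "filters": {"blobTypes": ["blockBlob"]},
                },
            }
        ]
    }


# Constructed listing: (blob name, current tier, last-modified time)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_BLOBS = [
    ("private/policy.pdf", "Hot", NOW - timedelta(days=45)),
    ("private/minutes.txt", "Hot", NOW - timedelta(days=10)),
    ("backup/index.html", "Hot", NOW - timedelta(days=31)),
    ("backup/old.css", "Cool", NOW - timedelta(days=90)),  # already cool, untouched
]


def blobs_to_cool(blobs, policy: dict, now: datetime) -> list[str]:
    """Names of hot blobs that the policy's tierToCool action would move at `now`."""
    action = policy["rules"][0]["definition"]["actions"]["baseBlob"]["tierToCool"]
    threshold = timedelta(days=action["daysAfterModificationGreaterThan"])
    return [
        name for name, tier, modified in blobs
        if tier == "Hot" and now - modified > threshold
    ]


if __name__ == "__main__":
    policy = build_movetocool_policy()
    print(json.dumps(policy, indent=2))
    print("would move to cool:", blobs_to_cool(SAMPLE_BLOBS, policy, NOW))
```

Saved to a file, the document from `build_movetocool_policy()` can be applied with `az storage account management-policy create --account-name <account> --resource-group <group> --policy @policy.json` (account and group names are placeholders), which is the command-line equivalent of the portal steps above.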
The public website files need to be backed up to another storage account.
- In your storage account, create a new container called backup.
- Use the default values. Refer back to the previous post if you need detailed instructions.
- Navigate to your publicwebsite storage account. This storage account was created in the previous post.
- In the Data management section, select the Object replication blade.
- Select Create replication rules.
- Set the Destination storage account to the private storage account.
- Set the Source container to public and the Destination container to backup.
- Create the replication rule.
Optionally, as you have time, upload a file to the public container. Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup container.
Conclusion
Private storage accounts are the right choice for businesses and organizations that need secure, private access to their data. They deliver improved security, compliance and control over data while taking advantage of the scalability and flexibility of Azure cloud storage.