Hello and welcome back to Cybrary's Microsoft Azure Administrator AZ-103 course. I'm Will Carlson, your instructor, and this is Episode 21: Securing Storage Account Networking.
In today's episode, we're going to configure a storage firewall to help increase control over what networks can access our storage account.
We're also going to go through, discuss, and set up a service endpoint for access to our storage account from within the Azure environment.
Getting right into the portal, we're going to connect to the storage account that we've been working in for the past few episodes,
and we're going to come down here to Firewalls and virtual networks.
When we configured this storage account, we left access on for all networks. Now we're going to select "Selected networks" instead.
Azure makes it pretty nice to add your own IP address as an allowed IP; you can go ahead and mark that.
You can also come down here and set a public IP address, or a range of public IP addresses using CIDR notation,
to have access to the storage account as well.
Some other options here are to allow trusted Microsoft services to access the storage account. Essentially, what that means is that other services within Microsoft can access the storage account without any additional setup on your part as the administrator.
There are also two options to allow read access to logging and to metrics from any network at all.
Those options are there because once you turn on this storage account firewall, it creates a deny-all rule. So unless you come from one of the permitted IP address ranges, you will not be able to access the storage account, even if you have the authentication keys.
Once you turn this on, you have to make sure it's set up correctly or you'll lose access remotely.
Now, the other thing that's in this particular window is setting up a service endpoint. This used to be a lot more involved; Microsoft has really streamlined the process, and we're going to walk through it here real quickly.
To get started, you can either add a new virtual network or add an existing virtual network. If the networking part is a little above your head at this point, don't worry; we're going to cover networking in some upcoming video segments very soon. So to simplify things, we're going to add an existing virtual network in my free trial subscription.
I'm going to go ahead and select the backup VNet.
I'm also going to select the default subnet,
and I'm going to select Add.
That configuration was really simple. As soon as I click Save, Azure is going to do all of the legwork.
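The same portal steps, scripted with the Az PowerShell module, as an added example that is not part of the course. The resource group, account, VNet, subnet and IP values are placeholders; the IP and subnet rules are added before the default action is switched to Deny, so the remote lock-out described above cannot happen in the middle of the configuration.

```powershell
# Added example (not from the course): storage account firewall + Microsoft.Storage
# service endpoint with the Az PowerShell module. All names/addresses are placeholders.
$rg          = 'rg-storage-lab'        # placeholder resource group
$account     = 'stlabaccount01'        # placeholder storage account
$vnetName    = 'backup-vnet'           # placeholder VNet (the course used its "backup" VNet)
$subnetName  = 'default'               # placeholder subnet
$myPublicIp  = '198.51.100.7'          # placeholder: your own public IP
$officeRange = '203.0.113.0/24'        # placeholder: public range in CIDR notation

Connect-AzAccount | Out-Null

# 1. Add the allowed public IP and range FIRST, while the default action is still
#    Allow. IP rules only accept public addresses (no private RFC 1918 ranges).
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange $myPublicIp,$officeRange | Out-Null

# 2. Enable the Microsoft.Storage service endpoint on the subnet, then reference the
#    subnet from the account (the portal's "add existing virtual network").
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $sub.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName).Id
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetId | Out-Null

# 3. Only now switch to "Selected networks": default action Deny, keeping the three
#    exceptions shown in the portal (trusted Microsoft services, logging, metrics).
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices,Metrics,Logging | Out-Null

# 4. Verify: DefaultAction must read Deny and both rule types must be present,
#    otherwise the next request from outside the allowed networks will fail.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$rules | Select-Object DefaultAction, Bypass
$rules.IpRules | Select-Object IPAddressOrRange, Action
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
```

If the verification step shows an empty IpRules list, do not leave DefaultAction at Deny; set it back to Allow until the rule is in place.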
And that's really all there is to securing the network for storage accounts here in Azure. I've allowed access from the outside from my personal public IP address, and I've also allowed internal access from other services here within Azure, and it's this
service endpoint that's really the most interesting.
To make that make more sense, I want to talk briefly about, and remind you of, the way that Azure Storage works.
Azure Storage is meant to be publicly accessible, cloud-based, multi-tenant storage. That means that even when you're accessing your Azure storage accounts from within your Azure account, your traffic is actually leaving your network,
traversing the Internet, and coming back into the Azure Storage interface and data center locations.
This can lead to some security concerns, and it also increases latency between your Azure workloads and your Azure Storage. An Azure service endpoint is a solution to that. Now, technically, a service endpoint still traverses the
"public Internet," but what that really means is that
it never leaves the Azure core backbone. So you're routing from your network to a publicly addressable storage endpoint over the Azure backbone. You increase security and you improve latency, sometimes by a factor of 20.
I've seen latencies to storage endpoints
go down to sub-one-millisecond times,
whereas accessing that storage over the regular, open Internet is going to be anywhere from 20 to 40 milliseconds. So service endpoints help with security, and they also help with speed of access.
So in today's episode, we talked about turning on the storage account firewall, and that as soon as you do that, it's going to lock everybody out of the system if you don't do any further configuration.
We also mentioned that adding some IP address ranges and specific IPs will allow you to get back into that storage account. And then we talked about some of the benefits of service endpoints and how they can increase security and decrease latency for us.
Coming up next, we're going to continue our discussion along the lines of security for your storage accounts, and this is going to be access control: how do you control who has credentials to ultimately log in? That's a separate discussion from today's, which was primarily centered around network access controls.
Thanks for joining me, and I'm looking forward to continuing this topic.