1 hour 52 minutes
This is the final lesson in Module three, where we're going to discuss configuring network security and secure transfer.
The objectives: we're going to look at configuring network and firewall security for storage accounts,
how we can enable secure transfer, and, of course, go out to the Azure portal and take a look at a demo of how to configure these options.
So first, let's talk about network and firewall security.
By default, our storage accounts are open to all networks, including the Internet. We saw in a previous lesson how we can set our container access levels to private, but we do have some additional options to secure our storage accounts.
First, we can restrict access to specific virtual networks, or VNets, inside of Azure. We do this by enabling service endpoints inside the virtual network so it can reach Azure services over a direct connection. We can enable a service endpoint
for the Storage account service, but it's also available for other Azure services like SQL databases,
Cosmos DB, and App Services.
Then we can create a private endpoint for the Azure storage account so clients on the virtual network can securely access it over Private Link.
The private endpoint uses an IP address from the virtual network address space and assigns it to the storage account service.
This allows network traffic between the clients on the virtual network and the storage account
to traverse the VNet and Private Link on the Microsoft backbone network.
This limits exposure from the public Internet, as the traffic doesn't traverse it at all.
The other option is we can specify public IP addresses that can access the storage account over the Internet or from our on-premises networks.
This could be a single IP or a range of IPs using CIDR notation.
Next, we have secure transfer.
This makes the storage account accept only secure connections,
and insecure connection attempts are rejected.
That includes calls to the Azure Storage REST API, which are going to require HTTPS,
and connections to our Azure file share over SMB, which are going to require encryption.
If a connection is made over SMB without encryption, it is going to fail. Examples of an insecure connection would be using an older version of SMB like 2.1, or using SMB 3.0 without encryption. And sometimes you might run into this with the Linux SMB client.
What's great is that secure transfer is enabled by default when you create the storage account using the portal. But it's disabled by default if you use the Azure Storage SDK, so something to keep in mind if you're programmatically creating your storage account.
However, if you use a custom domain name with your storage account, secure transfer is not supported, and classic storage accounts don't support secure transfer either.
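As an added example, not part of the lesson or of Microsoft's own tooling: a Python audit that reads the JSON that `az storage account show -n <name> -g <rg>` prints for an account and reports the weaknesses this lesson is about, namely secure transfer switched off, a custom domain that would block it, the default action left on Allow, and IP rules that Azure will reject (RFC 1918 addresses, /31 or /32 ranges) or that are wider than a local policy allows. The two JSON documents inside are constructed to mirror the storage account before and after the demo; the property names (enableHttpsTrafficOnly, networkRuleSet, ipRules, virtualNetworkRules) follow the CLI's output as I know it, and the /16 width threshold is a made-up local policy, not an Azure limit.

```python
"""Audit a storage account's network rules and secure-transfer setting.

Input is the JSON that `az storage account show -n <name> -g <rg>` prints,
i.e. the properties the portal shows under Configuration and under
Firewalls and virtual networks.
"""
import ipaddress
import json
from typing import Dict, List

# Azure rejects RFC 1918 ranges in storage IP rules; flag them up front.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Local policy threshold for an IP rule that is "too wide" (our choice, not an Azure limit).
BROAD_PREFIX = 16

# Constructed sample: portal defaults (allow all networks), secure transfer
# switched off, three questionable IP rules. Values are made up for this example.
SAMPLE = json.loads("""{
  "name": "rjpt2020",
  "enableHttpsTrafficOnly": false,
  "customDomain": null,
  "networkRuleSet": {
    "bypass": "AzureServices", "defaultAction": "Allow",
    "ipRules": [
      {"action": "Allow", "ipAddressOrRange": "10.0.0.0/24"},
      {"action": "Allow", "ipAddressOrRange": "203.0.113.0/12"},
      {"action": "Allow", "ipAddressOrRange": "198.51.100.7/32"}],
    "virtualNetworkRules": []},
  "privateEndpointConnections": []}""")

# The same account after the lesson's changes: secure transfer on, selected
# networks only, one subnet with a Microsoft.Storage service endpoint, one IP.
HARDENED = json.loads("""{
  "name": "rjpt2020",
  "enableHttpsTrafficOnly": true,
  "customDomain": null,
  "networkRuleSet": {
    "bypass": "AzureServices", "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "198.51.100.7"}],
    "virtualNetworkRules": [{"action": "Allow", "state": "Succeeded",
      "virtualNetworkResourceId": "<vnet-resource-id>/subnets/default"}]},
  "privateEndpointConnections": []}""")


def check_ip_rule(rule: str) -> List[str]:
    """Return findings for one ipAddressOrRange value (bare IP or CIDR)."""
    findings = []
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return [f"ip rule {rule!r}: not a valid IP address or CIDR range"]
    if net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_RANGES):
        findings.append(f"ip rule {rule}: RFC 1918 address, Azure rejects private "
                        "ranges here; use a VNet rule or private endpoint instead")
    if "/" in rule and net.prefixlen >= 31:
        findings.append(f"ip rule {rule}: /31 and /32 ranges are not supported, "
                        "list the address without a prefix instead")
    if net.prefixlen < BROAD_PREFIX:
        findings.append(f"ip rule {rule}: {net.num_addresses} addresses, wider "
                        f"than the /{BROAD_PREFIX} policy threshold")
    return findings


def audit(account: Dict) -> List[str]:
    """Return a list of findings; an empty list means the account passes."""
    findings = []
    # The CLI shows enableHttpsTrafficOnly; the ARM property is supportsHttpsTrafficOnly.
    https_only = account.get("enableHttpsTrafficOnly",
                             account.get("supportsHttpsTrafficOnly", False))
    if not https_only:
        findings.append("secure transfer not required: plain-HTTP REST calls and "
                        "unencrypted SMB mounts are accepted")
    if account.get("customDomain"):
        findings.append("custom domain configured: secure transfer required is "
                        "not supported together with a custom domain")
    acls = account.get("networkRuleSet") or {}
    if acls.get("defaultAction", "Allow") == "Allow":
        findings.append("default action Allow: reachable from all networks, "
                        "including the internet; IP and VNet rules restrict nothing")
    for rule in acls.get("ipRules") or []:
        findings.extend(check_ip_rule(rule.get("ipAddressOrRange", "")))
    for vrule in acls.get("virtualNetworkRules") or []:
        if vrule.get("state", "Succeeded") != "Succeeded":
            findings.append(f"vnet rule {vrule.get('virtualNetworkResourceId')}: "
                            f"state {vrule['state']}, service endpoint not ready")
    return findings


if __name__ == "__main__":
    for label, acct in (("before", SAMPLE), ("after", HARDENED)):
        print(f"{acct['name']} ({label}):")
        for finding in audit(acct) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to print both reports, or feed `audit()` a real export with `json.load(open("account.json"))`. The default-action finding comes first on purpose: while the account is on "Allow access from all networks", the IP and virtual network rules underneath it don't restrict anything, which is exactly the state the demo starts from.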
That does it for the concepts. Let's jump out to our demo, where we're going to verify that secure transfer is being required.
We'll then configure our virtual network service endpoint to connect to the storage account service. Then we'll create a storage account private endpoint connection so that something like a virtual machine on a virtual network can access the storage account over Private Link. Let's step over to the Azure portal.
Back in the Azure portal, let's go into our rjpt2020 storage account,
and under Settings, let's check out Configuration.
We saw this before, when we first created our storage account: right here is where we have the option to enable or disable Secure transfer required. And as this information window points out,
it's going to require HTTPS, and connections may fail in some scenarios using older versions of the SMB protocol.
That's it for requiring secure transfer; I just wanted to point out where this option is inside of our storage account.
Next, under Settings, let's jump over to Firewalls and virtual networks,
and right now you can see Allow access from all networks is configured. That means all networks, including the Internet, can access the storage account.
Let's select the radio button for Selected networks, and here we have the option of selecting virtual networks that can interact with our storage account. Now, before we go and add one here, let me discard this. First, we need to go into our virtual network
and enable our service endpoints. So let's go into Virtual networks, select the virtual network here,
and under Settings, let's go into Service endpoints.
We'll click the Add button,
and under the Service dropdown,
we'll select the Microsoft.Storage service. You can see we have lots of other services, but for right now we're just going to focus on this one.
We'll choose the subnet that's going to have access to our storage account services
and go ahead and click Add.
With our service endpoint added, we can expand it and see which subnets it is configured for and the locations. Let's go back to Home.
We'll go back to our storage account,
Firewalls and virtual networks.
Let's choose Selected networks again.
We'll add an existing virtual network,
choose the virtual network we created here,
and our default subnet.
Now, if we hadn't just enabled that service endpoint, we would get a message right here saying that it was going to do it for us automatically. But since we went ahead and did it, it's not here. So let's go and click Add.
We can expand out and see that our endpoint status is Enabled. So that's it for configuring the virtual network side of it.
We also have the option of adding
IP ranges that can access the storage account from the Internet or from on-premises networks.
Again, this could be a single IP address or a range of IP addresses using CIDR notation.
And finally, we have some exceptions here. Right now, Allow trusted Microsoft services to access this storage account is selected, but we can also allow read access to the storage account for metrics and logging. Go ahead and save our settings.
Now, to complete our private virtual network connection, we need to go under Settings, Private endpoint connections,
and create a private endpoint for the storage account. We'll leave it in the same resource group and, under Instance details, give our private endpoint a name,
and we'll go ahead and select the same region as our virtual network.
Next, we need to select the resource that we're going to enable.
For Resource type, let's go ahead and select Microsoft.Storage/storageAccounts, and let's select the specific resource that we want to enable. Again, this is going to be the rjpt2020 storage account.
And finally, for the target sub-resource, we're going to specifically enable the blob storage service. Let's go to Configuration.
We have our virtual network and subnet already selected here that we're going to configure the private endpoint for, and we have private DNS integration. Right now, I'm going to go ahead and leave this set to Yes; it is going to create a new private DNS zone for us (for blob, that's the privatelink.blob.core.windows.net zone).
This allows other resources on that virtual network to find the storage account by name and get the private address back.
Let's go ahead and Review + create.
Our validation passed, so let's go ahead and create our resources here.
This is going to take a few minutes, so once again I'll pause the video and we'll come back when it's complete.
All right, our private endpoint resources have been deployed, so let's go ahead and go back to Home.
We'll go into the rjpt2020 storage account, back to Settings and Private endpoint connections.
And here's the private endpoint connection we just created for our storage account.
Let's go and select the private endpoint link over here.
You can see under Custom DNS settings we have an FQDN for our storage account, and it now has a private IP associated with it, 10.0.0.4, which is part of the virtual network that we've configured.
This means that if we have a virtual machine on this virtual network, it's going to be able to reference and access the storage account
over Private Link, staying on the Azure network instead of traversing the public Internet.
That does it for the demo. Let's jump back to the slides and wrap this up.
That does it for this lesson, the last lesson in Module three. We discussed configuring network and firewall security and how to configure secure transfer. We enabled a storage service endpoint in our virtual network
and then created a storage account private endpoint.
Coming up next is the start of Module four, where we're going to talk about how we can manage data using Storage Explorer.
See you in the next module.