Time
1 hour 52 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
This is the final lesson in Module three, where we're going to discuss configuring network security and secure transfers.
00:09
The objectives include we're going to look at configuring network and firewall security for storage accounts,
00:15
how we can enable secure transfers and, of course, go out to the azure portal. Take a look at a demo of how to configure these options.
00:25
So first, let's talk about network and firewall security
00:28
by default are storage accounts are open to all networks and including the Internet. We saw in a previous lesson how we can configure our container access levels to private, but we do have some additional options to secure our storage accounts.
00:42
First, we can secure access to specific virtual networks or V nets inside of Azure. We can do this by enabling service in points inside the virtual network so it can access azure services over a direct connection. We can enable service in point
00:57
fourth the storage account services, but it's also available for other azure services like sequel databases,
01:03
cosmos TB, an APP services.
01:06
Then we can create a private endpoint for the azure storage account so clients on the virtual network can securely access it over a private link.
01:15
The private endpoint will use an I P address from the virtual network address space and assign it to the storage account service.
01:23
This allows a network traffic between the clients on the virtual network and storage account.
01:27
Two divers through the V Net and Private Link on the Microsoft Backbone Network.
01:33
This limits exposure from the public Internet as it doesn't traverse over. There
01:38
are other. Option is we can specify public I P addresses that can access the storage account over the Internet or from our on premises networks.
01:47
This could be a single I p or a range of I ps using cider notation.
01:53
Next, we have secured transfers.
01:55
This enables the storage account to only accept secure connections
01:59
and insecure connection attempts are rejected.
02:01
This includes things like calls to the azure storage rests ap. I are going to require https
02:08
or connection to our azure file share over S and B is going to require encryption.
02:13
If a connection is made over S and B without encryption, it is going to fail. Examples of an insecure connection would be something like using older protocols of S and be like 2.1 or using version three without encryption. And sometimes you might run into this with the Lennox S and B client.
02:30
What's great is secure. Transfers is enabled by default when you create the storage account using the portal. But it's disabled if he used the azure storage sdk, so something to keep in mind there. If you're programmatically creating your storage account,
02:43
however, if you were to use a custom domain name with your storage account, Secure transfers is not supported and are classic storage accounts. Do not have secure transfer enabled either
02:54
That does it for concepts. Let's jump out to our demo, where we're going to verify our secure transfer is being required.
03:01
Well, then convict your are virtual network service in point to connect to the storage account service. Then we'll create a storage account private endpoint connection so something like a virtual machine on a virtual network can access the storage account over the private link. Let's step back to the azure portal
03:20
back in the azure portal. Let's go into our GPT 2020 storage account
03:23
and understandings. Let's go check out configuration
03:27
and we saw this before, when we first created our storage account right here is where we have the option to enable or disable requiring secure transfer. And as this information window points out,
03:37
it's going to require https. And we might fail in some scenarios, using older versions of the S and B protocol
03:44
says it for requiring secure transfer. Just wanted to point out where this option was inside of our storage account.
03:50
Next, understanding slash jump over to firewalls and virtual networks,
03:53
and right now, you can see allow access from all networks is configured. So that means all networks, including the Internet, can access the storage account.
04:01
Let's select the radio button for selected networks, and here we have the option of selecting virtual networks that can interact with our storage account. Now, before we go and add one here, let me discard this. First, we need to go into our virtual network
04:15
and a naval our service in points so it's go into Virtual Network will select the virtual network here
04:20
and under settings. Let's go into service in points.
04:26
We'll click the add button
04:28
and under a service dropped down,
04:30
we'll select our mark self doubt storage service and you can see we have lots of other services. But for right now, we're just going to focus on this one.
04:38
We're gonna choose the seven it that's gonna have access to our storage account services
04:42
and go ahead and click on add
04:46
with our service, Endpoint added, We can expand it and see which sub nets it is configured for and locations. Let's go back to home.
04:54
We'll go back to our storage account
04:56
firewalls and virtual networks.
04:58
Let's do selected networks again.
05:00
We'll add an existing virtual network
05:01
will choose our virtual network we have created here
05:05
and our default submit.
05:08
Now. If we didn't just go enable that service in point, we would get a message right here saying that it was going to do it for us automatically. But since we went ahead and did it, it's not here. So let's go and click on add.
05:17
We can expand out and see that our endpoint status is enabled. So that's it for configuring the virtual network side of it.
05:25
We also have the option of adding
05:28
I P ranges that we can access from the Internet or on premises networks for the storage account.
05:32
Again, this could be a single I p address or arrange five he addresses using cider notation.
05:39
And finally, we have some exceptions here right now. Selected is we allow other Microsoft services to access the storage account. But we can also do things like read access to the storage for metrics and logging. Go ahead and save our settings
05:50
not to complete our private virtual network connections. We need to go under settings, private endpoint connections,
05:57
and we need to create a private endpoint for the storage account. We'll leave it in the same resource group and will give the instance detail a name for our private endpoint,
06:05
and we'll go ahead and select the same region as our virtual network.
06:10
Next, we need to select the resource that we're going to enable
06:13
for resource type. Let's go ahead and select Microsoft dot storage slash storage accounts. And let's select the specific resource that we want to enable. And again, this is gonna be rjb t 2020 storage account.
06:26
And finally, what sub resource we're gonna specifically enabled the blob storage service. It's going to configuration.
06:32
We have our virtual network and sub net already selected here that we're going to configure the private end 0.4, and we have private DNA's integration Right now, I'm going to go ahead and leave this to Yes, it is going to create a new private DNS zone for us.
06:46
This allows other resource is on that virtual network to find the storage account.
06:50
Let's go ahead and review and create
06:53
our validations past. Let's go ahead and create. Our resource is here.
06:57
This is going to take a few minutes. So once again, I'll pause the video and we'll come back when it's complete.
07:02
All right. Our private endpoint resources have been deployed, so let's go ahead and go back to home.
07:09
We'll go into R. J. P. T. 2020 storage account. Let's go back to settings and private endpoint connections.
07:15
And here's our private endpoint connection we just created for our storage account.
07:18
Let's go and select the private endpoint link over here.
07:21
You can see under a custom DNS settings. We have an F U D in for our storage account, and we now have a private I p. Associate it with it of 10.0 dot 0.4, which is part of our virtual network that we've configured.
07:35
This means that say, we have a virtual machine on this virtual network, it's gonna be able to reference and access the storage account
07:44
over a private link and staying on the Azure network instead of traversing over the public Internet
07:49
that does it for a demo. Let's jump back to the slides and wrap this up.
07:55
That does it for this lesson. It's the less lesson. And here in Module three, we discussed configuring network and fire all security. How to configure secure transfers. We enabled a storage service in point in our virtual network
08:07
and then created a storage account. Private endpoint.
08:11
Coming up. Next is the start of macho four, where we're gonna talk about how we can manage data using Storage Explorer.
08:16
See you in the next module.

Up Next

Azure Storage Accounts

In this course we will cover the different configuration options when creating storage accounts, how to secure data in the accounts, and finally how to upload and manage data in the storage account services.

Instructed By

Instructor Profile Image
Jeff Brown
Instructor