By now, you know that the storage service can be accessed from anywhere in the world. This is a security concern when you are storing sensitive data in the cloud. The default option is to allow access from all networks; however, you can restrict access to selected networks. Using the storage firewall, you can limit access to a list of allowed networks.
Once you create a storage account, you can control access from the Networking blade. As shown in Figure 6.5, you can restrict access to a set of virtual networks and external CIDR ranges (on-premises or any other network outside Azure).

FIGURE 6.5 Securing storage endpoint
Here, concepts like service endpoints and private endpoints come into the picture; you have already seen these in the networking chapter. With that, we will move on to the next topic, Azure Blob Storage.
Azure Blob Storage
When we discussed Azure Storage services, you saw some of the use-case scenarios for Azure Blob Storage. Because Azure Blob Storage is for unstructured data, you can store any type of text or binary data in it. Blob storage is also referred to as object storage.
Figure 6.6 shows a hierarchy of how objects are stored in Azure Blob Storage.

FIGURE 6.6 Blob Storage hierarchy
From the figure, it’s evident that Blob Storage comprises three resources:
- The storage account
- The container in the storage account
- Blobs or objects stored in the container
We are already familiar with the concept of a storage account, and blobs (or objects) are the data stored in the storage account. The missing piece here is containers, so let’s understand what a container in Blob Storage is.
Blob Containers
As you can see in Figure 6.6, a container provides a grouping of blobs. In the figure, we have grouped the blobs as videos and images. There is no limit to the number of containers you can have inside a storage account, and each container can hold an unlimited number of blobs. When you perform Exercise 6.1, you will see how to create a container from the Azure portal.
When you create a container, you need to provide the public access level, which specifies whether the data stored in the container is exposed publicly. By default, the contents are private. You have the following options to control visibility:
- Private: This is the default option; no anonymous access is allowed to containers and blobs.
- Blob: This grants anonymous public read access to the blobs only.
- Container: This will grant anonymous public read and list access to the container and all the blobs stored inside the container.
It’s important to understand these access levels so that you can prevent anonymous access to sensitive data stored in Blob Storage. You can also create containers from Azure PowerShell and the Azure CLI.
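The two controls described above, the storage firewall's default action and each container's public access level, can be audited from the JSON that the Azure CLI prints. The following is an added example, not code from the book, that checks both. It assumes the output shapes of `az storage account show` (the `networkRuleSet` object) and `az storage container list` (`properties.publicAccess` per container); the account and container values are constructed for the demo.

```python
"""Audit storage firewall default action and container public access levels
from Azure CLI JSON output. Sample inputs below are constructed, not real."""
import json

# Constructed sample of `az storage account show` for an account left at its
# defaults: default action Allow means the firewall admits every network.
ACCOUNT_JSON = """{
  "name": "examplestorage",
  "networkRuleSet": {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": []
  }
}"""

# Constructed sample of `az storage container list --account-name examplestorage`.
# publicAccess is "container", "blob", or null (Private, the default).
CONTAINERS_JSON = """[
  {"name": "images", "properties": {"publicAccess": "container"}},
  {"name": "videos", "properties": {"publicAccess": "blob"}},
  {"name": "backups", "properties": {"publicAccess": null}}
]"""


def audit_network_rules(account: dict) -> list[str]:
    """Flag an account whose firewall still allows all networks, or whose
    default is Deny but no virtual network or CIDR range has been allowed."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append(f"{account['name']}: firewall default action is Allow (all networks)")
    elif not rules.get("ipRules") and not rules.get("virtualNetworkRules"):
        findings.append(f"{account['name']}: default Deny but no allowed networks configured")
    return findings


def audit_containers(account_name: str, containers: list[dict]) -> list[str]:
    """Flag every container that is not Private. 'blob' exposes anonymous
    reads of blobs; 'container' also exposes listing of the container."""
    findings = []
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level:  # null/None is Private
            findings.append(f"{account_name}/{c['name']}: anonymous access level '{level}'")
    return findings


def audit(account_json: str, containers_json: str) -> list[str]:
    """Parse both CLI outputs and return all findings, firewall first."""
    account = json.loads(account_json)
    return audit_network_rules(account) + audit_containers(account["name"], json.loads(containers_json))
```

Run it against real output by substituting the two JSON strings with the results of the quoted `az` commands; an empty list means the firewall defaults to Deny with at least one allowed network and every container is Private.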
Now you will explore a new concept called blob access tiers.