Forem: Stephen Onyewuchi

Providing storage with secure access for an app using managed identity and role-based access control

Stephen Onyewuchi — Sat, 02 Nov 2024 20:10:03 +0000

Step 1. Create the storage account and managed identity.
Step 2. Secure access to the storage account with a key vault and key.
Step 3. Configure the storage account to use the customer managed key in the key vault
Step 4. Configure a time-based retention policy and an encryption scope.

Step 1. - Create the storage account and managed identity

1. Provide a storage account for the web app.

In the portal, search for and select Storage accounts.

Select + Create.

For Resource group select Create new. Give your resource group a name and select OK to save your changes.
Provide a Storage account name. Ensure the name is unique and meets the naming requirements.

Move to the Encryption tab.
Check the box for Enable infrastructure encryption.
Notice the warning, this option cannot be changed after this storage account is created.
Select Review + Create.
Wait for the resource to deploy.

2. Provide a managed identity for the web app to use.

Search for and select Managed identities.

Select + Create.

Select your resource group.
Give your managed identity a name.

Select Review + create, and then Create.
Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs.
Search for and select your storage account.
Select the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Storage Blob Data Reader role.

On the Members page, select Managed identity.
Select + Select members, in the Managed identity drop-down select User-assigned managed identity.
Select the managed identity you created in the previous step.
Click Select and then Review + assign the role.

Select Review + assign a second time to add the role assignment.
Your storage account can now be accessed by a managed identity with the Storage Data Blob Reader permissions.

Step 2. - Secure access to the storage account with a key vault and key

1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions.

In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Key Vault Administrator role.

On the Members page, select User, group, or service principal.
Select + Select members.
Search for and select your user account. Your user account is shown in the top right of the portal.
Click Select and then Review + assign.

Select Review + assign a second time to add the role assignment.
You are now ready to continue with the lab.

2. Create a key vault to store the access keys.

In the portal, search for and select Key vaults.

Select + Create.

Select your Resource group.
Provide the name for the key vault. The name must be unique.

Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected.
Select Review + create.
Wait for the validation checks to complete and then select + Create.

After the deployment, select Go to resource.

On the Overview blade ensure both Soft-delete and Purge protection are enabled.

3. Create a customer-managed key in the key vault.

In your key vault, in the Objects section, select the Keys blade.

Select Generate/Import and Name the key.
Take the defaults for the rest of the parameters, and Create the key.

Step 3. - Configure the storage account to use the customer managed key in the key vault

1. Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity.
Find out more on how to use a system-assigned managed identity to authorize access

In the portal, search for and select Resource groups.
Select your resource group, and then the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.

On the Members page, select Managed identity.
Select + Select members, in the Managed identity drop-down select User-assigned managed identity.
Select your managed identity.
Click Select and then Review + assign.

Select Review + assign a second time to add the role assignment.
Select check access, then View my access to confirm roles

2. Configure the storage account to use the customer managed key in your key vault.
Learn more about customer managed keys on an existing storage account.

Return to your the storage account.
In the Security + networking section, select the Encryption blade.
Select Customer-managed keys.

Select Select a key vault and key. Select your key vault and key.
Select to confirm your choices.
Ensure the Identity type is User-assigned.
Select an identity.
Select your managed identity then select Add.
Save your changes.

If you receive an error that your identity does not have the correct permissions, wait a minute and try again.

Step 4. - Configure an time-based retention policy and an encryption scope.

1. The developers require a storage container where files can’t be modified, even by the administrator.
Learn more about blob immutable storage.

Navigate to your storage account.
In the Data storage section, select the Containers blade.
Create a container called hold. Take the defaults. Be sure to Create the container.

Upload a file to the container.
Navigate to the container.

In the Settings section, select the Access policy blade.
In the Immutable blob storage section, select + Add policy.
For the Policy type, select time-based retention.
Set the Retention period to 5 days.
Be sure to Save your changes.

Try to delete the file in the container.
Verify you are notified failed to delete blobs due to policy.

2. The developers require an encryption scope that enables infrastructure encryption.
Find our more about infrastructure encryption.

Navigate back to your storage account.
In the Security + networking blade, select Encryption.
In the Encryption scopes tab, select Add.
Give your encryption scope a name.
The Encryption type is Microsoft-managed key.
Set Infrastructure encryption to Enable.
Create the encryption scope.

Return to your storage account and create a new container.
Notice on the New container page, there is the Name and Public access level.
Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container.

Setting up Azure shared file storage for a department in a Company

Stephen Onyewuchi — Wed, 30 Oct 2024 11:46:41 +0000

Step 1- Create and configure a storage account for Azure Files.
Step 2- Create and configure a file share with directory.
Step 3- Configure and test snapshots.
Step 4- Configure restricting storage access to selected virtual networks.

Step 1- Create and configure a storage account for Azure Files.

1. Create a storage account for the finance department’s shared files.

In the portal, search for and select Storage accounts.

Select + Create.

For Resource group select Create new. Give your resource group a name and select OK to save your changes.
Provide a Storage account name. Ensure the name meets the naming requirements.
Set the Performance to Premium.
Set the Premium account type to File shares.
Set the Redundancy to Zone-redundant storage.
Select Review and then Create the storage account.

Wait for the resource to deploy.
Select Go to resource.

Step 2- Create and configure a file share with directory.

1. Create a file share for the corporate office. Learn more about Azure File tiers.

In the storage account, in the Data storage section, select the File shares blade.

Select + File share and provide a Name.
Review the other options but take the defaults.

Select Review + Create

2. Add a directory to the file share for the finance department. For future testing, upload a file.

Select your file share and select + Add directory.
Name the new directory finance.
Select Browse and then select the finance directory.
Notice you can Add directory to further organize your file share.

Upload a file of your choosing.

Step 3- Configure and test snapshots.

1. Similar to blob storage, you need to protect against accidental deletion of files. You decide to use snapshots. Learn more about file snapshots.

Select your file share.
In the Operations section, select the Snapshots blade.
Select + Add snapshot. The comment is optional. Select OK.

Select your snapshot and verify your file directory and uploaded file are included.

2. Practice using snapshots to restore a file.

Return to your file share.
Browse to your file directory.
Locate your uploaded file and in the Properties pane select Delete. Select Yes to confirm the deletion.

Select the Snapshots blade and then select your snapshot.
Navigate to the file you want to restore,
Select the file and the select Restore.

Provide a Restored file name.

Verify your file directory has the restored file.

Step 4- Configure restricting storage access to selected virtual networks.

1. This tasks in this section require a virtual network with subnet. In a production environment these resources would already be created.

Search for and select Virtual networks.

Select + Create. Select your resource group and give the virtual network a name.

Take the defaults for other parameters, select Review + create, and then Create.
Wait for the resource to deploy.

Select Go to resource.

In the Settings section, select the Subnets blade.
Select the default subnet.
In the Service endpoints section choose Microsoft.Storage in the Services drop-down.
Do not make any other changes.

Be sure to Save your changes.

2. The storage account should only be accessed from the virtual network you just created.

Return to your files storage account.
In the Security + networking section, select the Networking blade.
Change the Public network access to Enabled from selected virtual networks and IP addresses.
In the Virtual networks section, select Add existing virtual network.

Select your virtual network and subnet, select Enable, then Add.
Be sure to Save your changes.
Select the Storage browser and navigate to your file share.

Verify the message not authorized to perform this operation. You are not connecting from the virtual network.

CREATING PRIVATE STORAGE FOR INTERNAL COMPANY DOCUMENTS

Stephen Onyewuchi — Wed, 30 Oct 2024 09:50:10 +0000

Create a storage account and configure high availability.
1.Create a storage account for the internal private company documents
2.Configure the appropriate level of redundancy.
Create a storage container, upload a file, and restrict access to the file.
1.Create a private storage container for the corporate data.
2.Test to ensure the file is not publicly accessible.
3.Configure and test a shared access signature (SAS)
Configure storage access tiers and content replication.
1.Configure to move blobs from the hot tier to the cool tier
2.Backup public website files to another storage account.

Create a storage account and configure high availability.

1. Create a storage account for the internal private company documents.

In the portal, search for and select Storage accounts.

Select + Create.

Select the Resource group created in the previous lab.
Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.
Select Review, and then Create the storage account.

Wait for the storage account to deploy, and then select Go to resource.

2. Configure redundancy for the storage account.

In the storage account, in the Data management section, select the Redundancy blade.
Ensure Geo-redundant storage (GRS) is selected.

Refresh the page.
Review the primary and secondary location information.
Save your changes.

Create a storage container, upload a file, and restrict access to the file.

1. Create a private storage container for the corporate data.

In the storage account, in the Data storage section, select the Containers blade.
Select + Container.
Ensure the name of the container is private.
Ensure the Public access level is Private (no anonymous access).
As you have time, review the Advanced settings, but take the defaults.

Select Create.

2. Test to ensure the file is not publicly accessible.

Select the container.
Select Upload.
Browse to files and select a file.
Upload the file.

Select the uploaded file.
On the Overview tab, copy the URL.

Paste the URL into a new browser tab.
Verify the file doesn’t display and you receive an error.

3. Configure and test a shared access signature (SAS)

Select your uploaded blob file and move to the Generate SAS tab.

In the Permissions drop-down, ensure the partner has only Read permissions.
Verify the Start and expiry date/time is for the next 24 hours.
Select Generate SAS token and URL.

Copy the Blob SAS URL to a new browser tab.

Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded.

Configure storage access tiers and content replication.

1. Configure to move blobs from the hot tier to the cool tier

Return to the storage account.
In the Overview section, notice the Default access tier is set to Hot.

In the Data management section, select the Lifecycle management blade.
Select Add rule.

Set the Rule name to movetocool.
Set the Rule scope to Apply rule to all blobs in the storage account.

Select Next.
Ensure Last modified is selected.
Set More than (days ago) to 30.
In the Then drop-down select Move to cool storage.
As you have time, review other lifecycle options in the drop-down.

Add the rule.

2. Backup public website files to another storage account.

In your storage account, create a new container called backup. Use the default values.

Navigate to your publicwebsite storage account. This storage account was created previously.
In the Data management section, select the Object replication blade.
Select Create replication rules.

Set the Destination storage account to the private storage account.
Set the Source container to public and the Destination container to backup.

Create the replication rule.
Optionally, as you have time, upload a file to the public container.

Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup folder.

How to Create storage for a public website with high availability

Stephen Onyewuchi — Fri, 20 Sep 2024 17:18:10 +0000

Introduction to Azure storage, containers and blobs.
Step 1: Create a storage account with high availability.
Step 2: Create a blob storage container with anonymous read access
Step 3: Practice uploading files and testing access.
Step 4: Configure soft delete
Step 5: Configure blob versioning

Introduction

Azure Storage is a great option for hosting a public website. For blobs and containers, Azure Storage offers optional anonymous read access. Anonymous access to your data is never allowed by default. Authorization is required for all requests to a container and its blobs unless you specifically permit anonymous access. Clients can read data in a container without requesting authorization when the access level setting for that container is set to allow anonymous access.
NOTE: Any client can read data from a container that has been set up for anonymous access. We advise you to remove anonymous access from the storage account if it is not needed in your case because it poses a security risk.

Step guide on how to setup storage for public website:

Step 1: Create a storage account with high availability.

Create a storage account for the public website.

In the portal, search for and select Storage accounts.

Select + Create.

For resource group select new. Give your resource group a name and Select OK.
Set the Storage account name to publicwebsite. Make sure the storage account name is unique by adding an identifier.
Leave the default for other settings.
Select Review + Create.

Wait for the storage account to deploy, and then select Go to resource.

2.The storage requires high availability if there is a regional outage. Additionally, enable read access to the secondary region.

In the storage account, in the Data management section, select the Redundancy blade.
Ensure Read-access Geo-redundant storage is selected.

Review the primary and secondary location information.

3.Information on the public website should be accessible without requiring customers to login.

In the storage account, in the Settings section, select the Configuration blade.
Ensure the Allow blob anonymous access setting is Enabled.

Be sure to Save your changes.

Step 2: Create a blob storage container with anonymous read access

The public website has various images and documents. Create a blob storage container for the content.

In your storage account, in the Data storage section, select the Containers blade.
Select + Container.
Ensure the Name of the container is public.

Select Create.

2.Customers should be able to view the images without being authenticated. Configure anonymous read access for the public container blobs.

Select your public container.
On the Overview blade, select Change access level.
Ensure the Public access level is Blob (anonymous read access for blobs only).

Select OK.

Step 3: Practice uploading files and testing access.

For testing, upload a file to the public container. The type of file doesn’t matter. A small image or text file is a good choice.

Ensure you are viewing your container.
Select Upload.
Browse to files and select a file of your choice.
Select Upload.
Close the upload window, Refresh the page and ensure your file was uploaded.

2.Determine the URL for your uploaded file. Open a browser and test the URL.

Select your uploaded file.
On the Overview tab, copy the URL.
Paste the URL into a new browser tab.

The uploaded image file will display in the browser. Other file types should be downloaded.

Step 4: Configure soft delete

It’s important that the website documents can be restored if they’re deleted. Configure blob soft delete for 21 days.

Go to the Overview blade of the storage account.
On the Properties page, locate the Blob service section.

Select the Blob soft delete setting.
Ensure the Enable soft delete for blobs is checked.
Change the Keep deleted blobs for (in days) setting to 21.
Notice you can also Enable soft delete for containers.

Don’t forget to Save your changes.

2.If something gets deleted, you need to practice using soft delete to restore the files.

Navigate to your container where you uploaded a file.
Select the file you uploaded and then select Delete.
Confirm to Delete the file.

On the container Overview page, toggle the slider Show deleted blobs. This toggle is to the right of the search box.

Select your deleted file, and use the ellipses(...) on the far right, to Undelete the file.
Refresh the container and confirm the file has been restored.

Step 5: Configure blob versioning

It’s important to keep track of the different website product document versions.

Go to the Overview blade of the storage account.
In the Properties section, locate the Blob service section.
Select the Versioning setting.

Ensure the Enable versioning for blobs checkbox is checked.
Check the option to keep all versions or delete versions after.

Don’t forget to Save your changes.

2.As you have time experiment with restoring previous blob versions.

Upload another version of your container file. This overwrites your existing file.

Your previous file version is listed on Show deleted blobs page.

Creating Azure Resource Group and Storage

Stephen Onyewuchi — Wed, 18 Sep 2024 12:27:29 +0000

What is Azure Cloud Storage
Important Azure Storage Features
Steps on setting up a storage account and resource group
Step 1: Create a resource group and a storage account.
Step 2: Configure simple settings in the storage account.

What is Azure Cloud Storage?

Microsoft Azure offers a full range of cloud storage services, including Azure Cloud Storage. For a wide range of data objects, it provides highly accessible, massively scalable, robust, and secure storage.

Here are a few essential elements:

Azure Blob Storage: Object storage that is incredibly scalable for unstructured data, such as binary and text data. It's perfect for keeping a lot of data, including backups, movies, and pictures.
Azure Files: Managed file shares accessible using the SMB protocol are called Azure Files. File share-dependent legacy programs can benefit from this migration.
Azure Disk Storage: High-performance, long-lasting block storage for Azure virtual machines is provided via Azure Disk Storage.
Azure Data Lake Storage: This combines the performance and dependability of a data lake with the scalability and financial advantages of object storage.

Important Azure Storage Features

Global Accessibility: HTTP/HTTPS is available everywhere. Data is perfect for scattered teams and worldwide applications since it can be accessed from any location.
Arrangement and Enhancement: Add metadata to data and have it automatically layer between hot and cold storage. Effective data classification and retrieval is aided by metadata. Storage costs are optimized via automatic tiering according to access frequency.
Security: Security features include many access control choices and default data encryption. For increased security, role-based access control (RBAC), encryption both in transit and at rest, and connection with Azure Active Directory are provided.
Scalability: Able to adapt to increasing data requirements with ease. Suitable for applications with varying workloads, it can handle millions of requests per second and petabytes of data.
Ease of Use: Simple to use interface and extensive documentation make it easy to use. Application development is made easier by integration with SDKs and development tools for different programming languages.

Steps on setting up a storage account and resource group

Step 1: Create a resource group and a storage account.

Create and deploy a resource group to hold all your project resources.

In the Azure portal, search for and select Resource groups.

Select + Create.

Give your resource group a name. For example, stephen_o.

Select a Region. Use this region throughout the project.

Select Review + create to validate the resource group.

Select Create to deploy the resource group.

Create and deploy a storage account to support testing and training.

In the Azure portal, search for and select Storage accounts.

Select + Create.

On the Basics tab, select your Resource group.
Provide a Storage account name. The storage account name must be unique in Azure.
Set the Performance to Standard.
Select Review, and then Create.

Wait for the storage account to deploy and then Go to resource.

Step 2: Configure simple settings in the storage account.

The data in this storage account doesn’t require high availability or durability. A lowest cost storage solution is desired.

In your storage account, in the Data management section, select the Redundancy blade.
Select Locally-redundant storage (LRS) in the Redundancy drop-down.
Be sure to Save your changes.

Refresh the page and notice the content only exists in the primary location.

2.The storage account should only accept requests from secure connections.

In the Settings section, select the Configuration blade.
Ensure Secure transfer required is Enabled.

3.Developers would like the storage account to use at least TLS version 1.2.

In the Settings section, select the Configuration blade.
Ensure the Minimal TLS version is set to Version 1.2.

4.Until the storage is needed again, disable requests to the storage account.

In the Settings section, select the Configuration blade.
Ensure Allow storage account key access is Disabled.

Be sure to Save your changes.

5.Ensure the storage account allows public access from all networks.

In the Security + networking section, select the Networking blade.
Ensure Public network access is set to Enabled from all networks.

Be sure to Save your changes.
Back to top

Cloud Computing, Storage and Terminologies

Stephen Onyewuchi — Wed, 18 Sep 2024 12:23:42 +0000

What is Cloud Computing

Cloud computing is the provision of different computing services via the internet, sometimes known as "the cloud," is known as cloud computing. Servers, storage, databases, networking, software, analytics, and intelligence are some of these services.

The following are some essential features of cloud computing:

Contingent Self-Service: Without assistance from a service provider, customers can use computer resources as needed.
Wide-ranging Network Access: Applications can be accessed via the network using a variety of devices, including laptops, tablets, and smartphones.
Resource Pooling: In order to service a number of customers, providers pool their resources and dynamically allocate and reallocate them in response to demand.
Rapid Elasticity: The ability to quickly scale up or down resources in response to demand
Measured Service: The provider and customer benefit from transparency as resource utilization is tracked, managed, and reported.

A few advantages of cloud computing are lower costs, more speed and agility, and the capacity to scale resources in response to demand.

Forem: Stephen Onyewuchi

Providing storage with secure access for an app using managed identity and role-based access control

Table of contents

Step 1. - Create the storage account and managed identity

Step 2. - Secure access to the storage account with a key vault and key

Step 3. - Configure the storage account to use the customer managed key in the key vault

Step 4. - Configure an time-based retention policy and an encryption scope.

Setting up Azure shared file storage for a department in a Company

Table of contents

Step 1- Create and configure a storage account for Azure Files.

Step 2- Create and configure a file share with directory.

Step 3- Configure and test snapshots.

Step 4- Configure restricting storage access to selected virtual networks.

CREATING PRIVATE STORAGE FOR INTERNAL COMPANY DOCUMENTS

Table of contents

Create a storage account and configure high availability.

Create a storage container, upload a file, and restrict access to the file.

Configure storage access tiers and content replication.

How to Create storage for a public website with high availability

Table of contents

Introduction

Step guide on how to setup storage for public website:

Step 1: Create a storage account with high availability.

Step 2: Create a blob storage container with anonymous read access

Step 3: Practice uploading files and testing access.

Step 4: Configure soft delete

Step 5: Configure blob versioning

Creating Azure Resource Group and Storage

Table of contents

What is Azure Cloud Storage?

Here are a few essential elements:

Important Azure Storage Features

Steps on setting up a storage account and resource group

Step 2: Configure simple settings in the storage account.

Cloud Computing, Storage and Terminologies

What is Cloud Computing