Azure Blob Storage is a versatile and scalable storage solution that supports a wide range of use cases, from hosting static websites to serving as a data lake.
In this guide, we will walk through creating a secure and monitored Azure Blob Storage setup.
You’ll learn how to set up a storage account, restrict access using network rules, and enable audit logging to track access and modifications.
By the end of this tutorial, you will have a robust Azure Blob Storage configuration ready to handle secure data storage and monitoring.
Step 1: Setting Up the Storage Account and Blob Container
The first step is to create an Azure Storage Account and a Blob Container:
Navigate to the Azure Portal and create a new Storage Account.
Choose the following settings:
Performance: Standard
Replication: Locally-redundant storage (LRS)
Access Tier: Hot
Once the account is created, go to the Containers tab and add a new container.
Set the container's public access level to Blob, which permits anonymous read access to individual blobs while keeping the container listing private.
Step 2: Configuring SAS Tokens for Controlled Access
Shared Access Signatures (SAS) grant scoped, time-limited access to your Blob Storage resources without handing out the storage account key.
Go to your Storage Account in the Azure Portal.
Navigate to Shared Access Signature under the Security + Networking section.
Configure the SAS token with the following:
Allowed Services: Blob
Allowed Resource Types: Object
Permissions: Read, Write, List
Generate the SAS token and note down the SAS URL; the token itself is the query string appended to the resource URL.
Test the SAS Token
Use the generated SAS URL in a browser or tool like curl to ensure access is restricted to the defined permissions and validity period.
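To see what the portal is doing when it produces an account SAS, the following added example (not from the original post) reproduces the documented account-SAS signing scheme locally: the string-to-sign lists the scope fields in a fixed order and is signed with HMAC-SHA256 under the account key, so any change to the permissions, services, resource types or expiry invalidates the signature. The account name and key are constructed placeholders, and the page's Read, Write, List permissions appear as the letters rwl.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo values: the account name and key are NOT real credentials.
DEMO_ACCOUNT = "examplestorage"
DEMO_KEY = base64.b64encode(b"constructed-demo-key-bytes-0123456789").decode()
SAS_VERSION = "2020-12-06"  # documented account-SAS string-to-sign layout used below


def account_sas_string_to_sign(account, perms, services, resource_types, start,
                               expiry, ip="", protocol="https",
                               version=SAS_VERSION, encryption_scope=""):
    """Account SAS string-to-sign: fixed field order, every field newline-terminated."""
    fields = [account, perms, services, resource_types, start, expiry,
              ip, protocol, version, encryption_scope]
    return "\n".join(fields) + "\n"


def sign(key_b64, string_to_sign):
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_account_sas(account, key_b64, perms, services, resource_types,
                      start, expiry, protocol="https"):
    """Return the SAS query string (sv/ss/srt/sp/st/se/spr/sig) for the given scope."""
    sts = account_sas_string_to_sign(account, perms, services, resource_types,
                                     start, expiry, "", protocol)
    params = {"sv": SAS_VERSION, "ss": services, "srt": resource_types,
              "sp": perms, "st": start, "se": expiry, "spr": protocol,
              "sig": sign(key_b64, sts)}
    return urlencode(params)


def verify_account_sas(account, key_b64, query):
    """Recompute the signature from the query fields; any edited field breaks it."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    sts = account_sas_string_to_sign(
        account, q.get("sp", ""), q.get("ss", ""), q.get("srt", ""),
        q.get("st", ""), q.get("se", ""), q.get("sip", ""), q.get("spr", ""),
        q.get("sv", ""), q.get("ses", ""))
    expected = sign(key_b64, sts)
    return hmac.compare_digest(expected.encode(), q.get("sig", "").encode())
```

The service also checks the start and expiry times against its clock and requires permission letters in their documented order, which this local check does not model.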
Step 3: Restricting Access Using Network Rules
To enhance security, limit access to the storage account using virtual network rules:
In your Storage Account, go to Networking.
Under Firewall and virtual networks, select Selected networks.
Add your current virtual network or IP ranges that are allowed access.
Test the setup by attempting access from an IP outside the allowed range.
Step 4: Enabling and Verifying Audit Logging
Enable logging to monitor all interactions with your Blob Storage.
Navigate to your Storage Account and select Diagnostics settings.
Configure a new diagnostic setting:
Log categories: Blob Read, Blob Write, and Blob Delete
Destination: Log Analytics Workspace
Save the configuration.
Verify Audit Logs:
Run a test operation, such as uploading a file to the Blob Container.
Use the Log Analytics query:
AzureDiagnostics
| where OperationName == "PutBlob"
Conclusion
In this project, we set up a secure Azure Blob Storage solution, enabling controlled access through SAS tokens and network rules while ensuring all activities are logged for auditing.
This foundational setup is crucial for building more complex workflows, such as serverless event processing using Azure Functions.
Automation
If you’re looking for an automated version of this project, complete with Bicep templates for seamless deployment, head over to my GitHub repository where you’ll find everything you need to get started.
For detailed walkthroughs and insights, make sure to follow me on the Azure Roadmap YouTube Channel, where I regularly share tutorials and best practices for mastering Azure architecture.