Configure Video Indexer to work with storage accounts behind firewall
Important
Due to the Azure Media Services retirement announcement, Azure AI Video Indexer announces Azure AI Video Indexer features adjustments. See Changes related to Azure Media Service (AMS) retirement to understand what this means for your Azure AI Video Indexer account. See the Preparing for AMS retirement: VI update and migration guide.
When you create a Video Indexer account, you must associate it with an Azure Storage account. Video Indexer can access the storage account using system authentication or Managed Identity authentication. Video Indexer validates that the user adding the association has access to the storage account with Azure Resource Manager Role Based Access Control (RBAC).
If you want to use a firewall to secure your storage account and enable trusted storage, Managed Identities authentication that allows Video Indexer access through the firewall is the preferred option. It allows Video Indexer to access the storage account that has been configured without needing public access for trusted storage access.
Important
When you lock your storage accounts without public access be aware that the client device you're using to download the video source file using the Video Indexer portal will be the source ip that the storage account will see and allow/deny depending on the network configuration of your storage account. For instance, if I'm accessing the Video Indexer portal from my home network and I want to download the video source file a sas url to the storage account is created, my device will initiate the request and as a consequence the storage account will see my home ip as source ip. If you did not add exception for this ip you will not be able to access the SAS url to the source video. Work with your network/storage administrator on a network strategy i.e. use your corporate network, VPN or Private Link.
Follow these steps to enable Managed Identity for Storage and then lock your storage account. It's assumed that you already created a Video Indexer account and associated the Storage account.
Assign the Managed Identity and role
Follow all of the steps for creating an Azure AI Video Indexer account, but also use the steps below:
- When you select Assign Role, the following roles are assigned:
Azure Media Services : ContributorandAzure Storage : Storage Blob Data Owner. You can verify or manually set assignments by navigating to the Identity menu of your Video Indexer account and selecting Azure Role Assignments. - Navigate to your Storage account. Select Networking from the menu and select Enabled from selected virtual networks and IP addresses in the Public network access section.
- Under Exceptions, make sure that Allow Azure services on the trusted services list to access this storage account is selected.
Upload from locked storage account
When uploading a file to Video Indexer you can provide a link to a video using a SAS locator. If the storage account hosting the video is not publicly accessible, use the Managed Identity and Trusted Service approach. Since there is no way to know if a SAS url is pointing to a locked storage account, explicitly set the query parameter useManagedIdentityToDownloadVideo to true in the upload-video API call.
You also need to set the role Azure Storage : Storage Blob Data Owner on this storage account as you did with the storage account.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for