Azure Blob storage security queries

SecGlad 41 Reputation points
2023-05-11T16:01:44.17+00:00

While researching about azure blob storage, i read a lot of things about why public blob storage are vulnerable to attacks, but what if the customer requirements wants me to expose my storage, won't a secure tranfer enabled(HTTPS) on storage account plus azure firewall maybe a NSG as well, , will be enough to protect my storage? Why do we go for an overkill to enable seccure transfer (HTTPS) over a VPN connection and use a private link, how is it performance in this case?

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
592 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,563 questions
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 24,086 Reputation points Microsoft Employee
    2023-05-11T22:22:43.2433333+00:00

    @SecGlad

    Welcome to the Microsoft Q&A forum.

    Based on your questions above.

    what if the customer requirements wants me to expose my storage, won't a secure tranfer enabled(HTTPS) on storage account plus azure firewall maybe a NSG as well, , will be enough to protect my storage?

    In order to provide additional security you can follow the checklist mentioned in this Microsoft Azure Well Architecture Framework documentation for Azure Storage. Azure Storage Accounts are ideal for workloads that require fast and consistent response times, or that have a high number of input output (IOP) operations per second. In addition to enabling HTTPS and Azure Firewall you can also go through the checklist in documentation shared above. I am listing some of them below.

    • Enable Azure Defender for all your storage accounts.
    • Use Azure AD to authorize access to blob data.
    • Enable the Secure transfer required option on all your storage accounts.
    • Limit shared access signature (SAS) tokens to HTTPS connections only.

    will be enough to protect my storage? Why do we go for an overkill to enable seccure transfer (HTTPS) over a VPN connection and use a private link, how is it performance in this case?

    Having HTTPS and VPN both will have effect on the performance (latency will increase) as the data will be encrypted and decrypted twice. It will be difficult to determine how much the performance will be affected as it will depend on the factors like VPN SKU, Client Network bandwidth etc.

    Additional References:

    https://learn.microsoft.com/en-us/azure/storage/blobs/storage-performance-checklist

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. msrini-MSFT 9,266 Reputation points Microsoft Employee
    2023-05-21T17:48:47.3766667+00:00

    Hi,

    I believe you can change the SA tire from public to Private and recommend customer to generate SAS token to securely access the blobs.

    You can learn more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

    Regards,

    Karthik Srinivas

    0 comments No comments