Welcome to the Microsoft Q&A forum.
Based on your questions above.
What if the customer requirements want me to expose my storage, won't secure transfer enabled (HTTPS) on the storage account plus Azure Firewall, maybe an NSG as well, be enough to protect my storage?
To provide additional security, you can follow the checklist in the Microsoft Azure Well-Architected Framework documentation for Azure Storage. Azure Storage Accounts are ideal for workloads that require fast and consistent response times, or that have a high number of input/output operations per second (IOPS). In addition to enabling HTTPS and Azure Firewall, you can also go through the checklist in the documentation shared above. I am listing some of the items below.
- Enable Azure Defender for all your storage accounts.
- Use Azure AD to authorize access to blob data.
- Enable the Secure transfer required option on all your storage accounts.
- Limit shared access signature (SAS) tokens to HTTPS connections only.
will be enough to protect my storage? Why do we go for an overkill to enable secure transfer (HTTPS) over a VPN connection and use a private link, how is the performance in this case?
Having both HTTPS and VPN will have an effect on performance (latency will increase), as the data will be encrypted and decrypted twice. It is difficult to determine how much the performance will be affected, as it depends on factors such as VPN SKU, client network bandwidth, etc.
Additional References:
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-performance-checklist
Hope this helps! Please let me know if you have any additional questions. Thank you!
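The checklist items above can be checked mechanically. The following is an added example, not part of the original answer: it audits the JSON printed by `az storage account show` for secure transfer, firewall default action and shared key access (disabling shared key access is one way to enforce Azure AD authorization), and checks whether a SAS URL is restricted to HTTPS through its `spr` parameter. The account name, URLs and signatures are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a subset of the fields printed by `az storage account show`.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplestorage",
  "enableHttpsTrafficOnly": false,
  "allowSharedKeyAccess": null,
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": []}
}
""")

# Constructed SAS URLs; the sig values are placeholders, not real signatures.
BASE = "https://examplestorage.blob.core.windows.net/docs/report.txt"
SAS_HTTPS_ONLY = BASE + "?sv=2022-11-02&sp=r&spr=https&sig=PLACEHOLDER"
SAS_BOTH = BASE + "?sv=2022-11-02&sp=r&spr=https,http&sig=PLACEHOLDER"
SAS_NO_SPR = BASE + "?sv=2022-11-02&sp=r&sig=PLACEHOLDER"


def audit_account(acct):
    """Return a list of findings for one storage account description."""
    findings = []
    # "Secure transfer required" rejects plain-HTTP requests to the account.
    if acct.get("enableHttpsTrafficOnly") is not True:
        findings.append("secure-transfer-not-required")
    # Storage firewall: anything other than Deny means all networks are allowed.
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("firewall-default-allow")
    # A null/absent value means shared key (and account-key SAS) auth is allowed.
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append("shared-key-auth-enabled")
    return findings


def sas_is_https_only(url):
    """True only if the SAS carries spr=https; a missing spr permits HTTP too."""
    spr = parse_qs(urlsplit(url).query).get("spr", [""])[0]
    protocols = {p.strip().lower() for p in spr.split(",") if p.strip()}
    return protocols == {"https"}


if __name__ == "__main__":
    print(audit_account(SAMPLE_ACCOUNT))
    for sas in (SAS_HTTPS_ONLY, SAS_BOTH, SAS_NO_SPR):
        print(sas_is_https_only(sas), sas.split("?")[1])
```
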