How publicly accessible is data in an Azure Storage account?

Dan Temple 20 Reputation points
2023-07-10T08:46:14.6333333+00:00

We have a storage account for use only by a FunctionApp. In the Networking section, it is set to "Enabled from all networks".

Does this mean that data in the storage account can be downloaded without authentication? For example, blob storage?

Or, is it still only accessible from an account or a service that is authenticated in some way, like the FunctionApp?

It looks complex to start adding Virtual Networks so we can turn off the "all networks" option, so just want to be sure we're not completely "open to all" with the "all networks" option.


Accepted answer
  1. Rishikesh Singh 470 Reputation points
    2023-07-10T08:58:58.5966667+00:00

    You still need to be authenticated, even if your storage is public.

    Public access to your data is always prohibited by default. There are two separate settings that affect public access:
    
    - Allow public access for the storage account. By default, an Azure Resource Manager storage account allows a user with the appropriate permissions to enable public access to a container. Blob data is not available for public access unless the user takes the additional step to explicitly configure the container's public access setting.
    - Configure the container's public access setting. By default, a container's public access setting is disabled, meaning that authorization is required for every request to the container or its data. A user with the appropriate permissions can modify a container's public access setting to enable anonymous access only if anonymous access is allowed for the storage account.
    
    The following table summarizes how both settings together affect public access for a container.
    | | Public access level for the container is set to Private (default setting) | Public access level for the container is set to Container | Public access level for the container is set to Blob |
    |---|---|---|---|
    | Public access is disallowed for the storage account | No public access to any container in the storage account. | No public access to any container in the storage account. The storage account setting overrides the container setting. | No public access to any container in the storage account. The storage account setting overrides the container setting. |
    | Public access is allowed for the storage account (default setting) | No public access to this container (default configuration). | Public access is permitted to this container and its blobs. | Public access is permitted to blobs in this container, but not to the container itself. |
    
    When anonymous public access is permitted for a storage account and configured for a specific container, then a request to read a blob in that container that is passed without an Authorization header is accepted by the service, and the blob's data is returned in the response.
    

    Please "Accept the answer" if the information helped you. This will help us and others in the community as

    1 person found this answer helpful.
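
The two settings from the answer above, combined into an audit check. This is an added example, not part of the original thread or any Microsoft tooling. The sample JSON and account names are constructed; the field names follow the `allowBlobPublicAccess`, `networkRuleSet.defaultAction` and container `publicAccess` properties that Azure CLI returns, and the `containers` key that joins them is an assumption of this example.

```python
import json

# Constructed sample: account properties joined with each account's container
# list (names are made up; "containers" is this example's own join key).
SAMPLE = json.loads("""
[
 {"name": "funcappstore01",
  "allowBlobPublicAccess": false, "networkRuleSet": {"defaultAction": "Allow"},
  "containers": [{"name": "azure-webjobs-hosts", "properties": {"publicAccess": null}},
                 {"name": "exports", "properties": {"publicAccess": "blob"}}]},
 {"name": "legacyassets02",
  "allowBlobPublicAccess": null, "networkRuleSet": {"defaultAction": "Allow"},
  "containers": [{"name": "private-data", "properties": {"publicAccess": null}},
                 {"name": "downloads", "properties": {"publicAccess": "blob"}},
                 {"name": "site", "properties": {"publicAccess": "container"}}]}
]
""")

def anonymous_exposure(account):
    """Return {container: exposure}, applying the account/container table."""
    # Assumption: an unset (null) account flag is treated as "allowed",
    # matching the default described in the answer.
    account_allows = account.get("allowBlobPublicAccess") is not False
    result = {}
    for c in account.get("containers", []):
        level = ((c.get("properties") or {}).get("publicAccess") or "none").lower()
        if not account_allows or level in ("none", "off"):
            result[c["name"]] = "auth required"      # account setting overrides
        elif level == "container":
            result[c["name"]] = "anonymous: container and blobs"
        elif level == "blob":
            result[c["name"]] = "anonymous: blobs only"
        else:
            result[c["name"]] = "unknown level: " + level
    return result

def audit(accounts):
    """Flatten to (account, network default action, container, exposure) rows."""
    rows = []
    for a in accounts:
        net = (a.get("networkRuleSet") or {}).get("defaultAction", "Allow")
        for name, exposure in anonymous_exposure(a).items():
            rows.append((a["name"], net, name, exposure))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-16s network=%-5s %-20s %s" % row)
```

Both sample accounts have the network default action `Allow` ("Enabled from all networks"), yet only the containers with a non-private level on the account that permits public access come out as anonymously readable.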