VPN and networking config for secure upload to ADLS Gen2 storage account?

Peter Daniels 20 Reputation points
2024-05-09T14:59:36.4666667+00:00

I'm looking into network architectures and security for implementing secure access from user laptops into Azure to upload files to ADLS Gen2 data lake blob containers. We have no on-prem network or AD - just individual user laptops. We do have MS Entra ID accounts for these users since they are using M365 and Power BI Pro licenses.

Option 1) The simplest would be to open up the Public network to the storage account and choose Secure Transfer for TLS/HTTPS. Then lock the BLOB containers down with RBAC/ACL/etc. Should I roll with that or is it not secure enough for sensitive data?

Option 2) I started going down the path of implementing Azure VPN, vNet, P2S config, private endpoint for the storage account, etc. The storage account was in a subnet in the vNet that was also associated with the virtual network gateway. I got the VPN up and running and connected to it from my laptop, but was unable to connect to the storage account. Not sure what I was missing. DNS perhaps? Routes? Also, I found out quickly that a VpnGw2 was more $ than this org wanted to pay.

Main question is this: Is the public endpoint for ADLS Gen2 secure enough for sensitive data, or should I continue to look at a P2S VPN solution? If I really should use the VPN solution, can someone help me figure out the right config so that users connected to the VPN can upload files to the ADLS Gen2 storage blob containers?

TIA,

-Peter


Accepted answer
  1. Anand Prakash Yadav 7,805 Reputation points Microsoft Vendor
    2024-05-14T11:30:57.7433333+00:00

    Hello Peter Daniels,

    Thank you for posting your query here!

    Option 1: Public Endpoint with Secure Transfer and RBAC/ACL

    Azure Data Lake Storage Gen2 (ADLS Gen2) does provide some security features. It supports both encryption-in-transit and encryption-at-rest. However, it has limited data security (no row-level, column-level, dynamic data masking, etc.). While this option might be simpler, it might not provide the level of security you need for sensitive data.

    Option 2: Azure VPN, vNet, P2S Config, Private Endpoint

    This option provides a higher level of security. The use of a VPN ensures that data is securely transmitted over the internet. However, the configuration can be complex, and the cost might be a concern.

    To answer your main question, while the public endpoint for ADLS Gen2 does provide some security, it might not be sufficient for sensitive data. Therefore, it would be advisable to continue looking at a P2S VPN solution.

    As for configuring the P2S VPN, there are several resources available that can guide you through the process. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

    Here are the general steps you might need to follow:

    1. Create a Virtual Network Gateway on Azure (VPN): This involves selecting your organization subscription, resource group, region, gateway type (VPN), VPN type (Route Based), SKU (VpnGw2), and generation (Generation2).
    2. Create a Self-Signed Certificate for P2S Connection: This is necessary for certificate-based authentication.
    3. Export Root and Child Certificates: These certificates will be used for client authentication.
    4. Configure Azure Point to Site VPN: This involves configuring the necessary VPN Gateway point-to-site (P2S) server settings.
    5. P2S VPN Installation on Client Machine: The VPN client is configured using VPN client configuration files.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
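The five steps above, together with the private endpoint and DNS pieces the question was missing, as one Azure CLI script. This is an added example, not code from the thread or from Microsoft. Every name in it is an assumption: resource group rg-datalake, region eastus, VNet vnet-datalake on 10.10.0.0/16, storage account stdatalake0001, gateway vgw-p2s, client address pool 172.16.201.0/24, a placeholder subscription id, and a DNS resolver at 10.10.2.4. It prints the commands by default (DRY_RUN=1) so they can be reviewed; DRY_RUN=0 executes them. The certificate step uses openssl as the cross-platform equivalent of the PowerShell flow in the linked article.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread or from Microsoft): Azure CLI commands for
# the P2S-VPN-plus-private-endpoint design. All names, regions and address ranges
# are assumptions; override them through environment variables.
set -u
RG="${RG:-rg-datalake}"            # assumed resource group
LOC="${LOC:-eastus}"               # assumed region
VNET="${VNET:-vnet-datalake}"      # assumed VNet name
STG="${STG:-stdatalake0001}"       # assumed storage account name (must be globally unique)
GW="${GW:-vgw-p2s}"                # assumed VPN gateway name
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
RESOLVER_IP="${RESOLVER_IP:-10.10.2.4}"              # assumed in-VNet DNS resolver address
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands; 0 = execute them

# Print each command, and execute it unless DRY_RUN=1.
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "1" ] || "$@"; }

# Step 1: VNet with a workload subnet for the private endpoint plus the
# GatewaySubnet (fixed name, /27 or larger) the VPN gateway requires.
create_network() {
  run az network vnet create -g "$RG" -l "$LOC" -n "$VNET" --address-prefix 10.10.0.0/16 \
      --subnet-name snet-storage --subnet-prefix 10.10.1.0/24
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
      --address-prefixes 10.10.255.0/27
}

# Step 2: route-based VPN gateway with a P2S client address pool. The pool must not
# overlap the VNet or the laptops' home/office LANs. VpnGw1 is the cheapest production
# SKU; VpnGw2 (the answer's choice) mainly adds throughput. Creation takes a long time.
create_gateway() {
  run az network public-ip create -g "$RG" -l "$LOC" -n "pip-$GW" --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -l "$LOC" -n "$GW" --vnet "$VNET" \
      --public-ip-address "pip-$GW" --gateway-type Vpn --vpn-type RouteBased \
      --sku VpnGw1 --vpn-gateway-generation Generation1 \
      --address-prefixes 172.16.201.0/24 --client-protocol IkeV2 OpenVPN
}

# Step 3: self-signed root plus one client certificate (openssl equivalent of the
# PowerShell New-SelfSignedCertificate flow). The root's PRIVATE key stays on the admin
# machine; only its public certificate (base64 DER, no PEM headers) goes to Azure.
make_certs() {   # usage: make_certs <client-cn>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=P2SRootCert" \
      -keyout p2s-root.key -out p2s-root.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=${1:-laptop-user}" \
      -keyout p2s-client.key -out p2s-client.csr
  printf 'extendedKeyUsage=clientAuth\n' > client-ext.cnf
  openssl x509 -req -days 365 -in p2s-client.csr -CA p2s-root.crt -CAkey p2s-root.key \
      -CAcreateserial -extfile client-ext.cnf -out p2s-client.crt
  openssl x509 -in p2s-root.crt -outform der | openssl base64 -A > p2s-root.b64
  # PKCS#12 bundle the user imports into the laptop's personal certificate store.
  openssl pkcs12 -export -in p2s-client.crt -inkey p2s-client.key \
      -out p2s-client.pfx -passout "pass:${PFX_PASS:?set PFX_PASS to an export password}"
}

# Step 4: register the root certificate on the gateway and generate the client
# configuration package (the zip the Azure VPN client or built-in VPN imports).
configure_p2s() {
  run az network vnet-gateway root-cert create -g "$RG" --gateway-name "$GW" \
      -n P2SRootCert --public-cert-data p2s-root.b64
  run az network vnet-gateway vpn-client generate -g "$RG" -n "$GW" --authentication-method EAPTLS
}

# Step 5: private endpoint for the DFS (ADLS Gen2) endpoint plus the privatelink DNS
# zone, so the account name resolves to the endpoint's private IP inside the VNet.
create_private_endpoint() {
  stg_id="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$STG"
  zone="privatelink.dfs.core.windows.net"
  run az network private-endpoint create -g "$RG" -l "$LOC" -n "pe-$STG-dfs" --vnet-name "$VNET" \
      --subnet snet-storage --private-connection-resource-id "$stg_id" --group-id dfs \
      --connection-name "pe-$STG-dfs-conn"
  run az network private-dns zone create -g "$RG" -n "$zone"
  run az network private-dns link vnet create -g "$RG" -z "$zone" -n "link-$VNET" -v "$VNET" -e false
  run az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$STG-dfs" \
      -n zg-dfs --private-dns-zone "$zone" --zone-name dfs
}

# The part that usually breaks option 2: P2S clients do not query the VNet's private DNS
# zones by themselves, so the laptop keeps resolving the PUBLIC IP and the account
# firewall refuses it. A DNS server inside the VNet (e.g. an Azure DNS Private Resolver
# inbound endpoint, or a small forwarder VM pointing at 168.63.129.16) is set as the
# VNet's DNS; clients pick it up from a freshly generated client package (step 4).
set_client_dns() {
  run az network vnet update -g "$RG" -n "$VNET" --dns-servers "$RESOLVER_IP"
}

if [ "${1:-}" = "deploy" ]; then
  create_network; create_gateway; make_certs "laptop-user"; configure_p2s
  create_private_endpoint; set_client_dns
fi
```

Verification from a connected laptop: `nslookup stdatalake0001.dfs.core.windows.net` should return an address in 10.10.1.0/24. If it still returns a public IP, the client is not using the in-VNet resolver, and uploads will fail with a network authorization error even though the tunnel is up. Note that the VPN client configuration package carries the VNet DNS setting at generation time, so regenerate and re-import it after running `set_client_dns`.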


1 additional answer

  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-05-09T17:38:28.6333333+00:00

    Hi Peter Daniels - Thanks for reaching out.

    From storage perspective,

    For option 1, the use of RBAC and ACLs helps provide granular access w.r.t. access; however, it is inclined towards the data plane, and there is no networking configuration, so access is via the Public Network.

    For option 2, this is a layered approach: it adds an extra layer on top of the data plane to restrict access first based on an authorized network, such as certain IPs in the firewall list, a VNet/subnet, or even a private endpoint. The link below talks about these different configurations.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

    Once the call is made to storage for accessing the data, it will first be evaluated for network-layer authorization, i.e. whether the call is coming from an authorized network. Once that is successful, the data plane permissions are further evaluated in terms of RBAC/ACL permissions for the operation.

    Please let us know if you have any further queries. I'm happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
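The two layers described in this answer (network rules evaluated first, then RBAC/ACL on the data plane) as Azure CLI commands, added here as an example; this is not code from the thread or from Microsoft. It puts the hardened form of option 1 (public endpoint kept, but limited to listed source ranges, TLS 1.2, HTTPS only, Entra ID tokens only) next to the option 2 lockdown, grants one user write access on one container, and ends with a small check that reads the JSON from `az storage account show` and reports which layer is weak. The resource names, the 203.0.113.0/24 source range, the placeholder subscription id, the user principal and the two sample JSON documents are all constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): storage-account network-layer and data-plane
# hardening with the Azure CLI, plus a posture check over `az storage account show`.
# Names, the source IP range, the subscription id and the user principal are assumptions.
set -u
RG="${RG:-rg-datalake}"; STG="${STG:-stdatalake0001}"; CONTAINER="${CONTAINER:-uploads}"
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print commands; 0 = execute
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "1" ] || "$@"; }

# Option 1, hardened: the public endpoint stays reachable, but only from listed source
# ranges (203.0.113.0/24 is a constructed example), over TLS 1.2 / HTTPS, and only with
# Entra ID tokens. Turning shared-key access off makes RBAC/ACL the only data-plane path,
# since an account key would otherwise bypass both.
harden_public_endpoint() {
  run az storage account update -g "$RG" -n "$STG" --default-action Deny --bypass AzureServices \
      --min-tls-version TLS1_2 --https-only true \
      --allow-blob-public-access false --allow-shared-key-access false
  run az storage account network-rule add -g "$RG" --account-name "$STG" --ip-address 203.0.113.0/24
}

# Option 2: no public network path at all; only a private endpoint reaches the account.
# The data-plane settings are the same as above.
disable_public_endpoint() {
  run az storage account update -g "$RG" -n "$STG" --public-network-access Disabled \
      --default-action Deny --min-tls-version TLS1_2 --https-only true \
      --allow-blob-public-access false --allow-shared-key-access false
}

# Second layer: grant one user write access on ONE container, not on the whole account.
grant_container_writer() {   # usage: grant_container_writer user@example.com
  scope="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$STG/blobServices/default/containers/$CONTAINER"
  run az role assignment create --assignee "$1" --role "Storage Blob Data Contributor" --scope "$scope"
}

# Posture check: feed it the JSON from `az storage account show -g RG -n STG` and it
# reports weak settings in the order Azure evaluates a request (network, then data plane).
has() { printf '%s' "$1" | grep -Eq "$2"; }
assess_account() {   # usage: assess_account "$(az storage account show -g "$RG" -n "$STG")"
  json="$1"
  if has "$json" '"publicNetworkAccess": ?"Enabled"' && has "$json" '"defaultAction": ?"Allow"'; then
    echo "NETWORK: public endpoint accepts every source IP (defaultAction=Allow)"
  fi
  has "$json" '"minimumTlsVersion": ?"TLS1_2"'  || echo "DATA: TLS below 1.2 accepted"
  has "$json" '"enableHttpsTrafficOnly": ?true'  || echo "DATA: plain HTTP accepted"
  has "$json" '"allowBlobPublicAccess": ?false' || echo "DATA: anonymous container/blob access possible"
  has "$json" '"allowSharedKeyAccess": ?false'  || echo "DATA: account keys bypass RBAC/ACL"
}
count_findings() { assess_account "$1" | awk 'END { print NR }'; }

# Constructed samples in the shape of `az storage account show` output (defaults of a
# freshly created account vs. the hardened option 1 settings above).
WEAK_SAMPLE='{"publicNetworkAccess":"Enabled","networkRuleSet":{"defaultAction":"Allow","ipRules":[]},"minimumTlsVersion":"TLS1_0","enableHttpsTrafficOnly":false,"allowBlobPublicAccess":true,"allowSharedKeyAccess":true}'
HARDENED_SAMPLE='{"publicNetworkAccess":"Enabled","networkRuleSet":{"defaultAction":"Deny","ipRules":[{"value":"203.0.113.0/24","action":"Allow"}]},"minimumTlsVersion":"TLS1_2","enableHttpsTrafficOnly":true,"allowBlobPublicAccess":false,"allowSharedKeyAccess":false}'

if [ "${1:-}" = "demo" ]; then
  echo "--- weak account ---";     assess_account "$WEAK_SAMPLE"
  echo "--- hardened account ---"; assess_account "$HARDENED_SAMPLE"
fi
```

Run it as `bash script.sh demo` to see the check against the two constructed samples, or pipe a real `az storage account show` result into `assess_account`. The IP-rule form only works for users whose egress addresses are stable; for laptops on arbitrary home networks that is rarely true, which is the practical reason the thread ends up at a VPN or private endpoint.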

