Storage Accounts - Secure transfer should be enabled

Question

I want to enable secure transfer to storage accounts. I have total 71 storage accounts but before that I need to verify whether traffic is going from http or not to these storage accounts. ( Because if traffic is from http and if we enable https then there would be mess) But I am not sure before enabling secure transfer how to verify whether traffic is going from http or https ?

I would like to hear a answers on the above question.

Thanks in advance

Answer 1

Hello Prasad Atmaram Mali

It looks like you want to verify whether the traffic to your storage accounts is using HTTP or HTTPS before enabling secure transfer Here’s how you can check if your traffic is using HTTP or HTTPS:

1. Azure Monitor Logs: You can set up Azure Monitor to track and log incoming requests to your storage accounts. This will allow you to see how many requests are made over HTTP versus HTTPS. You can use Log Analytics queries to filter and analyze this data.
2. Access Logs: If you have enabled logging for your storage accounts, you can check the access logs (these logs can be stored in a designated storage account) to see the details of each request, including the protocol used.
3. Azure Storage Metrics: Check the metrics available in the Azure portal. Under your storage account's metrics section, you may find relevant information on the types of requests and their protocols.

Once you've verified that there's no HTTP traffic, you can confidently enable secure transfer for all your storage accounts. To set it up, simply go to your storage account settings in the Azure portal and find the "Configuration" section to enable "Secure transfer required."

Note: You can instruct Azure Storage to save diagnostics logs for read, write, and delete requests for the blob, table, and queue services. The data retention policy you set also applies to these logs.

Refer: How to Enable and manage Azure Storage Analytics logs (classic) using Powershell/Portal

If you want to enable secure transfer (HTTPS) for all storage accounts, it's not possible directly. The only way to achieve this is by enabling diagnostic logs for all 70 storage accounts.

---

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hi Prasad,

I think you want to audit the Secure settings before enabling the settings? From the PS module you can export the SA settings and validate :

Select-AzSubscription -SubscriptionName "ProdSub"

$resourceGroupName = "rg-prod-UKstorage"

$storageAccounts = @(

"stproddata01",

"stprodbackup02",

"stprodanalytics03"

)

$results = foreach ($saName in $storageAccounts) {

$sa = Get-AzStorageAccount `

    -ResourceGroupName $resourceGroupName `

    -Name $saName

[PSCustomObject]@{

    StorageAccount = $sa.StorageAccountName

    ResourceGroup  = $resourceGroupName

    SecureTransfer = $sa.EnableHttpsTrafficOnly

}

}

$results

Based on the results you can apply the settings via Policy.

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.