How do I send a file from an app that runs in AWS to Azure Blob Storage that is in another organization?

Mohsen Abdalla 1 Reputation point
2022-09-06T16:19:57.57+00:00

My app is running on AWS. I want to upload files from my app to an Azure Blob Storage account that belongs to another organization.
We don't want to pass/maintain any keys (like using SAS / a connection string).

I thought of a cross-account access solution, but I have no idea how it works in Azure.

Azure Blob Storage

3 answers

  1. Takahito Iwasa 4,851 Reputation points MVP Volunteer Moderator
    2022-09-06T22:15:01.727+00:00

    Hi, @Mohsen Abdalla

    I suggest two methods.

    ---

    Suggestion 1:

    The best access management method for Azure Blob Storage is Azure AD based management without shared keys or SAS.

    Applications can be authenticated by Azure AD and obtain OAuth 2.0 tokens. You can then use that token to authorize requests to the Blob service.

    There are many ways to integrate Azure AD into your application. Please check the following documentation:

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-sync-overview

    ---

    Suggestion 2:
    You can also connect the AWS VPC and the Azure VNet with a VPN or similar, and restrict access to Azure Storage to specific networks only.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

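The token-then-request flow in suggestion 1, as an added example that is not code from this thread or from Microsoft: it obtains an OAuth 2.0 access token for the Storage resource from the Azure AD v2.0 token endpoint and then authorizes a Put Blob request with it as a bearer token. Instead of a client secret, the token request carries a `client_assertion` JWT, which Azure AD accepts when the app registration in the storage owner's tenant has a federated identity credential trusting that JWT's issuer (workload identity federation); minting that JWT on the AWS side and configuring the trust are assumed to be done already. The tenant id, client id, account and container names, the environment variable names and the `_unsigned_jwt_for_demo` helper are placeholders for the offline demo, not real values.

```python
# Added example: Azure AD bearer-token upload to Blob Storage without
# account keys or SAS. Names, ids and env vars are placeholders.
import base64
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

STORAGE_SCOPE = "https://storage.azure.com/.default"
STORAGE_AUDIENCE = "https://storage.azure.com"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
X_MS_VERSION = "2021-08-06"  # any Blob REST version that supports bearer auth


def build_token_request(tenant_id, client_id, client_assertion):
    """Client-credentials grant authenticated by a federated JWT, not a secret.

    tenant_id is the storage OWNER's tenant: the app registration, the
    federated credential and the RBAC role assignment all live there.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": STORAGE_SCOPE,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }
    return url, urllib.parse.urlencode(body).encode()


def build_put_blob_request(account, container, blob_name, access_token, data):
    """Put Blob authorized by the Authorization header; no SAS, no account key."""
    url = (f"https://{account}.blob.core.windows.net/{container}/"
           f"{urllib.parse.quote(blob_name)}")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": X_MS_VERSION,
        "x-ms-blob-type": "BlockBlob",
        "Content-Length": str(len(data)),
    }
    return url, headers


def _jwt_claims(token):
    """Decode the payload only; the signature is verified by the Blob service."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(access_token, now=None):
    """Pre-flight: right audience and not expired. A token minted for another
    resource (e.g. Graph) or reused past its lifetime would otherwise be a 401."""
    claims = _jwt_claims(access_token)
    now = time.time() if now is None else now
    aud = str(claims.get("aud", "")).rstrip("/")
    return aud == STORAGE_AUDIENCE and float(claims.get("exp", 0)) > now


def _unsigned_jwt_for_demo(claims):
    """Offline stand-in for a real token (alg none, empty signature). Demo only."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def get_access_token(tenant_id, client_id, client_assertion):
    url, body = build_token_request(tenant_id, client_id, client_assertion)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def upload_blob(account, container, blob_name, access_token, data):
    """Returns the HTTP status (201 Created on success)."""
    url, headers = build_put_blob_request(account, container, blob_name,
                                          access_token, data)
    req = urllib.request.Request(url, data=data, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 403 AuthorizationPermissionMismatch: token is valid but the service
        # principal lacks Storage Blob Data Contributor on the container.
        print("Put Blob failed:", err.code, err.headers.get("x-ms-error-code"))
        raise


if __name__ == "__main__":
    demo = _unsigned_jwt_for_demo({"aud": STORAGE_AUDIENCE, "exp": time.time() + 600})
    print("constructed demo token usable:", token_is_usable(demo))
    # Real run (placeholder env vars); the assertion JWT comes from the AWS side.
    if all(k in os.environ for k in ("AZ_TENANT", "AZ_CLIENT", "AZ_ASSERTION")):
        tok = get_access_token(os.environ["AZ_TENANT"], os.environ["AZ_CLIENT"],
                               os.environ["AZ_ASSERTION"])
        assert token_is_usable(tok)
        print(upload_blob("partneracct", "inbox", "report.csv", tok, b"id,value\n1,2\n"))
```

The service principal created for the app in the storage owner's tenant still needs an RBAC assignment (Storage Blob Data Contributor on the container or account); a valid token without that assignment produces a 403 with `x-ms-error-code: AuthorizationPermissionMismatch`, which is the first thing to check when the upload fails after the token call succeeded.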

  2. SaiKishor-MSFT 17,336 Reputation points
    2022-09-06T23:21:20.317+00:00

    @Mohsen Abdalla
    Thank you for reaching out to Microsoft Q&A. Adding to the above answer..

    I understand that you want to send a file from an app in AWS to Azure Blob storage in another org and want to know how you can achieve the same without passing sas/connection string.

    So, when you say another org., is it another subscription?

    In general, for connecting AWS to Azure Storage, here are some ways -

    Use Azure Data Factory: Azure Data Factory is useful if you do not want to use SAS keys or connection strings.
    Resources: https://azure.microsoft.com/en-us/blog/move-your-data-from-aws-s3-to-azure-storage-using-azcopy/
    https://learn.microsoft.com/en-us/azure/data-factory/connector-azure-data-lake-storage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=data-factory

    Integrate AWS with Azure AD

    Resources:

    1. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial
    2. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial
    3. https://www.youtube.com/watch?v=WSd0POCqklY

    Hope this helps.

    Please let us know if you have any more questions and we will be glad to assist you further. Thank you!


  3. SaiKishor-MSFT 17,336 Reputation points
    2022-09-08T17:54:19.687+00:00

    @Mohsen Abdalla To connect multiple subscriptions, you can do so with the below setup -

    Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants - https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions

    In this, the virtual networks exist in different subscriptions that may belong to different Azure Active Directory (Azure AD) tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other.

    However, you will need to enable private endpoint for the secondary account so you can connect to the same. Here are details on how to setup a private endpoint for a storage account- https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal

    Once you do the same, you can use the private IP of the storage endpoint and connect to it via Vnet peering from your client after allowing the client IP range in the allowed networks in the Storage Firewall. Hope this helps.

    Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

