How do i send a file from an app that runs in aws to azure blob storage that is in other orginization?

Question

My app is running on aws, i want to upload files from my app to an azure blob storage that relates to other organization.
We don't want to pass/maintain any keys.. (like using sas / connection string)

I thought of cross account access solution. but I have no idea how it works in azure..

Answer 1

Hi, @Mohsen Abdalla

I suggest two methods.

---

Suggestion 1:

The best access management method for Azure Blob Storage is Azure AD based management without shared keys or SAS.

Applications can be authenticated by Azure AD and obtain OAuth 2.0 tokens. You can then use that token to authorize requests to the Blob service.

There are many ways to integrate Azure AD into your application. Please check the following documentation:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-sync-overview

---

Suggestion 2:
You can also connect AWS VPC and Azure VNET with VPN etc. and restrict access to Azure Storage only from specific networks.

https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

Answer 2

@Mohsen Abdalla
Thank you for reaching out to Microsoft Q&A. Adding to the above answer..

I understand that you want to send a file from an app in AWS to Azure Blob storage in another org and want to know how you can achieve the same without passing sas/connection string.

So, when you say another org., is it another subscription?

In general, for connecting AWS to Azure Storage, here some ways -

Use Azure Dat factory: Azure Data Factory is useful if you do not want to use SAS keys or connection strings.
Resources: https://azure.microsoft.com/en-us/blog/move-your-data-from-aws-s3-to-azure-storage-using-azcopy/
https://learn.microsoft.com/en-us/azure/data-factory/connector-azure-data-lake-storage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=data-factory

Integrate AWS with Azure AD

Resources:

1. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial
2. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial
3. https://www.youtube.com/watch?v=WSd0POCqklY

Hope this helps.

Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Answer 3

@Mohsen Abdalla To connect multiple subscriptions, you can with the below setup -

Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants- https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions

In this, the virtual networks exist in different subscriptions that may belong to different Azure Active Directory (Azure AD) tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other.

However, you will need to enable private endpoint for the secondary account so you can connect to the same. Here are details on how to setup a private endpoint for a storage account- https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal

Once you do the same, you can use the private IP of the storage endpoint and connect to it via Vnet peering from your client after allowing the client IP range in the allowed networks in the Storage Firewall. Hope this helps.

Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.