Method to access blob storage without an exposed network

Andrea 131 Reputation points
2024-07-29T08:29:17.0533333+00:00

Hello guys,

I have a question about accessing a blob storage account that contains Terraform tfstate files. This blob storage has public network access disabled, so there is no way to access it; also, there is no VPN, and the only bastion service we have has private access to communicate only with the on-prem network.

On GCP, someone told me to use service account impersonation to access storage without exposing the blob storage and without a bastion/VPN: in practice, with the Google CLI one first authenticates as a user who is authorized to impersonate the service account, and then can directly use the storage account in the code.

I don't know how GCP works, but is it possible on Azure?

Thanks,

Andrew


2 answers

  1. Amrinder Singh 4,995 Reputation points Microsoft Employee
    2024-07-29T08:56:19.65+00:00

    Hi Andrea - Thanks for reaching out.

    To start with, below is a link that discusses the different options for configuring network-level security; connecting to storage via a private endpoint is one of them.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

    If there is any kind of VNET peering that can be done, you can test that.

    The approach you mentioned in the second part appears to point to the use of Managed Identity, whereby you configure your app with a managed identity and grant it the necessary roles in order to connect to the storage. I would suggest reviewing this approach as well.

    https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview-for-developers?tabs=portal%2Cdotnet

    Hope that helps!

    Please let me know if there are any further queries/concerns, will be glad to assist.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

  2. Amrinder Singh 4,995 Reputation points Microsoft Employee
    2024-07-29T09:01:40.5733333+00:00

    Hi Andrea - Thanks for reaching out over Q&A Forum.


    To start with, below is the reference link that discusses the different network-level restrictions available on the storage account; connecting via a private endpoint is one of them.

    Configure Azure Storage firewalls and virtual networks | Microsoft Learn


    I would request you to explore the possibility of VNET peering and then test.

    Based on your comment in the second part, it appears to be referring to Managed Identity, whereby you can configure it and then grant the role and permissions needed to connect to the storage. Below is the reference link:

    Method to access to blob storage without exposed network - Microsoft Q&A

    You can explore this approach as well.

    Hope that helps!

    Please let me know if there are any further queries/concerns, will be glad to assist.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
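An added example (not from the question or either answer, and not Microsoft's code) that encodes the point both answers make: on Azure the storage account firewall is evaluated regardless of who the caller is, so an Entra ID role or managed identity grants the permission but not the network path. It reads a constructed JSON document shaped like `az storage account show` output and states what a role holder would still need to reach a tfstate account; the account name and resource IDs are placeholders.

```python
import json

# Constructed sample shaped like `az storage account show` output for a
# tfstate account (hypothetical name and IDs, not a real account).
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "sttfstateexample",
  "publicNetworkAccess": "Disabled",
  "allowSharedKeyAccess": false,
  "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                     "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [
    {"privateEndpoint": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/privateEndpoints/pe-tfstate-blob"},
     "privateLinkServiceConnectionState": {"status": "Approved"}}
  ]
}
""")

def reachable_paths(account: dict) -> dict:
    """Summarise the network paths into the blob endpoint.

    The storage firewall is evaluated independently of authorization, so an
    RBAC role on its own never opens a path; with publicNetworkAccess Disabled
    the public endpoint is off entirely and IP/VNet rules no longer matter.
    """
    rules = account.get("networkRuleSet", {})
    public_on = account.get("publicNetworkAccess", "Enabled") == "Enabled"
    return {
        "public_any": public_on and rules.get("defaultAction") == "Allow",
        "ip_rules": [r["ipAddressOrRange"] for r in rules.get("ipRules", [])] if public_on else [],
        "vnet_rules": [r["virtualNetworkResourceId"] for r in rules.get("virtualNetworkRules", [])] if public_on else [],
        "private_endpoints": [
            c["privateEndpoint"]["id"] for c in account.get("privateEndpointConnections", [])
            if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
        ],
        "shared_key_disabled": account.get("allowSharedKeyAccess") is False,
    }

def access_verdict(account: dict) -> str:
    """What an Entra ID principal holding a blob data role still needs to connect."""
    p = reachable_paths(account)
    if p["public_any"]:
        return "public endpoint open: the RBAC role alone is sufficient"
    if p["ip_rules"] or p["vnet_rules"]:
        return "public endpoint restricted: RBAC role plus an allow-listed IP or VNet"
    if p["private_endpoints"]:
        return "private endpoint only: RBAC role plus a route into the private endpoint VNet"
    return "no network path: identity alone cannot reach the account"
```

For the sample account the verdict is "private endpoint only", which is exactly the situation in the question: the role assignment is necessary but the caller also needs peering, a VPN or a jump host inside the VNet that hosts the private endpoint.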