DEV Community

EMMANUEL
How to provide private storage for internal company documents.

A private storage account is a cloud storage account that is not reachable from the public internet: access is restricted to keep the data confidential. It is configured to deny anonymous or public access, so only authenticated users, services, or networks can reach it, usually through:

- private endpoints
- virtual networks (VNets)
- access control policies (such as IAM, RBAC, or ACLs)
- encryption at rest and in transit

Architecture diagram

Create a storage account and configure high availability

Steps

1. Create a storage account for the internal private company documents.

(a) Log in to the Azure portal.

(b) In the portal, search for and select Storage accounts.

(c) Select + Create.

(d) Select the Resource group created in the previous lab.

(e) Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.

(f) Select Review + Create and then Create the storage account.

(g) Wait for the storage account to deploy, and then select Go to resource.

2. This storage requires high availability if there's a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

(a) In the storage account, in the Data management section, select the Redundancy blade.

(b) Ensure Geo-redundant storage (GRS) is selected. GRS replicates the data to the paired region without read access to the secondary copy; RA-GRS would add that read access, which is not needed here.

(c) Refresh the page. Review the primary and secondary location information. Save your changes.
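The same account, created and verified with Azure PowerShell (Az module) instead of the portal. This is an added example, not code from the original post; it assumes you are already signed in with Connect-AzAccount and that the resource group exists, and the $rg and $location values are placeholders you replace.

```powershell
# Added example (not part of the original post): create the private storage account with the
# Az module, with the private-account settings made explicit and verified afterwards.
# Assumptions: signed in (Connect-AzAccount); resource group exists; $rg/$location are placeholders.
$rg       = 'rg-storage-lab'    # placeholder: resource group from the previous lab
$location = 'eastus'            # placeholder: region of that resource group
$name     = 'private' + (Get-Random -Minimum 10000 -Maximum 99999)   # 'private' plus a unique suffix

# Storage account names are global, so check availability before creating.
$avail = Get-AzStorageAccountNameAvailability -Name $name
if (-not $avail.NameAvailable) { throw "Name $name is taken: $($avail.Message)" }

# Standard_GRS = geo-redundant without read access to the secondary region (the lab's requirement;
# Standard_RAGRS would add secondary read access). The remaining switches deny anonymous blob
# access, reject plain HTTP and require TLS 1.2, so the account is private from the start.
New-AzStorageAccount -ResourceGroupName $rg -Name $name -Location $location `
    -SkuName Standard_GRS -Kind StorageV2 `
    -AllowBlobPublicAccess $false -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 | Out-Null

# For an account that already exists, only the redundancy needs changing:
# Set-AzStorageAccount -ResourceGroupName $rg -Name $name -SkuName Standard_GRS

# Verify rather than assume: this is the equivalent of reviewing the Redundancy blade.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
[pscustomobject]@{
    Name             = $acct.StorageAccountName
    Sku              = $acct.Sku.Name                # expected: Standard_GRS
    Primary          = $acct.PrimaryLocation
    Secondary        = $acct.SecondaryLocation       # paired region, shown once geo-replication is set up
    PublicBlobAccess = $acct.AllowBlobPublicAccess   # expected: False
    HttpsOnly        = $acct.EnableHttpsTrafficOnly  # expected: True
    MinimumTls       = $acct.MinimumTlsVersion       # expected: TLS1_2
}
```

The portal applies AllowBlobPublicAccess, HTTPS-only and the TLS minimum as defaults for new accounts; setting them explicitly in the script means an audit of the script shows the intended state and a later portal change to the defaults cannot silently weaken it.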

Create a storage container, upload a file, and restrict access to the file

Steps

1. Create a private storage container for the corporate data.

(a) Go to the storage account, and in the Data storage section, select the Containers blade. Select + Container.

(b) Ensure the Name of the container is private. Ensure the Public access level is Private (no anonymous access).

(c) Select Create.

2. For testing, upload a file to the private container. The type of file doesn't matter; a small image or text file is a good choice. Test to ensure the file isn't publicly accessible.

(a) Select the container.

(b) Select Upload.

(c) Browse to files and select a file. Upload the file.

(d) Select the uploaded file.

(e) On the Overview tab, copy the URL.

(f) Paste the URL into a new browser tab. Verify the file doesn't display and you receive an error (an XML error response such as ResourceNotFound or PublicAccessNotPermitted rather than the file contents).

3. An external partner requires read, not write, access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

(a) Select your uploaded blob file and move to the Generate SAS tab.

(b) In the Permissions drop-down, ensure the partner has only Read permissions.

(c) Verify the Start and expiry date/time covers the next 24 hours.

(d) Select Generate SAS token and URL.

(e) Copy the Blob SAS URL to a new browser tab.

(f) Verify you can access the file. If you uploaded an image file, it displays in the browser; other file types are downloaded.
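Steps 1 to 3 of this section done with Azure PowerShell (Az module): private container, upload, the anonymous-access test, a read-only 24-hour SAS, and a check of the generated token before it is shared. This is an added example, not code from the original post; it assumes you are signed in and hold Storage Blob Data Contributor on the account (needed both for OAuth uploads and for a user-delegation SAS), and $name and $file are placeholders.

```powershell
# Added example (not part of the original post): container, upload, anonymous test and SAS via
# the Az module. Assumptions: signed in (Connect-AzAccount) with Storage Blob Data Contributor;
# $name and $file are placeholders.
$name = 'private12345'   # placeholder: your private storage account
$file = '.\test.txt'     # placeholder: any small local file

# OAuth (Entra ID) context: no storage account key is handled or stored by the script.
$ctx = New-AzStorageContext -StorageAccountName $name -UseConnectedAccount

# -Permission Off is the portal's "Private (no anonymous access)".
New-AzStorageContainer -Name 'private' -Permission Off -Context $ctx | Out-Null
Set-AzStorageBlobContent -File $file -Container 'private' -Blob 'test.txt' -Context $ctx -Force | Out-Null

# Test 1: an anonymous GET of the plain blob URL must fail (the service answers with a 4xx error).
$url = "https://$name.blob.core.windows.net/private/test.txt"
try {
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Warning "Anonymous GET returned HTTP $($r.StatusCode): the blob is NOT private"
} catch {
    Write-Host "Anonymous GET rejected as expected: $($_.Exception.Message)"
}

# Read-only SAS for the next 24 hours, HTTPS only. With an OAuth context the cmdlet issues a
# user-delegation SAS (signed with a key tied to your identity), not an account-key SAS.
$start  = (Get-Date).ToUniversalTime()
$expiry = $start.AddHours(24)
$sasUrl = New-AzStorageBlobSASToken -Container 'private' -Blob 'test.txt' -Permission r `
    -StartTime $start -ExpiryTime $expiry -Protocol HttpsOnly -FullUri -Context $ctx

# Inspect the token before handing it to the partner: sp (permissions) must be exactly 'r',
# spr must be https, and se (expiry) must be no later than 24 hours from now.
$q = @{}
foreach ($pair in ([uri]$sasUrl).Query.TrimStart('?') -split '&') {
    $k, $v = $pair -split '=', 2
    $q[$k] = [uri]::UnescapeDataString("$v")
}
$expiryUtc = [DateTimeOffset]::Parse($q['se']).UtcDateTime
$limit     = (Get-Date).ToUniversalTime().AddHours(24).AddMinutes(1)
$ok = ($q['sp'] -eq 'r') -and ($q['spr'] -eq 'https') -and ($expiryUtc -le $limit)
if (-not $ok) {
    throw "SAS violates the read-only / HTTPS / 24h policy: sp=$($q['sp']) spr=$($q['spr']) se=$($q['se'])"
}

# Test 2: the SAS URL works (HTTP 200) while the plain URL did not.
$r = Invoke-WebRequest -Uri $sasUrl -UseBasicParsing
"SAS GET: HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
```

A SAS URL is a bearer credential: whoever holds it has the rights encoded in sp until se passes, so the inspection step is the one worth keeping in any script that hands tokens to outsiders. A user-delegation SAS has the added property that revoking the delegation key (or the signing identity's role) invalidates it immediately, whereas an account-key SAS can only be cut off by rotating the account key.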

Configure storage access tiers and content replication

1. To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

(a) Go to the storage account. In the Overview section, notice the Default access tier is set to Hot.

(b) In the Data management section, select the Lifecycle management blade. Select Add rule.

(c) Set the Rule name to movetocool. Set the Rule scope to Apply rule to all blobs in the storage account. Select Next.

(d) Ensure Last modified is selected. Set More than (days ago) to 30. In the Then drop-down, select Move to cool storage. Add the rule.

2. The public website files need to be backed up to another storage account.

(a) In your private storage account, create a new container called backup. Use the default values.

(b) Navigate to your publicwebsite storage account. This storage account was created with blob anonymous access enabled. In the Data management section, select the Object replication blade. Select Create replication rules.

(c) Set the Destination storage account to the private storage account.

(d) Set the Source container to public and the Destination container to backup. Create the replication rule.
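Both parts of this section (the movetocool lifecycle rule and the public-to-backup object replication) with Azure PowerShell (Az module). This is an added example, not code from the original post; $rg, $priv and $pub are placeholder names for the resource group, the private account and the publicwebsite account, and it assumes you are signed in with rights on both accounts. It also performs the prerequisite the portal prompts for but the steps above do not list: object replication requires blob versioning and change feed on both the source and the destination account.

```powershell
# Added example (not part of the original post): lifecycle rule plus object replication via the
# Az module. Assumptions: signed in (Connect-AzAccount); $rg, $priv and $pub are placeholders.
$rg   = 'rg-storage-lab'       # placeholder: resource group
$priv = 'private12345'         # placeholder: private (destination) account
$pub  = 'publicwebsite12345'   # placeholder: publicwebsite (source) account from the earlier lab

# 1. Lifecycle management: tier block blobs to cool 30 days after they were last modified.
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool -DaysAfterModificationGreaterThan 30
$filter = New-AzStorageAccountManagementPolicyFilter -BlobType blockBlob     # no prefix filter = all blobs
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'movetocool' -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $priv -Rule $rule | Out-Null

# Read the policy back: the equivalent of opening the Lifecycle management blade.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $priv).Rules |
    Select-Object Name, Enabled | Format-Table

# 2. Object replication. Prerequisite on BOTH accounts: blob versioning and change feed.
foreach ($acct in @($pub, $priv)) {
    Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $acct `
        -IsVersioningEnabled $true -EnableChangeFeed $true | Out-Null
}

# Destination container stays private even though the source container is anonymous-readable.
$ctx = New-AzStorageContext -StorageAccountName $priv -UseConnectedAccount
New-AzStorageContainer -Name 'backup' -Permission Off -Context $ctx | Out-Null

# The policy is defined on the destination first; the returned object (carrying the policy id)
# is then applied to the source account.
$orRule     = New-AzStorageObjectReplicationPolicyRule -SourceContainer 'public' -DestinationContainer 'backup'
$destPolicy = Set-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $priv `
    -PolicyId default -SourceAccount $pub -DestinationAccount $priv -Rule $orRule
Set-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $pub -InputObject $destPolicy | Out-Null

# Verify on the source side: replication status per rule.
Get-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $pub |
    Select-Object PolicyId, SourceAccount, DestinationAccount
```

Replication is asynchronous and one-way, so the backup container lags the source; for the lab's purpose (a copy of public site files in a private account) that is acceptable, but it is not a substitute for versioning or soft delete on the private account itself.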

Top comments (2)

SKILL.SCH

Wonderful

Nathan Tarbert

I've enjoyed all of the research you've put into this setup, it adds up