The Private Perimeter
In a corporate environment, not all data is meant for public consumption. Internal documents, from payroll spreadsheets to project blueprints, require a "Private-First" architecture. Simply setting a password isn't enough; true security means ensuring your storage is invisible to the public web and accessible only from within the company's trusted network.
This guide focuses on Network Isolation and Private Endpoints. We will walk through the steps to shut down public entry points and create a dedicated, private "tunnel" between your company’s virtual network and your Azure Storage, ensuring your internal documents stay internal.
Create a storage account and configure high availability
Steps:
1. In the Azure portal, search for and select Storage accounts.

3. Create a Resource group by clicking Create new; in my case, I am going to select the Resource group created in the previous lab.

4. Set a unique Storage account name and maintain other instance details.

5. Ensure Redundancy is set to Geo-redundant storage (GRS). This is recommended for backup scenarios. Then select Review + create.

6. Select Create and, once the deployment is complete, click Go to resource.
Create a storage container, upload a file, and restrict access to the file
Steps:
1. In the Data storage section of the Storage account, select Containers.

2. Click + Add container, input a name and select Create.

3. Ensure the anonymous access level is set to Private (no anonymous access) and click OK to save the changes.

4. Open the container, click Upload and select Browse for files and click Upload to save a file in the container.

5. Select the uploaded file, open its context menu and copy the URL.

6. Paste the URL into a new browser tab to verify the file access denial message.

7. Select your uploaded blob, set Permissions to Read, set the access period, then select Generate SAS token and URL and copy the Blob SAS URL. This setting is required when an external partner needs access to the file for a limited period, as defined by the agreement.
Configure storage access tiers and content replication
This process saves cost by moving blobs from the Hot tier to the Cool tier after a set number of days.
Steps:
In the Overview section of the storage account, notice that the default access tier is Hot. Therefore:
1. Select the Lifecycle management blade in the Data management section and then select Add a rule.

2. Set a Rule name then select Rule scope to Apply rule to all blobs in the storage account and then click Next.

3. Ensure Last modified is selected and set More than (days ago) to 30. Then, in the drop-down, select Move to cool storage and select Add.
The public website files need to be backed up to another storage account
Steps:
1. In the storage account, create a new container and name it.

2. Navigate to your publicwebsite storage account and in the Data management section, select the Object replication blade and then select + Create replication rules.

3. Set the Destination storage account to the private account, the Source container to public and the Destination container to backup. Then select Create to create the replication rule.
(The public storage account was created earlier.)
Verifying the backup settings
- Upload a file in the public container of the public storage account.
- Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup container.
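The same lab, scripted with the Azure CLI instead of the portal. This is an added example, not part of the original post: the resource group, account and container names are assumptions, and the Azure calls are wrapped in `apply` (run with APPLY=1) so the lifecycle policy helper can be checked on its own first.

```shell
#!/usr/bin/env bash
# Assumed names: resource group rg-lab, private account stprivatelab,
# public account publicwebsite (only the resource group must pre-exist).
set -euo pipefail
RG="${RG:-rg-lab}"; PRIVATE="${PRIVATE:-stprivatelab}"
PUBLIC="${PUBLIC:-publicwebsite}"; LOCATION="${LOCATION:-eastus}"

# Lifecycle rule: block blobs not modified for N days move Hot -> Cool.
# A function so the JSON can be inspected before it is applied.
lifecycle_policy() {
  local days="$1"
  cat <<EOF
{"rules":[{"enabled":true,"name":"cool-after-${days}-days","type":"Lifecycle",
"definition":{"actions":{"baseBlob":{"tierToCool":{"daysAfterModificationGreaterThan":${days}}}},
"filters":{"blobTypes":["blockBlob"]}}}]}
EOF
}

apply() {
  # 1. GRS account; anonymous blob access is switched off at account level
  #    so no container can later be made public by mistake.
  az storage account create -g "$RG" -n "$PRIVATE" -l "$LOCATION" \
    --sku Standard_GRS --kind StorageV2 --min-tls-version TLS1_2 \
    --allow-blob-public-access false
  # 2. Private container and a test upload, authenticated with your login.
  az storage container create --account-name "$PRIVATE" -n internal \
    --public-access off --auth-mode login
  az storage blob upload --account-name "$PRIVATE" -c internal \
    -f ./payroll.xlsx -n payroll.xlsx --auth-mode login
  # 3. Read-only, HTTPS-only user delegation SAS for a partner, 4 hours
  #    (date -d is GNU syntax).
  az storage blob generate-sas --account-name "$PRIVATE" -c internal \
    -n payroll.xlsx --permissions r --https-only --full-uri \
    --expiry "$(date -u -d '+4 hours' '+%Y-%m-%dT%H:%MZ')" \
    --as-user --auth-mode login
  # 4. Lifecycle management: Hot -> Cool after 30 days.
  az storage account management-policy create -g "$RG" \
    --account-name "$PRIVATE" --policy "$(lifecycle_policy 30)"
  # 5. Object replication public/public -> private/backup. Both accounts
  #    need blob versioning and change feed enabled first.
  for acct in "$PUBLIC" "$PRIVATE"; do
    az storage account blob-service-properties update -g "$RG" \
      --account-name "$acct" --enable-versioning true --enable-change-feed true
  done
  az storage container create --account-name "$PRIVATE" -n backup \
    --public-access off --auth-mode login
  az storage account or-policy create -g "$RG" --account-name "$PRIVATE" \
    --source-account "$PUBLIC" --destination-account "$PRIVATE" \
    --source-container public --destination-container backup
}
if [ "${APPLY:-0}" = "1" ]; then apply; fi
```

The replication policy is created on the destination (private) account; confirm with `az storage account or-policy show` on the source as well, since the rule must be present on both accounts before the check above will succeed.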
Final Thoughts
Security in the cloud isn't a one-time setup; it’s a series of layers. You have now built a vault that is private by default, cost-optimized by rule, and replicated for safety. You are now ready to manage sensitive enterprise data with the confidence of a cloud architect.
Happy Securing!
Well done, Peter!