Accessing restricted blob storage from virtual networks and Azure CDN
I decided to isolate Azure storage account behind this blog due to growing number of attacks against this little nice reading corner. I have anyway Azure CDN service enabled and it is perfect tool to get all static content of this blog as close to my dear readers as possible. Azure storage can be expensive and this is why I don’t want unbuffered traffic to land there, specially if it is generated by bunch of bots that doesn’t commit to glory of this blog anyhow. Here’s how to restrict public access to Azure storage account but keeping blob storage open for virtual machines and other Azure services.
What we want to achieve
Here’s the simple overview of architecture components involved to blob storage topic. On this diagram components are connected the way I want it to be finally.
Publisher must have direct access to blob storage from specified static IP. Backend machines must also be able to access blob storage as they publish newly combined and minified CSS and JS files to blob storage automatically. It’s clear that Azure CDN must be able to access blob storage. The last accessor is blog reader from public internet. Readers access static content only through Azure CDN.
Virtual network for virtual machines
As my blog is hosted on virtual machines (VM) then I have virtual network where all these VM-s belong. One of them is directly visible to public internet while others are not directly accessible.
If I restrict access to blob storage then somehow VM-s must still have access to it and for this we need service endpoint to blob storage. This will be the link between vnet and blob storage.
Configuring storage account
The easiest way to restrict access to blob storage and create service endpoint at same time is to configure storage account. With just few moves we will get all settings in place.
Here are the steps I did:
- Open storage account settings in Azure portal
- Move to Firewalls and virtual networks section
- Allow access from selected networks only
- Select your vnet and let Azure to add service end-point there for blob storage
- To firewall address ranges add the IP-s you use to access blob storage (static IP in office or home)
- Important! Add address range of Azure CDN service: 147.243.0.0/16
- Make sure you have selected checkbox “Allow trusted Microsoft services to access this storage account”
- Leave all other settings like they are and click Save.
The whole process takes few minutes of time and I faced no single issue. When file is directly requested from blob storage then the result is XML with error information.
Wrapping up
It’s great how I can control and configure services on Azure I use to host this blog. Keeping expenses under control by restricting access to blob storage may come with some small financial wins. But more important is to avoid mistakes like allowing blog to generate direct links to blob storage when Azure CDN is there to take all static content as close to reader as possible. I’m even more suspicious on aggressive bots that are trying to index things too frequently and therefore generate big amount of storage transactions.
Your point of view caught my eye and was very interesting. Thanks. I have a question for you.
믿을 수 있는 토토커뮤니티
Your point of view caught my eye and was very interesting. Thanks. I have a question for you.
akustik su kaçak bulma cihazı Dairemizde yaşanan su sızıntısını termal kamerayla tespit ettiler. Her aşamayı fotoğrafladılar. Sevim O. https://www.eilanver.com/uskudar-su-tesisatcisi-264
Karayolları su kaçak tespiti Evimi Kırmadan Sorunu Çözdüler: Kırmadan su kaçağı tespiti hizmeti almak çok büyük bir kolaylık. Banyomuzda hiçbir yeri kırmadan problemi buldular. https://casanografica.com/?p=534
Your article helped me a lot, is there any more related content? Thanks!
Your article helped me a lot, is there any more related content? Thanks!
Your point of view caught my eye and was very interesting. Thanks. I have a question for you.
“Your thoughtful approach makes all the difference! I’ve expanded on similar ideas in a recent article—let’s talk!”
An important conversation to have! If anyone would like to explore further, I’ve compiled related materials on my website.
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
7gvyyn
wje8jg
ai1ma8
Your article helped me a lot, is there any more related content? Thanks!
Your article helped me a lot, is there any more related content? Thanks!
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
vbop03
This is such a useful resource—thanks!
What an outstanding work! Anyone interested in the topic will find it a must-read due to your interesting writing style and excellent research. Your inclusion of examples and practical ideas is really appreciated. I appreciate you taking the time to share your wise words.
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
qic44a
Thanks for sharing. I read many of your blog posts, cool, your blog is very good.
Thanks for sharing. I read many of your blog posts, cool, your blog is very good.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
7mqesz
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
w881re
2q9vob
Your article helped me a lot, is there any more related content? Thanks!
6tkprj
555
555
555
Wh8H7enO
(724-164-5)
555*991*986*0
555*995*990*0
555*568*563*0
@@xEAwd
555
janw9t
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?
Your article helped me a lot, is there any more related content? Thanks!
5cwulh
ihu06b
Thank you very much for sharing, I learned a lot from your article. Very cool. Thanks.
vfpyr5
7n41sy
Your point of view caught my eye and was very interesting. Thanks. I have a question for you.
1
555
NrVpUDvQ
1′”
1
555
555
1*555
(1270-710-5)
555
(1427-867-5)
555*354*349*0
(1431-871-5)
@@2YLJY
https://localiweb.com/
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
Thank you very much for sharing, I learned a lot from your article. Very cool. Thanks.