Configuring network access to the storage account
You can restrict access to your storage account to a specific set of supported networks. To do this, you configure network rules so that only applications that request data over those networks can access the storage account. When these network rules are in effect, the application still needs to use proper authorization on the request. This authorization can be provided by Azure Active Directory credentials (for blobs and queues), an SAS token, or a valid account access key.
In the following demonstration, we are going to configure network access to the storage account that we created in the previous step. You can manage storage accounts through the Azure portal, PowerShell, or CLIv2. We are going to set this configuration from the Azure portal. Therefore, we have to perform the following steps:
- Navigate to the Azure portal by opening https://portal.azure.com.
- Go to the storage account that we created in the previous step.
- From the overview blade, in the left-hand menu, select Firewalls and virtual networks.
- To grant access to a virtual network with a new network rule, choose between the two options under Virtual Networks: All networks, which allows traffic from all networks (both virtual and on-premises) and the internet to access the data, and Selected networks, which lets you configure which networks are allowed to access the data from the storage account. Select Selected networks. You can then either add an existing virtual network or create a new one. For this demonstration, click on + Add new virtual network.
- A new blade will open, where you will have to specify the network configuration. Specify the configuration that's shown in the following screenshot:
- Click on Create.
- The virtual network will be added to the overview blade. This storage account is now secure and can be accessed only from applications and other resources that use this virtual network. In this same blade, you can also configure the firewall and only allow certain IP ranges from the internet or your on-premises environment.
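To confirm the result of these steps outside the portal, the following added example (not part of the original text) audits an account's network rule set in the JSON shape returned by `az storage account show --query networkRuleSet`. The sample rule sets, the resource names, and the 256-address threshold are constructed assumptions.

```python
import ipaddress

# Constructed samples in the shape of `az storage account show --query networkRuleSet`.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
             "/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/default")
SAMPLE_LOCKED = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",  # portal setting: "Selected networks"
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    "virtualNetworkRules": [
        {"action": "Allow", "state": "Succeeded", "virtualNetworkResourceId": SUBNET_ID}],
}
SAMPLE_OPEN = {
    "bypass": "AzureServices",
    "defaultAction": "Allow",  # portal setting: "All networks"
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "198.51.100.0/22"}],
    "virtualNetworkRules": [
        {"action": "Allow", "state": "NetworkSourceDeleted",
         "virtualNetworkResourceId": SUBNET_ID}],
}


def audit_network_rules(rule_set, max_addresses=256):
    """Return a list of findings; an empty list means access is restricted as intended."""
    findings = []
    # With defaultAction Allow, the virtual network and IP rules are not enforced.
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: all networks and the internet are allowed")
    for rule in rule_set.get("virtualNetworkRules") or []:
        state = rule.get("state")
        if state and state.lower() != "succeeded":
            findings.append(f"virtual network rule in state {state}: "
                            f"{rule.get('virtualNetworkResourceId')}")
    for rule in rule_set.get("ipRules") or []:
        # A bare address such as 203.0.113.5 parses as a /32 network.
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if net.num_addresses > max_addresses:
            findings.append(f"IP rule {net} admits {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("open", SAMPLE_OPEN)):
        print(name, audit_network_rules(sample) or "OK")
```
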
This concludes this demonstration. In the next demonstration, we are going to generate and manage SAS.