Key Configuration Areas in Storage Account and Blob Service
- Network Configuration (Storage Firewall & Virtual Networks):
- Each Azure storage account has a built-in firewall that enables setting up rules for secure access.
- Configuration Options:
- Virtual Network Rules: Enable connections from specific virtual networks in Azure, allowing trusted workloads.
- IP Address Ranges: Allow or block access to the storage account based on specified IP ranges.
- Service Exceptions: Grant access to trusted Azure services, such as logging and monitoring services, without requiring firewall rules.
- Custom Domain Configuration:
- Azure provides a default endpoint format ([storage_account_name].blob.core.windows.net), but you can use a custom domain for easier access, like customdomain/container/myblob.
- Limitations:
- HTTPS Support: Azure storage doesn’t support HTTPS natively with custom domains, though you can use Azure CDN for secure HTTPS access.
- One Custom Domain: Only a single custom domain is allowed per storage account.
- Content Delivery Network (CDN):
- Azure’s CDN optimizes content delivery by caching static content at CDN locations, which reduces latency for users globally.
- Example Workflow:
- If your blob storage is in Australia and most users are in India, setting up a CDN for Indian regions will cache the content closer to users. The first request retrieves data from the original blob location, caching it in the CDN; subsequent requests serve data directly from the local CDN cache, improving access speed.
- Other Configuration Options:
- Performance Tier: Once set during creation (e.g., Standard or Premium), it cannot be changed.
- Access Tier: Allows switching between “Hot” (frequent access) and “Cool” (infrequent access) based on storage needs.
- Replication Strategy: Changeable based on redundancy requirements, such as locally redundant storage (LRS), geo-redundant storage (GRS), etc.
- Azure Active Directory (AD) Authentication: Enables secure authentication for Azure Files.
- Secure Transfer Requirement: Ensures that data access only occurs over secure HTTPS connections (except when using custom domains without HTTPS support).
Configuring Custom Domains
Follow these steps to set up a custom domain for your storage account:
- Access Your Storage Account:
- Log in to Azure Portal and open your Resource Group and Storage Account.
- Firewall and Network Rules:
- Go to the Firewall and Virtual Networks section in your storage account settings.
- Define the virtual network rules or IP address ranges to restrict or allow access.
- For example, enable trusted Microsoft services to access logs or records by selecting the necessary checkboxes.
- Configure CDN Endpoint:
- In the storage account’s CDN configuration section, create a CDN profile and map the CDN endpoint to your storage account. This enables caching content closer to end-users, reducing latency.
- Set Up Custom Domain:
- Step 1: Open your Resource Group, select your Storage Account, and navigate to the Custom Domain tab.
- Step 2: Go to your domain provider’s website and access DNS settings. Here, create a CNAME record pointing your domain to the Azure Blob URL (e.g., akkiteststorage.blob.core.windows.net).
- Step 3: In the Azure portal’s Custom Domain window, enter your subdomain (e.g., www.sample.com), then save the configuration.
- Step 4: Test by opening the custom domain URL in a browser to access content stored in blob storage.
Important Notes:
- Secure Transfer Requirement:
- Ensure Secure Transfer Required is disabled when using a custom domain, as HTTPS is unsupported for Azure custom domains natively.
- If HTTPS is essential, Azure CDN provides an alternative to secure your custom domain.
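An added example, not part of the original page: a Python check that reads account JSON shaped like the output of az storage account show and flags the firewall, IP range and secure transfer settings discussed above. The sample account is constructed, and the function name, finding codes and the min_prefix threshold are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample, shaped like the JSON printed by `az storage account show`.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplestorage",
  "enableHttpsTrafficOnly": false,
  "customDomain": {"name": "www.sample.com"},
  "networkRuleSet": {
    "defaultAction": "Allow",
    "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"},
                {"ipAddressOrRange": "0.0.0.0/1", "action": "Allow"}],
    "virtualNetworkRules": []
  }
}
""")


def audit_storage_account(account, min_prefix=16):
    """Return (code, message) findings for the settings covered on this page."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    domain = (account.get("customDomain") or {}).get("name")

    # Firewall: with defaultAction "Allow" the rules below restrict nothing.
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append(("FW_OPEN", "firewall default action is Allow; "
                         "virtual network and IP rules are not enforced"))

    # IP ranges: flag ranges wider than min_prefix (an assumed policy threshold).
    for rule in rules.get("ipRules") or []:
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if net.prefixlen < min_prefix:
            findings.append(("IP_BROAD", f"IP rule {net} is wider than /{min_prefix}"))

    # Secure transfer: disabled means plain HTTP requests are accepted.
    if not account.get("enableHttpsTrafficOnly", False):
        if domain:
            findings.append(("HTTP_CUSTOM_DOMAIN", f"secure transfer is off for custom "
                             f"domain {domain}; serve it over HTTPS through Azure CDN"))
        else:
            findings.append(("HTTP_NO_REASON", "secure transfer is off although "
                             "no custom domain is configured"))
    return findings


if __name__ == "__main__":
    for code, message in audit_storage_account(SAMPLE_ACCOUNT):
        print(f"{code}: {message}")
```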