Secure Way to Access an Azure Storage Account with IP-Based Firewall

Ortega, Ivan 60 Reputation points
2025-03-06T21:54:01.79+00:00

Hey everyone,

I’m currently working on accessing an Azure Storage Account that has a firewall enabled, allowing only specific IP addresses to connect. While this works, I’m concerned about the security implications, especially since some clients have dynamic IPs. How can I achieve access in a more secure way? Is SAS my best option?

Here’s my current setup:

  • The Storage Account has a firewall configured to allow only specific IP addresses.
  • A Power BI dashboard that is outside the vnet and needs to access a blob container within the vnet.

Any advice, examples, or references to documentation would be greatly appreciated!

Thanks in advance!

Azure Storage Accounts

Accepted answer
  1. Nandamuri Pranay Teja 960 Reputation points Microsoft External Staff
    2025-03-07T02:18:08.0633333+00:00

    Hello Ortega, Ivan

    I understand that you want to establish a secure method for accessing an Azure Storage Account utilizing an IP-based firewall.

    Yes, SAS tokens serve as an effective means of granting temporary access to your blob storage while safeguarding your account keys. You can generate a SAS token with specific permissions and an expiration time, allowing the Power BI dashboard to access the blob container without needing to modify the firewall settings.

    • Grant only the necessary permissions (e.g., read, write) to minimize risk.
    • If possible, restrict the SAS token to specific IP addresses, although this may be challenging with dynamic IPs.

    If your Power BI dashboard is capable of integration within a Virtual Network (VNet), it is advisable to utilize Azure Private Link. This feature facilitates the establishment of a private endpoint for your Azure Storage Account, thereby ensuring secure access through the Azure backbone network while keeping it shielded from public internet exposure.

    • Traffic between your VNet and the storage account remains private.
    • The storage account is not accessible over the public internet.

    Please be informed that using SAS tokens combined with Azure Private Link would provide a secure and flexible solution for accessing your Azure Storage Account from the Power BI dashboard. If moving the dashboard into the VNet is not feasible, consider using service endpoints or VPN solutions to maintain security while allowing necessary access. Regularly review and update your security configurations to adapt to changing requirements.

    References:

    https://learn.microsoft.com/en-us/azure/security/fundamentals/paas-applications-using-storage#use-a-shared-access-signature-instead-of-a-storage-account-key

    Hope the above answer helps! Please let us know if you have any further queries.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
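
An added example (not part of either answer, and not Microsoft's code): a Python check that audits a SAS URL against the points in the accepted answer, namely least-privilege permissions, a short expiry and an optional IP restriction, before the token is handed to a client. The policy values, function names and sample URLs are assumptions; `sp`, `se`, `spr`, `sip`, `sr` and `srt` are the documented SAS query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

ALLOWED_PERMS = set("rl")           # assumed policy: read + list only
MAX_LIFETIME = timedelta(hours=8)   # assumed policy: short-lived tokens
SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_expiry(value):
    """Parse the ISO 8601 UTC forms accepted for the se parameter."""
    for fmt in SE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url, now, require_ip=False):
    """Return findings for a SAS URL; an empty list means it meets the policy."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr=https)")
    if "srt" in q or q.get("sr") not in ("c", "b"):
        findings.append("scope wider than one container or blob")
    extra = set(q.get("sp", "")) - ALLOWED_PERMS
    if extra:
        findings.append("excess permissions: " + "".join(sorted(extra)))
    expiry = parse_expiry(q.get("se", ""))
    if expiry is None:
        findings.append("missing or unparseable expiry (se)")
    elif expiry <= now:
        findings.append("already expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append("lifetime exceeds %s" % MAX_LIFETIME)
    if require_ip and "sip" not in q:
        findings.append("no IP restriction (sip)")
    return findings


# Constructed sample URLs; account, container and signature are placeholders.
BASE = "https://examplestorage.blob.core.windows.net/reports?sv=2022-11-02"
GOOD = BASE + "&sr=c&sp=rl&se=2025-03-07T10%3A00%3A00Z&spr=https&sig=PLACEHOLDER"
BROAD = BASE + "&ss=b&srt=sco&sp=rwdlac&se=2026-03-07T00%3A00%3A00Z&sig=PLACEHOLDER"
NOW = datetime(2025, 3, 7, 3, 0, tzinfo=timezone.utc)
```

A token that references a stored access policy (`si`) carries its expiry in the policy, so this check reports its `se` as missing. Leave `require_ip` off for clients with dynamic IPs, as the answer notes.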

1 additional answer

  1. Divyesh Govaerdhanan 1,920 Reputation points
    2025-03-07T00:51:58.55+00:00

    Hello,

    Welcome to Microsoft Q&A,

    You can use either Managed Identity or Private Endpoint.

    Managed Identity:

    Private Endpoint:

    Please Upvote and Accept the answer if it helps!!

    1 person found this answer helpful.
