Securing access to Azure Blob Storage using Azure PrivateLink
Azure Blob Storage is a scalable cloud storage solution for unstructured data. To secure access to your Azure Blob Storage, you can set up Azure Private Link, which allows you to access Azure services privately from your virtual network. Azure Private Link creates a private endpoint in your virtual network and assigns it an IP address from your VNet address space. When you send traffic to the Azure service through that endpoint, the traffic travels over the Microsoft backbone network, bypassing the public internet.
To get started, you'll need to have permissions to create and manage Azure resources, including networking and storage resources. Also, ensure that you are logged into your Azure account via the Azure CLI and have selected a subscription where you want to create these resources.
The following Pulumi program will create an Azure Blob Storage account and container, and then configure a Private Endpoint to secure the connection using Azure Private Link. We will write this program in TypeScript.
Here's the high-level process that we will follow:
- Create an Azure Resource Group to contain all of our resources.
- Set up an Azure Storage Account for Blob Storage.
- Create a Blob Container inside the Storage Account.
- Provision a Virtual Network and a Subnet to host the Private Endpoint.
- Establish a Private Endpoint connected to our Blob Storage Account.
Now let's write the full Pulumi program:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Create an Azure Resource Group
const resourceGroup = new azure_native.resources.ResourceGroup("my-resource-group");

// Create an Azure Storage Account
const storageAccount = new azure_native.storage.StorageAccount("mystorageaccount", {
    resourceGroupName: resourceGroup.name,
    kind: "StorageV2",
    sku: {
        name: "Standard_LRS",
    },
});

// Create a Blob Container in the Storage Account
const blobContainer = new azure_native.storage.BlobContainer("myBlobContainer", {
    accountName: storageAccount.name,
    resourceGroupName: resourceGroup.name,
    publicAccess: "None", // Disallow public access
});

// Create a Virtual Network
const vnet = new azure_native.network.VirtualNetwork("myVnet", {
    resourceGroupName: resourceGroup.name,
    addressSpace: {
        addressPrefixes: ["10.0.0.0/16"],
    },
});

// Create a Subnet for the Private Endpoint
const subnet = new azure_native.network.Subnet("mySubnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: vnet.name,
    addressPrefix: "10.0.1.0/24",
    privateEndpointNetworkPolicies: "Disabled",
});

// Create a Private Endpoint for the Blob Storage Account
const privateEndpoint = new azure_native.network.PrivateEndpoint("myPrivateEndpoint", {
    resourceGroupName: resourceGroup.name,
    subnet: {
        id: subnet.id,
    },
    privateLinkServiceConnections: [{
        name: "storageConnection",
        privateLinkServiceId: storageAccount.id,
        groupIds: ["blob"], // "blob" is the group identifier for Azure Blob Storage
    }],
});

// Export outputs - in this case, we are exporting the endpoint network interface id
// to demonstrate stack exports; adjust your exports according to your needs
export const privateEndpointNetworkInterfaceId = privateEndpoint.networkInterfaces.apply(ni => ni[0].id);
```
This program sets up an Azure Blob Storage account with a private container and links it to a virtual network via Azure Private Link. The resources are wrapped in a Resource Group for easy management. The blob container's `publicAccess` is set to `"None"` to disallow anonymous public access to the blobs. The subnet disables private endpoint network policies, which the Private Endpoint needs in order to connect properly. The Private Endpoint creates a secure connection between the virtual network and the Azure Storage Account, reachable from the VNet over the Microsoft backbone network.

You will need to add this code to a `.ts` file and run it using the Pulumi CLI. Ensure your Pulumi stack is properly configured for the Azure environment. You can then apply this configuration with the `pulumi up` command. Remember to securely manage your Pulumi access tokens and any sensitive data you use in your Pulumi programs. Additionally, adjust the IP address ranges used in the VNet and Subnet to fit your networking scheme if necessary.
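A Private Endpoint adds a private path to the storage account but does not by itself close the account's public endpoint or change how its blob hostname resolves, so after `pulumi up` it is worth checking the account's network settings and DNS. The following TypeScript audit helper is an added example, not part of the Pulumi program above: it assumes an account description in the shape of `az storage account show` output (real ARM property names; the sample values and the resolved IP are constructed) and a DNS answer obtained separately from inside the VNet.

```typescript
// Shape of the relevant fields from `az storage account show` (ARM property names).
interface StorageAccountView {
  name: string;
  publicNetworkAccess?: "Enabled" | "Disabled";
  allowBlobPublicAccess?: boolean;
  networkRuleSet?: { defaultAction: "Allow" | "Deny" };
  privateEndpointConnections?: { privateLinkServiceConnectionState: { status: string } }[];
}

interface Finding { check: string; ok: boolean; detail: string; }

// Dotted IPv4 address -> unsigned 32-bit integer; rejects malformed input.
function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True when `ip` lies inside the CIDR block, e.g. inCidr("10.0.1.4", "10.0.0.0/16").
function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// vnetCidr: address space of the VNet hosting the endpoint (10.0.0.0/16 above);
// resolvedIp: what `<name>.blob.core.windows.net` resolves to from inside that VNet.
function auditPrivateLinkPosture(acct: StorageAccountView, vnetCidr: string, resolvedIp: string): Finding[] {
  const approved = (acct.privateEndpointConnections ?? [])
    .filter(c => c.privateLinkServiceConnectionState.status === "Approved").length;
  // The public endpoint stays open unless public network access is disabled
  // or the account's network rules default to Deny.
  const publicClosed = acct.publicNetworkAccess === "Disabled"
    || acct.networkRuleSet?.defaultAction === "Deny";
  return [
    { check: "approved-private-endpoint", ok: approved > 0,
      detail: `${approved} approved private endpoint connection(s)` },
    { check: "public-endpoint-closed", ok: publicClosed,
      detail: `publicNetworkAccess=${acct.publicNetworkAccess ?? "unset"}, defaultAction=${acct.networkRuleSet?.defaultAction ?? "unset"}` },
    { check: "anonymous-blob-access-off", ok: acct.allowBlobPublicAccess === false,
      detail: `allowBlobPublicAccess=${acct.allowBlobPublicAccess ?? "unset"}` },
    { check: "dns-resolves-to-private-ip", ok: inCidr(resolvedIp, vnetCidr),
      detail: `${acct.name}.blob.core.windows.net -> ${resolvedIp} (VNet ${vnetCidr})` },
  ];
}

// Constructed sample: the account as the program above leaves it, endpoint approved,
// public path still open and DNS still answering with a (made-up) public address.
const sampleAccount: StorageAccountView = {
  name: "mystorageaccount", publicNetworkAccess: "Enabled", allowBlobPublicAccess: true,
  networkRuleSet: { defaultAction: "Allow" },
  privateEndpointConnections: [{ privateLinkServiceConnectionState: { status: "Approved" } }],
};
```

Running the audit on the sample passes only the private-endpoint check; setting `publicNetworkAccess` to `"Disabled"` (or a `Deny` default action), `allowBlobPublicAccess` to `false`, and resolving the blob hostname to the endpoint's VNet address makes all four checks pass.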