If you’re an Azure user, you know that Azure Storage is a critical service for storing your data. What you may not know is that the Storage service tag, used together with the storage account firewall, can help protect that data from unauthorized network access.
In this blog post, we’ll explain what the Storage service tag is, how it differs from the storage account firewall and from resource tags, and how to use them together. Stay safe!
Azure Storage Firewall Service Tag
Azure Storage is a highly available and scalable storage service for your cloud. It offers an SLA of at least 99.9% (higher for read access to geo-redundant data), geo-redundancy, multiple access tiers, and flexible storage options. Azure Storage is reached over several protocols: REST over HTTPS, SMB and NFS for file shares, and NFS 3.0 and SFTP for blobs. A shared access signature (SAS) is an authorization mechanism carried in the request, not a protocol.
A service tag is a Microsoft-maintained label for a set of IP address prefixes. The Storage tag stands for the public endpoints of Azure Storage in every region, and regional variants such as Storage.WestEurope cover a single region. You use it as the source or destination of a network security group (NSG) rule or an Azure Firewall rule, so the rule keeps working when Microsoft changes the addresses behind it. You do not assign a service tag to a storage account, and it is not part of the storage account firewall. Which clients a particular account accepts is decided on the account itself: the account firewall (default action Allow or Deny, IP rules, virtual network rules, resource instance rules, and exceptions for trusted Microsoft services) or, for a private path, a private endpoint.
Service tags are also unrelated to resource tags. Resource tags are the name/value pairs you attach to a storage account or other resource to group related resources and filter them in PowerShell or the Azure portal; they carry no access control of their own.
Property | Service tag | Resource tag
Defined by | Microsoft; you cannot create or edit one (for example Storage, Storage.WestEurope) | You, as a name/value pair (for example env=prod)
Scope | The IP prefixes of an Azure service, globally or per region | One resource, resource group or subscription
Where used | NSG and Azure Firewall rules, as source or destination | Portal, PowerShell and CLI filtering, billing reports, Azure Policy
Security effect | Filters traffic in the rule that references it | None by itself; a tag does not restrict access
Application Security Groups vs. Azure Storage Firewall Service Tag
Application security groups (ASGs) are a network security group feature, not a storage feature. An ASG groups the network interfaces of virtual machines so that an NSG rule can name the group as its source or destination instead of listing IP addresses. The storage account firewall knows nothing about ASGs, and there are no container- or blob-level firewall rules: network rules apply to the whole account.
For example, suppose you have a storage account named Contoso123 with two containers, WebApp1 and WebApp2, and you want only the web servers in the ASGs App1ASG and App2ASG to reach it. You would do two things. On the account, set the default action to Deny and add virtual network rules for the subnets those servers live in (after enabling the Microsoft.Storage service endpoint on each subnet), or give the account a private endpoint in that virtual network. On the NSG attached to those subnets, add an outbound rule whose source is App1ASG and App2ASG and whose destination is the Storage service tag on TCP 443, followed by a rule that denies other outbound traffic to the Storage tag.
The account firewall decides which networks the account accepts; the NSG rule decides which VMs may talk to Azure Storage at all. You cannot add a storage account to an ASG, and if WebApp1 and WebApp2 need different network rules they must live in separate storage accounts.
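As an added example (this is not code from the original post), the following script prints the Azure CLI commands that implement the Contoso123 scenario above: deny by default on the account, admit the web subnets through virtual network rules, and allow only NICs in App1ASG and App2ASG to reach the Storage service tag. The resource group, virtual network, subnet names, NSG name and region are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Lock storage account Contoso123
# to the subnets behind App1ASG and App2ASG, then let only NICs in those ASGs
# open HTTPS to Azure Storage through an NSG rule that uses the Storage
# service tag. Resource group, VNet, subnet, NSG names and region are
# assumptions for illustration. Commands are printed unless DRY_RUN=0.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-contoso}"                            # assumed resource group
ACCOUNT="${ACCOUNT:-contoso123}"                  # account names are lowercase
VNET="${VNET:-vnet-contoso}"                      # assumed virtual network
NSG="${NSG:-nsg-webapps}"                         # assumed NSG on the web subnets
STORAGE_TAG="${STORAGE_TAG:-Storage.WestEurope}"  # regional Storage service tag

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Account-level firewall: deny by default; the AzureServices bypass keeps
# trusted Microsoft services (backup, monitoring) working. There is no
# container-level firewall, so this applies to every container in the account.
harden_account_firewall() {
  run az storage account update -g "$RG" -n "$ACCOUNT" \
    --public-network-access Enabled --default-action Deny --bypass AzureServices
}

# Virtual network rule for one subnet. The subnet needs the Microsoft.Storage
# service endpoint first; otherwise its traffic arrives from a public NAT
# address and the rule never matches.
allow_subnet() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$1" \
    --service-endpoints Microsoft.Storage
  run az storage account network-rule add -g "$RG" --account-name "$ACCOUNT" \
    --vnet-name "$VNET" --subnet "$1"
}

# NSG rule: source is an ASG (VM NICs, not the storage account), destination
# is the Storage service tag, which Microsoft keeps current for you.
# One ASG per rule; priorities must be unique within the NSG.
allow_asg_to_storage() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "AllowStorageFrom$2" \
    --priority "$1" --direction Outbound --access Allow --protocol Tcp \
    --source-asgs "$2" --source-port-ranges '*' \
    --destination-address-prefixes "$STORAGE_TAG" --destination-port-ranges 443
}

# Catch-all so VMs outside the ASGs cannot reach Azure Storage at all.
deny_other_storage() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n DenyStorageOutbound \
    --priority "$1" --direction Outbound --access Deny --protocol '*' \
    --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes "$STORAGE_TAG" --destination-port-ranges '*'
}

harden_account_firewall
allow_subnet snet-webapp1
allow_subnet snet-webapp2
allow_asg_to_storage 100 App1ASG
allow_asg_to_storage 110 App2ASG
deny_other_storage 4000
```

Run it as-is to review the commands; set DRY_RUN=0 to execute them against a subscription you are logged in to. The printed * arguments are shown unquoted for readability; quote them if you paste a line into a shell.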
Use Case for Azure Storage Firewall Service Tag
Here are some common scenarios and the control that actually implements each. You need different access policies for different sets of data in one account. For example, one set of users may read from a container while another both reads and writes the same container. This is an authorization problem, not a firewall problem: assign Azure RBAC roles such as Storage Blob Data Reader and Storage Blob Data Contributor at container scope, or issue shared access signatures with the right permissions. Resource tags do not carry firewall rules, and the account firewall cannot tell one container from another.
You need to restrict access to specific public IP addresses or ranges. Add IP rules to the account firewall and set the default action to Deny. Rules are account-wide, so a container that must be reachable only from 202.54.1.0/24 and 203.0.113.0/24 and another that must be reachable from any client belong in two different storage accounts.
Three caveats a practitioner should know. IP rules accept only public addresses, so private ranges such as 10.0.0.0/8 and 192.168.0.0/16 are rejected; traffic from your own virtual networks is admitted through virtual network rules or a private endpoint instead. IP rules have no effect on requests that originate from the same Azure region as the account, which again calls for virtual network rules. And /31 and /32 prefixes are not supported, so a single host is written as a plain address with no prefix.
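As an added example, not code from the original post, here is a POSIX shell helper that checks candidate IP rules against those constraints before emitting the matching az storage account network-rule add commands. It generalizes the post’s examples slightly by also accepting the wildcard notation used above. The account name, resource group and sample ranges are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: validate candidate IP rules for
# the storage account firewall and emit the matching az commands.
# Account name, resource group and sample ranges are constructed for this demo.
set -eu

RG="${RG:-rg-contoso}"           # assumed resource group
ACCOUNT="${ACCOUNT:-contoso123}" # assumed storage account

# Normalize wildcard notation to CIDR: 202.54.1.* -> 202.54.1.0/24,
# 203.0.*.* -> 203.0.0.0/16, 203.*.*.* -> 203.0.0.0/8. Anything else is
# returned unchanged (the firewall itself only accepts CIDR or a plain address).
to_cidr() {
  case "$1" in
    *.\*.\*.\*) printf '%s\n' "${1%.*.*.*}.0.0.0/8" ;;
    *.*.\*.\*)  printf '%s\n' "${1%.*.*}.0.0/16" ;;
    *.*.*.\*)   printf '%s\n' "${1%.*}.0/24" ;;
    *)          printf '%s\n' "$1" ;;
  esac
}

# RFC 1918 check on a dotted quad. The storage firewall accepts only public
# addresses in IP rules; traffic from your own VNets is admitted through
# virtual network rules or a private endpoint instead.
is_rfc1918() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  case "$1" in
    10)  return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Print the normalized rule and return 0 if the firewall would accept it;
# otherwise print a reason on stderr and return 1. Constraints: IPv4 dotted
# quad, public range, prefix /1 to /30. /31 and /32 are not supported, so a
# single host is written as a plain address without a prefix.
validate_ip_rule() {
  rule=$(to_cidr "$1")
  ip="${rule%%/*}"
  case "$rule" in */*) prefix="${rule##*/}" ;; *) prefix="" ;; esac
  if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "reject $1: not an IPv4 address" >&2; return 1
  fi
  for octet in $(printf '%s\n' "$ip" | tr '.' ' '); do
    if [ "$octet" -gt 255 ]; then echo "reject $1: octet out of range" >&2; return 1; fi
  done
  if is_rfc1918 "$ip"; then
    echo "reject $1: private (RFC 1918) ranges are not allowed in IP rules" >&2; return 1
  fi
  if [ -n "$prefix" ]; then
    if ! printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || [ "$prefix" -lt 1 ] || [ "$prefix" -gt 30 ]; then
      echo "reject $1: prefix must be /1 to /30 (write a single host as a plain address)" >&2; return 1
    fi
  fi
  printf '%s\n' "$rule"
}

# Emit the az command for one rule, or nothing if the rule was rejected.
# IP rules only matter once the account's default action is Deny.
emit_rule() {
  cidr=$(validate_ip_rule "$1") || return 1
  printf 'az storage account network-rule add -g %s --account-name %s --ip-address %s\n' \
    "$RG" "$ACCOUNT" "$cidr"
}

# Constructed candidates: the post's two ranges in wildcard and CIDR form,
# two private ranges the firewall rejects, and a /32 that must be rewritten.
for candidate in '202.54.1.*' 203.0.113.0/24 10.0.0.0/8 192.168.0.0/16 198.51.100.5/32 198.51.100.5; do
  emit_rule "$candidate" || true
done
```

Rejected candidates are reported on stderr and produce no command, so the accepted lines on stdout can be reviewed and then run against an account whose default action is already Deny.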