
Azure Storage Firewall and Virtual Networks - how to prevent unauthorized access

In Azure Storage there's a section called Firewalls and Virtual Networks. May I know if I can use it for the following usecase?

  1. I have a video uploaded to the blob, and I need only a set of selected users who have logged in to the application to view my video.

  2. My WebAPI application is hosted as an Azure WebApp. Can I use the IP address where the WebApp is hosted to create a rule in the Firewalls and Virtual Networks section below to only allow access to Storage if the user requests the URL via the WebApp? (Let's say /viewVid/myvideo.mp4)

  3. In case the User copies the URL of the Video (by inspecting the HTML code) and pastes it into the browser, will the user be able to view the video, as the request is not coming via the WebApp?

Note: Overall objective is to prevent a User from copying a URL (by inspecting the HTML code) and downloading or viewing the video.


Firewalls and VNet NSGs are network-level restrictions, so they will not give you the user-level restrictions you are looking for. You can use them to limit your surface area, but to implement what you are asking for, you need to implement authentication.

Azure Blob Storage supports Shared Key, Shared Access Signatures (SAS), Azure Active Directory (AAD), Active Directory Domain Services (ADDS) and Anonymous public access. The most secure way is to implement AAD with user delegation. If you are not able to store the users for this application in AAD, then you should look at SAS. SAS tokens can be time-bound and restricted to certain IP addresses.

Also, you should take a look at Azure Media Player. Microsoft Azure Media Services (AMS) is an extensible cloud-based platform that enables developers to build scalable media management and delivery applications. Media Services is based on REST APIs that enable you to securely upload, store, encode, and package video or audio content for both on-demand and live streaming delivery to various clients (for example, TV, PC, and mobile devices).

Links:

  - https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access
  - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
  - https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-content-protection-overview
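To make the SAS recommendation above concrete, here is an added example (not code from the answer author or from Azure's SDK) of what the WebApp would do for each logged-in viewer: mint a read-only SAS for a single blob that expires in five minutes and is bound to the viewer's IP, then apply the same checks the storage service performs when the URL is presented. The signing scheme is reproduced by hand from the service SAS string-to-sign so the block runs offline; in a real WebApp you would call `generate_blob_sas()` from the `azure-storage-blob` SDK and keep the account key in Key Vault. The account name, account key, container, blob name and IP addresses are constructed placeholders.

```python
"""Short-lived, IP-scoped, read-only SAS for one blob, plus a mirror of the
checks the storage service applies when the URL is presented.

The signing scheme (string-to-sign + HMAC-SHA256 with the account key) is
reproduced by hand so the example runs offline; a real WebApp would call
generate_blob_sas() from the azure-storage-blob SDK.  ACCOUNT_NAME and
ACCOUNT_KEY are constructed placeholders, not real credentials."""
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
ACCOUNT_NAME = "examplestorageacct"                     # constructed, not real
ACCOUNT_KEY = base64.b64encode(b"\x2a" * 64).decode()  # constructed, not real


def _fmt(t: datetime) -> str:
    """ISO 8601 UTC timestamp in the form Azure accepts for st/se."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _signature(p: dict, container: str, blob: str,
               account: str = ACCOUNT_NAME, key: str = ACCOUNT_KEY) -> str:
    """HMAC-SHA256 over the service SAS string-to-sign (version 2020-12-06).
    Every field below is covered, so editing any query parameter breaks it."""
    g = lambda k: p.get(k, "")
    string_to_sign = "\n".join([
        g("sp"), g("st"), g("se"),
        f"/blob/{account}/{container}/{blob}",  # canonicalized resource
        "",                                      # signedIdentifier (no policy)
        g("sip"), g("spr"), g("sv"), g("sr"),
        "",                                      # signedSnapshotTime
        "",                                      # signedEncryptionScope
        "", "", "", "", "",                      # rscc, rscd, rsce, rscl, rsct
    ])
    digest = hmac.new(base64.b64decode(key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_blob_sas(container: str, blob: str, client_ip: str, now: datetime,
                   ttl_minutes: int = 5) -> dict:
    """SAS query parameters the WebApp hands to one logged-in viewer."""
    p = {
        "sv": SAS_VERSION,
        "sr": "b",                                     # a single blob
        "sp": "r",                                     # read only
        "st": _fmt(now - timedelta(minutes=5)),        # clock-skew allowance
        "se": _fmt(now + timedelta(minutes=ttl_minutes)),
        "sip": client_ip,                              # bound to the viewer's IP
        "spr": "https",                                # HTTPS only
    }
    p["sig"] = _signature(p, container, blob)
    return p


def blob_url(container: str, blob: str, p: dict) -> str:
    return (f"https://{ACCOUNT_NAME}.blob.core.windows.net/{container}/{blob}?"
            + urlencode(p))


def params_from_url(url: str) -> dict:
    """Recover the SAS fields from a URL a user may have copied out of the HTML."""
    return {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}


def _ip_allowed(sip: str, request_ip: str) -> bool:
    """sip is a single address or an inclusive 'low-high' range."""
    low, _, high = sip.partition("-")
    addr = ipaddress.ip_address(request_ip)
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high or low)


def sas_status(p: dict, container: str, blob: str,
               request_ip: str, now: datetime) -> str:
    """Mirror of the service-side checks; 'ok' or the reason the GET is denied."""
    if not hmac.compare_digest(p.get("sig", ""), _signature(p, container, blob)):
        return "bad signature"
    if _fmt(now) < p.get("st", ""):
        return "not yet valid"
    if _fmt(now) >= p.get("se", ""):
        return "expired"
    if not _ip_allowed(p.get("sip", "0.0.0.0"), request_ip):
        return "ip not allowed"
    if "r" not in p.get("sp", ""):
        return "permission denied"
    return "ok"


def run_demo() -> dict:
    """Fresh URL from the right IP works; copied, stale, or edited URLs do not."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    c, b, ip = "videos", "myvideo.mp4", "203.0.113.7"       # constructed
    p = params_from_url(blob_url(c, b, build_blob_sas(c, b, ip, t0)))
    tampered = dict(p, sp="rw")  # attempt to widen read-only to read+write
    return {
        "fresh": sas_status(p, c, b, ip, t0),
        "expired": sas_status(p, c, b, ip, t0 + timedelta(minutes=10)),
        "other_ip": sas_status(p, c, b, "198.51.100.9", t0),
        "tampered": sas_status(tampered, c, b, ip, t0),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes for question 3: a URL lifted from the page source still "works", but only from the IP it was issued to and only until `se`, and any attempt to change its parameters invalidates the signature. That is the user-level control the firewall rules cannot provide; the firewall and private endpoint then serve to shrink who can reach the account at all.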

I believe that you can use the App Service VNet integration feature for your project to restrict network access to the storage account.
