About Me

I am an MCSE in Data Management and Analytics, specializing in MS SQL Server, and an MCP in Azure. With over 19+ years of experience in the IT industry, I bring expertise in data management, Azure Cloud, Data Center Migration, Infrastructure Architecture planning, as well as Virtualization and automation. I have a deep passion for driving innovation through infrastructure automation, particularly using Terraform for efficient provisioning. If you're looking for guidance on automating your infrastructure or have questions about Azure, SQL Server, or cloud migration, feel free to reach out. I often write to capture my own experiences and insights for future reference, but I hope that sharing these experiences through my blog will help others on their journey as well. Thank you for reading!

Create shared access signature (SAS) named SAS1 for Storage as exhibit below.

You have an Azure subscription named Subscription1.

In Subscription1, you create an Azure file share named MyFileShare.

You create a shared access signature (SAS) named SAS1 as shown in the following exhibit.

Write an Azure CLI script that creates SAS1 and prints its value.


Scripts
========
$MyResourceGroup="RG102"
$location="North Europe"
$storageaccountname="storage16854"
$sharename="myfileshare02"

# Create a resource group.
az group create --location $location --name $MyResourceGroup

# Create the storage account; --https-only rejects plain-HTTP requests.
az storage account create -n $storageaccountname -g $MyResourceGroup --kind StorageV2 --https-only --access-tier Hot --sku Standard_LRS

# Create the file share.
az storage share create --account-name $storageaccountname --name $sharename

# Read the first account key; an account SAS is signed with it.
$pkey = az storage account keys list -g $MyResourceGroup -n $storageaccountname --query "[0].value" -o tsv

# SAS1: file service only (--services f), read/write/list, valid from 1 to 14 September 2018,
# HTTPS only, and accepted only from the source range 193.77.134.10-193.77.134.50.
$sastoken = az storage account generate-sas --start '2018-09-01' --expiry '2018-09-14' --permissions rwl --resource-types sco --services f --https-only --account-name $storageaccountname --account-key $pkey --ip 193.77.134.10-193.77.134.50

$sastoken


AZ CLI Create a Storage account based on below Exhibit

 

Introduction:

In cloud environments, securing access to resources such as storage accounts is a priority for organizations. One of the most effective ways to enhance security is by implementing Azure Private Endpoints. This feature ensures that traffic between your virtual network and Azure services travels securely over the Microsoft backbone network, avoiding exposure to the public internet.

In this blog post, we will dive into how to create a secure Azure Storage Account using Private Endpoints, walking through the commands provided and breaking down each step. By the end of this guide, you’ll not only understand the purpose of each command but also have a clear idea of how to deploy these resources securely using Azure CLI.


Table of Contents:

  1. Key Concepts in Azure Networking and Storage Security
    • Resource Groups and Storage Accounts
    • Virtual Networks (VNets) and Subnets
    • Private Endpoints and Private Link
  2. Step-by-Step Guide to Securing Azure Storage with Private Endpoints
    • Creating a Resource Group
    • Setting Up a Storage Account
    • Configuring a Virtual Network (VNet)
    • Implementing Private Endpoints
  3. Memory Techniques for Key Concepts
    • Mnemonics for Resource Creation
    • Story-based Learning for Private Endpoints
  4. Use Case: Enhancing Data Security in a Corporate Environment
  5. Conclusion

1. Key Concepts in Azure Networking and Storage Security

Before we dive into the practical steps, it’s important to understand the key components involved in securing an Azure Storage Account using Private Endpoints:

Resource Groups:

A resource group is a logical container that holds related Azure resources. It allows you to manage and organize resources in a structured way.

  • Command: az group create --location <region> --name <resource-group-name>

Storage Accounts:

An Azure Storage Account provides scalable and highly secure storage in the cloud. It’s where your data (like blobs, files, queues, and tables) is stored.

  • Command: az storage account create --name <storage-name> --resource-group <resource-group> --sku Standard_LRS

Virtual Networks (VNets) and Subnets:

VNets are your private network in Azure. Within VNets, subnets allow you to segment your network into smaller ranges of IP addresses, enhancing isolation and control.

  • Command: az network vnet create --resource-group <resource-group> --name <vnet-name> --address-prefix <vnet-address-range> --subnet-name <subnet-name> --subnet-prefix <subnet-address-range>

Private Endpoints:

Private Endpoints allow you to connect your virtual network to Azure services (e.g., Storage, SQL) via a private IP. Traffic between your resources and the Azure service stays on the Azure backbone network, improving security.

  • Command: az network private-endpoint create --name <private-endpoint-name> --resource-group <resource-group> --vnet-name <vnet-name> --subnet <subnet-name> --private-connection-resource-id <resource-id> --group-id <resource-type>

2. Step-by-Step Guide to Securing Azure Storage with Private Endpoints

Let’s break down each of the steps from the provided script to understand what’s happening.

Step 1: Create a Resource Group

Every Azure resource must belong to a resource group. Creating a resource group helps in managing related resources.

az group create --location NorthEurope --name RG101

This command creates a new resource group named RG101 in the North Europe region.

Step 2: Create a Storage Account

Here, you’re creating a Storage Account that will store your data in the cloud.

az storage account create -n storage16852 -g RG101 --kind StorageV2 --https-only --access-tier Hot --sku Standard_LRS

  • storage16852: The name of your storage account.
  • Standard_LRS: Locally-redundant storage for the storage account.
  • --https-only: Ensures secure communication with HTTPS.
  • --access-tier Hot: Optimizes for frequent access.

Step 3: Set Up a Virtual Network (VNet) and Subnet

You need to create a virtual network and a subnet to define the range of IP addresses that can communicate with your storage account.

az network vnet create -g RG101 -n storagevnet --address-prefix 10.3.0.0/16 --subnet-name 'subnet3' --subnet-prefix 10.3.1.0/24

  • VNet Address Prefix (10.3.0.0/16): The range of IP addresses for your entire virtual network.
  • Subnet Address Prefix (10.3.1.0/24): A smaller segment within the VNet.

Step 4: Disable Private Endpoint Network Policies

To allow private endpoint creation within the subnet, you need to disable subnet-level network policies.

az network vnet subnet update --name subnet3 --resource-group RG101 --vnet-name storagevnet --disable-private-endpoint-network-policies true

This allows the VNet’s subnet to accept private endpoints.

Step 5: Create a Private Endpoint for the Storage Account

Now, you create a private endpoint that links the storage account to the VNet via a private IP address.

$storage_id=$(az storage account show -g RG101 -n storage16852 --query "id" -o tsv)

az network private-endpoint create --name myPrivateEndpoint --resource-group RG101 --vnet-name storagevnet --subnet subnet3 --private-connection-resource-id $storage_id --group-id blob --connection-name myConnection

Here:

  • $storage_id: Captures the storage account’s resource ID.
  • --private-connection-resource-id: The resource ID of the storage account.
  • --group-id blob: Specifies the type of service the endpoint connects to (Blob storage).

3. Memory Techniques for Key Concepts

Mnemonics for Resource Creation:

Use the mnemonic “RSVP” to remember the order of creation:

  • R for Resource Group: Create your logical container first.
  • S for Storage Account: Set up your secure storage.
  • V for Virtual Network: Define your network and subnet.
  • P for Private Endpoint: Create your secure connection to the storage.

Story-based Learning:

Imagine you're setting up a private storage vault in a secure building. First, you need to decide where (the Resource Group), then you need to buy a secure vault (the Storage Account). Next, you build walls and gates around the building (the VNet and Subnet), ensuring only authorized people (your Private Endpoint) can enter through the private access doors.


4. Use Case: Enhancing Data Security in a Corporate Environment

Scenario:

Your company needs to store sensitive financial documents in the cloud. It’s crucial that no public internet access is allowed to the storage account. Instead, the company wants to secure the storage by ensuring all traffic to it flows through its private network.

Solution:

By using Azure Private Endpoints, you can ensure that all communication between your storage account and your virtual machines stays within the Azure backbone network. This enhances data security and ensures that sensitive documents are not exposed to public networks.

Command Example:

az network private-endpoint create `
    --name FinancialDataEndpoint `
    --resource-group CorporateDataGroup `
    --vnet-name CorporateVNet `
    --subnet FinanceSubnet `
    --private-connection-resource-id $(az storage account show -g CorporateDataGroup -n FinanceStorage --query "id" -o tsv) `
    --group-id blob `
    --connection-name FinanceStorageConnection
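The command above creates the private path, but on its own it does not give the use case what it asks for: clients inside the VNet keep resolving the storage FQDN to the public IP until a Private Link DNS zone is attached, and the account keeps accepting public traffic until public network access is switched off. The following script is an added example, not code from the original post, that completes Steps 4 and 5 for the use case and then verifies the result. It assumes the use case's resource names (CorporateDataGroup, FinanceStorage, CorporateVNet, FinanceSubnet, FinancialDataEndpoint), that the subnet already has private endpoint network policies disabled as in Step 4, and an Azure CLI recent enough to offer --public-network-access; privatelink.blob.core.windows.net is Microsoft's documented private DNS zone for Blob private endpoints. Like the rest of this page it is Azure CLI run from PowerShell.

```powershell
# Added example: make FinanceStorage reachable only through its private endpoint.
# Names below come from the use case; the zone name is Microsoft's Blob Private Link zone.
$rg       = "CorporateDataGroup"
$storage  = "FinanceStorage"
$vnet     = "CorporateVNet"
$subnet   = "FinanceSubnet"
$endpoint = "FinancialDataEndpoint"
$conn     = "FinanceStorageConnection"
$zone     = "privatelink.blob.core.windows.net"

# 1. Private endpoint (the use-case command, one flag per line).
$storageId = az storage account show -g $rg -n $storage --query "id" -o tsv
az network private-endpoint create `
    --name $endpoint `
    --resource-group $rg `
    --vnet-name $vnet `
    --subnet $subnet `
    --private-connection-resource-id $storageId `
    --group-id blob `
    --connection-name $conn

# 2. Private DNS. Without this, <account>.blob.core.windows.net still resolves to the
#    public IP from inside the VNet and traffic bypasses the endpoint.
az network private-dns zone create -g $rg -n $zone
az network private-dns link vnet create -g $rg --zone-name $zone `
    --name "${vnet}-link" --virtual-network $vnet --registration-enabled false
az network private-dns endpoint dns-zone-group create -g $rg `
    --endpoint-name $endpoint --name default --private-dns-zone $zone --zone-name blob

# 3. Close the public door. A private endpoint adds a private path; it does not
#    remove the public one, so the account itself must refuse public traffic.
az storage account update -g $rg -n $storage --public-network-access Disabled

# 4. Verify: public access is off, and the A record the private zone publishes for the
#    account is the endpoint's private IP.
$publicAccess = az storage account show -g $rg -n $storage --query "publicNetworkAccess" -o tsv
$privateIp    = az network private-endpoint show -g $rg -n $endpoint `
                    --query "customDnsConfigs[0].ipAddresses[0]" -o tsv
$zoneRecord   = az network private-dns record-set a show -g $rg --zone-name $zone -n $storage `
                    --query "aRecords[0].ipv4Address" -o tsv

if ($publicAccess -ne "Disabled") { throw "Public network access is still '$publicAccess'" }
if ($privateIp -ne $zoneRecord)   { throw "Private zone record ($zoneRecord) does not match endpoint IP ($privateIp)" }
Write-Host "OK: $storage accepts traffic only via $endpoint at $privateIp"
```

Step 2 uses the dns-zone-group so that the A record in the private zone follows the endpoint automatically; step 3 is the one most often forgotten, and the final check fails loudly if either the DNS record or the public-access setting is wrong, which is the state you want a pipeline to stop on rather than report as success.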

5. Conclusion

Securing a storage account using Private Endpoints in Azure ensures that sensitive data remains accessible only within your virtual network, significantly enhancing security. Using Azure CLI, you can automate and simplify the process of creating resource groups, storage accounts, VNets, and private endpoints.

By following this step-by-step guide, you can set up a secure environment to protect your data and avoid exposing it to public networks. With practical commands, Azure Portal instructions, and mnemonics, you now have the knowledge to confidently implement secure Azure Storage solutions in your projects.


AZ CLI - Create multiple VNETS,SUBNETS,Network Peering and DNS Zone.

You plan to create the following networking resources in a resource group named HumongousRG.

Default Azure system routes that will be the only routes used to route traffic

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet

A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4


You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings. 

You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

$MyResourceGroup="HumongousRG"
$location="eastus"

# Create a resource group.
az group create --location $location --name $MyResourceGroup

# A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
az network vnet create -g $MyResourceGroup -n Paris-VNet --address-prefix 10.0.0.0/16 --subnet-name Subnet1 --subnet-prefix 10.0.1.0/24

az network vnet subnet create -g $MyResourceGroup --vnet-name Paris-VNet -n Subnet2 --address-prefixes 10.0.2.0/24

# A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
az network vnet create -g $MyResourceGroup -n ClientResources-VNet --address-prefix 10.1.0.0/16 --subnet-name ClientSubnet --subnet-prefix 10.1.1.0/24

# A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
az network vnet create -g $MyResourceGroup -n AllOffices-VNet --address-prefix 10.2.0.0/16 --subnet-name Subnet3 --subnet-prefix 10.2.1.0/24

az network vnet subnet create -g $MyResourceGroup --vnet-name AllOffices-VNet -n Subnet4 --address-prefixes 10.2.2.0/24

# Peer Paris-VNet and AllOffices-VNet. A peering has to be created from both sides.
az network vnet peering create -g $MyResourceGroup -n Paris-VNetToAllOffices-VNet --vnet-name Paris-VNet --remote-vnet AllOffices-VNet --allow-vnet-access --allow-forwarded-traffic

az network vnet peering create -g $MyResourceGroup -n AllOffices-VNetToParis-VNet --vnet-name AllOffices-VNet --remote-vnet Paris-VNet --allow-vnet-access --allow-forwarded-traffic

# Create a private DNS zone named humongousinsurance.local and set the registration network
# to the ClientResources-VNet virtual network.
az network private-dns zone create -g $MyResourceGroup -n humongousinsurance.local

az network private-dns link vnet create --resource-group $MyResourceGroup --zone-name "humongousinsurance.local" --name MyDNSLink --virtual-network ClientResources-VNet --registration-enabled true
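The requirements above ask for the Use remote gateways setting on the Paris-VNet peerings, which the script leaves unset: Azure rejects --use-remote-gateways unless the remote VNet has a virtual network gateway and the remote side's peering allows gateway transit. The following script is an added example, not code from the original post, that replaces the two peering commands above. It checks whether AllOffices-VNet has a gateway, creates the pair of peerings with or without the gateway flags accordingly, and confirms both sides report Connected. It assumes the resource group and VNet names from the script above and that the VNets already exist.

```powershell
# Added example: peer Paris-VNet and AllOffices-VNet, using the remote gateway when one exists.
$MyResourceGroup = "HumongousRG"
$hub   = "AllOffices-VNet"   # side that would own the gateway
$spoke = "Paris-VNet"        # side that should use the remote gateway

# --use-remote-gateways is only accepted when the remote VNet has a gateway,
# so look for one whose IP configuration sits in a subnet of $hub.
$hubGateways = az network vnet-gateway list -g $MyResourceGroup `
    --query "[?contains(ipConfigurations[0].subnet.id, '/virtualNetworks/$hub/')].name" -o tsv

# Flags from the script above; the gateway flags are added only when a gateway exists.
$common     = @('--allow-vnet-access', '--allow-forwarded-traffic')
$hubFlags   = if ($hubGateways) { @('--allow-gateway-transit') } else { @() }
$spokeFlags = if ($hubGateways) { @('--use-remote-gateways') }  else { @() }
if (-not $hubGateways) {
    Write-Warning "$hub has no virtual network gateway; creating the peerings without gateway transit"
}

# Hub side first, so gateway transit is allowed before the spoke asks to use it.
az network vnet peering create -g $MyResourceGroup -n AllOffices-VNetToParis-VNet `
    --vnet-name $hub --remote-vnet $spoke @common @hubFlags
az network vnet peering create -g $MyResourceGroup -n Paris-VNetToAllOffices-VNet `
    --vnet-name $spoke --remote-vnet $hub @common @spokeFlags

# Verify: a peering carries traffic only once both sides report Connected
# (a peering that exists on one side only shows Initiated).
$peerings = @{ 'AllOffices-VNetToParis-VNet' = $hub; 'Paris-VNetToAllOffices-VNet' = $spoke }
foreach ($name in $peerings.Keys) {
    $state = az network vnet peering show -g $MyResourceGroup --vnet-name $peerings[$name] -n $name `
        --query peeringState -o tsv
    if ($state -ne 'Connected') { throw "Peering $name is in state '$state'" }
    Write-Host "OK: $name is $state"
}
```

The gateway check is a management-plane query, so it is safe to run before anything is changed; the warning path keeps the script usable in a lab that has no gateway, while a production run with a gateway gets exactly the peering the requirements describe.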

Manage storage account keys with Key Vault and the Azure CLI

$myResourceGroup="rg-fhpl-use-qa"
$location="eastus"
$storagename="stousefhplqa"
$container="mybackupcontainer"
$ADE_KV_NAME="keyvault-common-fhpl-qa"
$nameofsecret="secnamefhplqa"
$upnname="XXXXX.onmicrosoft.com" # put your valid UPN here
$subsid="9239f519-XXXX-4e92-XXXX-c84d53XX3714"
$storageid="/subscriptions/$subsid/resourceGroups/$myResourceGroup/providers/Microsoft.Storage/storageAccounts/$storagename"

# Create a resource group.
az group create --location $location --name $myResourceGroup

# Create a storage account.
az storage account create --name $storagename --resource-group $myResourceGroup --location $location --sku Standard_LRS --kind StorageV2

# Create a storage container.
az storage container create --account-name $storagename --name $container

# Create the Key Vault that will manage the storage account keys.
az keyvault create --name $ADE_KV_NAME --resource-group $myResourceGroup --location $location --sku premium

echo "- Key vault: $ADE_KV_NAME"

# Give the Key Vault service the right to list and regenerate this storage account's keys.
az role assignment create --role "Storage Account Key Operator Service Role" --assignee 'https://vault.azure.net' --scope $storageid

# Give your user principal access to all storage account permissions on your Key Vault instance.
az keyvault set-policy --name $ADE_KV_NAME --upn $upnname --storage-permissions get list delete set update regeneratekey getsas listsas deletesas setsas recover backup restore purge

# Hand the storage account over to Key Vault: key1 is the active key and is regenerated every day (P1D).
az keyvault storage add --vault-name $ADE_KV_NAME -n $storagename --active-key-name key1 --auto-regenerate-key --regeneration-period P1D --resource-id $storageid

# Generate an account SAS with the current key; it serves as the template for the SAS definition.
$pkey = az storage account keys list -g $myResourceGroup -n $storagename --query "[0].value" -o tsv

$sastoken = az storage account generate-sas --expiry '2022-12-31' --permissions cdlruwap --resource-types sco --services bfqt --https-only --account-name $storagename --account-key $pkey

$sastoken

# Store the template as a SAS definition; each token Key Vault issues from it is valid for one day (P1D).
az keyvault storage sas-definition create --vault-name $ADE_KV_NAME --account-name $storagename -n $nameofsecret --validity-period P1D --sas-type account --template-uri $sastoken

# Read back the definition, and the secret through which the current SAS token is retrieved.
az keyvault storage sas-definition show --id "https://$ADE_KV_NAME.vault.azure.net/storage/$storagename/sas/$nameofsecret"

az keyvault secret show --id "https://$ADE_KV_NAME.vault.azure.net/secrets/$storagename-$nameofsecret"
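Two account SAS tokens are generated on this page with az storage account generate-sas: SAS1 in the first script (file service only, read/write/list, a two-week window, HTTPS only, one source IP range) and the template in this script (every permission, every service, a year-long window, no IP restriction). The following PowerShell function is an added example, not code from the original post, that parses such a token and reports which least-privilege checks it fails, without ever printing the signature. The two sample tokens are constructed to mirror those two commands; their signatures are placeholders, not real values, and the Test-AccountSas name and its checks are this example's own.

```powershell
function Test-AccountSas {
    # Audits an account SAS query string, as printed by `az storage account generate-sas`,
    # against a least-privilege checklist. Returns findings; the signature is never output.
    param(
        [Parameter(Mandatory)] [string] $SasToken,
        [int] $MaxValidityDays = 7
    )

    # az prints the token as a JSON string, so strip surrounding quotes and any leading '?'.
    $raw = $SasToken.Trim('"').TrimStart('?')

    # Parse key=value pairs; values are URL-encoded (timestamps carry ':' as %3A).
    $p = @{}
    foreach ($pair in $raw.Split('&')) {
        $kv = $pair.Split('=', 2)
        if ($kv.Count -eq 2) { $p[$kv[0]] = [uri]::UnescapeDataString($kv[1]) }
    }

    $findings = @()
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $utc = [System.Globalization.DateTimeStyles]::AdjustToUniversal

    if ($p['spr'] -ne 'https')              { $findings += "Not restricted to HTTPS (spr=$($p['spr']))" }
    if (-not $p['sip'])                     { $findings += "No source IP restriction (sip absent)" }
    if ($p['sp'] -match '[wdacup]')         { $findings += "Grants write/delete-class permissions (sp=$($p['sp']))" }
    if ($p['ss'] -and $p['ss'].Length -gt 1) { $findings += "Spans multiple services (ss=$($p['ss']))" }

    if (-not $p['se']) {
        $findings += "No expiry (se absent)"
    } else {
        $expiry = [datetime]::Parse($p['se'], $inv, $utc)
        # Without an explicit start (st) the token is valid from issue time, so measure from now.
        $start  = if ($p['st']) { [datetime]::Parse($p['st'], $inv, $utc) } else { [datetime]::UtcNow }
        $days   = ($expiry - $start).TotalDays
        if ($days -gt $MaxValidityDays)     { $findings += ("Validity window {0:N0} days exceeds {1}" -f $days, $MaxValidityDays) }
        if ($expiry -lt [datetime]::UtcNow) { $findings += "Already expired ($($expiry.ToString('u')))" }
    }

    [pscustomobject]@{
        Services    = $p['ss']
        Permissions = $p['sp']
        ExpiresUtc  = $p['se']
        Passed      = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Constructed sample tokens in the shape az prints (signatures are placeholders).
# $narrow mirrors SAS1 from the first script; $broad mirrors the Key Vault template above.
$narrow = 'se=2018-09-14T00%3A00%3A00Z&sp=rwl&sip=193.77.134.10-193.77.134.50&spr=https&sv=2018-03-28&ss=f&srt=sco&st=2018-09-01T00%3A00%3A00Z&sig=CONSTRUCTED_SIGNATURE'
$broad  = 'se=2022-12-31T00%3A00%3A00Z&sp=cdlruwap&spr=https&sv=2021-06-08&ss=bfqt&srt=sco&sig=CONSTRUCTED_SIGNATURE'

Test-AccountSas -SasToken $narrow -MaxValidityDays 14 | Format-List
Test-AccountSas -SasToken $broad | Format-List

# To audit the token the script above just generated:
# Test-AccountSas -SasToken $sastoken
```

With a 14-day budget the narrow token is flagged only for its write permission and for having expired in 2018; the broad token is flagged for write-class permissions, for spanning all four services, for lacking an IP restriction and for being expired. The template stored in Key Vault inherits every one of those scopes, so it pays to run a check like this on the template before it is turned into a SAS definition that issues tokens daily.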