
I have data stored in Azure Table Storage and want to secure it such that only my API (a function app) can read and write data.

What is best practice and how can I do this? I thought setting --default-action on the network rules to Deny for the Storage, plus adding a --bypass Logging Metrics AzureServices would shut down access but enable my Azure services, but this did not work.

I then looked at creating a Managed Service Identity (MSI) for the function app and adding RBAC to the Storage Account, but this did not work either. It doesn't look like MSIs are supported for Table Storage: Access Azure Table Storage with Azure MSI

Am I missing or misunderstanding something? How do I secure the data in the tables in the Storage account, and is this even possible?

Magic Bullet Dave

2 Answers

0

As the link you provided shows, Azure Table Storage does not support Azure MSI; it only supports Shared Key (storage account key) and Shared Access Signature (SAS).


You must use Shared Key authorization to authorize a request made against the Table service if your service is using the REST API to make the request.

To encode the signature string for a request against the Table service made using the REST API, use the following format:

StringToSign = VERB + "\n" +
               Content-MD5 + "\n" +
               Content-Type + "\n" +
               Date + "\n" +
               CanonicalizedResource;

You can use Shared Key Lite authorization to authorize a request made against any version of the Table service.

StringToSign = Date + "\n" +
               CanonicalizedResource;

For more details, you could refer to this article.

Joey Cai
  • Thanks @Joey, and how do you secure the resources in Azure? Would you put them in a VNet and limit traffic to only resources in the VNet? – Magic Bullet Dave Jun 22 '20 at 06:21
  • You can add the Azure function's outbound IP into the storage account's `Firewalls and virtual networks`. Then your table storage will only be accessible by your Azure function. – Joey Cai Jun 22 '20 at 06:30
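The two StringToSign formats in the answer above only become a usable `Authorization` header once they are HMAC-SHA256 signed with the base64-decoded account key; this added example (not from either poster) shows that step for both Shared Key and Shared Key Lite. The account name, key, date and table path are constructed placeholders, and CanonicalizedResource is simplified to `/<account>/<table-path>` (no `?comp=` parameter).

```python
import base64
import hashlib
import hmac

# Constructed sample values; the key is a made-up base64 string, not a real secret.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
SAMPLE_DATE = "Mon, 22 Jun 2020 06:21:00 GMT"  # RFC 1123, as required by the Date header


def string_to_sign(verb, content_md5, content_type, date, account, table_path, lite=False):
    """Build StringToSign for the Table service.

    Shared Key:      VERB \n Content-MD5 \n Content-Type \n Date \n CanonicalizedResource
    Shared Key Lite: Date \n CanonicalizedResource
    CanonicalizedResource here is "/<account><table-path>"; a request carrying a
    ?comp= query parameter would also have to append it (omitted in this example).
    """
    canonical = f"/{account}{table_path}"
    if lite:
        return f"{date}\n{canonical}"
    return f"{verb}\n{content_md5}\n{content_type}\n{date}\n{canonical}"


def sign(account_key_b64, sts):
    """HMAC-SHA256 over the UTF-8 StringToSign, keyed with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def authorization_header(account, account_key_b64, verb, table_path, date,
                         content_type="", content_md5="", lite=False):
    """Return the Authorization header value for a Table service REST request."""
    sts = string_to_sign(verb, content_md5, content_type, date, account, table_path, lite)
    scheme = "SharedKeyLite" if lite else "SharedKey"
    return f"{scheme} {account}:{sign(account_key_b64, sts)}"


if __name__ == "__main__":
    # A GET against the (constructed) table "Customers" with an $filter query string;
    # query parameters other than comp are not part of CanonicalizedResource.
    print(authorization_header(ACCOUNT, ACCOUNT_KEY_B64, "GET", "/Customers", SAMPLE_DATE))
    print(authorization_header(ACCOUNT, ACCOUNT_KEY_B64, "GET", "/Customers", SAMPLE_DATE, lite=True))
```

Because every request is signed with the full account key, anyone holding that key has complete access; this is why the answer pairs Shared Key with network rules (or a scoped SAS) rather than relying on the key alone.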
0

To secure Azure Table Storage data, do the following network configurations:

  1. Use selected networks instead of the public network. This configuration is available under "Firewalls and virtual networks" of the storage account.
  2. The second step you can take is either to move the data to Azure Key Vault or to use an encryption key stored in Azure Key Vault to encrypt the required fields of Azure Table Storage. This way you won't face Azure Key Vault's throttling limits - https://learn.microsoft.com/en-us/azure/key-vault/general/service-limits#secrets-managed-storage-account-keys-and-vault-transactions