Is my web app & table storage sufficiently secured from public facing internet?

Question

Intro:

I have an asp.net core app service hosted in Azure. This app service has an API controller that reads/writes to an Azure Table Storage. The code for this is using Azure.Data.Table library w/ an Access Key that i setup from the Azure portal (for the table storage).

Now, under the storage account / Networking blade, I have selected the "Enabled from All Networks".

Question:

Does this mean this storage account is open to the entire internet? I am confused whether this is secured because my code is accessing it via the Access Key (which I mentioned above).

Thank you.

Answer 1

Regarding the settings above, Enabled from all networks means the storage account endpoints (i.e. blob, table, queue, etc.) will accept traffic from the internet but you still need access key to view any data.

Enabled from selected virtual networks and IP address means that traffic will only be allowed from resources on the same VNET or specific IP address that you've configured e.g. your local device public IP provided by your ISP. This is a more secured method because you essentially whitelisting your what can connect.

Disabled means nothing outside of Azure can access the storage account and you will connect via Private Endpoint.

If your access key is inside your code, then this isn't the best secured method. You would want to have your connection with access key in either Application Settings so it can be retrieved as an environment variable or through Azure Key Vault. Using Key Vault allows you dictate what service or user can retrieve that value.

Answer 2

I will suggest assigning the system assigned managed identity to the app Service. Then use the resource instance rules for storage setting to configure the firewall https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-azure-resource-instances