Scott: We've been creating a storage account here
in the Azure portal.
I'm gonna leave the one that we've created in the East US,
and I'm gonna choose locally redundant storage,
and I'm gonna hit next, which will take us
to the advanced tab.
As the name implies,
the advanced tab contains a lot of security, access,
and other settings.
Under security, the first setting says,
"Require secure transfer for REST API operations."
This basically means that you cannot interact
with a storage account using unsecured,
unencrypted, so HTTPS is the only method
for interacting with this over the API.
This here is enabled by default,
and you probably should keep it
unless you have a good reason
for not needing secure transfer.
Second option is enabling anonymous access.
Now, this is a big security risk.
It's happened dozens of times in the past,
where someone is looking around,
and they find an open anonymous storage account
or storage bucket for AWS, so it is off by default,
and unless you're gonna use the storage account
for web files, like images and MP4 files and JavaScripts,
unless you're intending anonymous users
to be able to access them, I would leave it off.
There are two methods of authorization and authentication
to get access to the storage account.
One is what's called storage account key,
and that is on by default.
We're gonna see in an upcoming video
about managing your keys.
Basically, the key means if you have the key,
which is a series of letters and numbers that is very long
and impossible to guess,
then you can get access to the storage account,
the contents of it.
So it's what's called claims-based authentication.
Or do you want to use Microsoft Entra,
which is role-based access control that is handled by Entra?
Storage account key is on by default,
because if you're going to be using applications
and legacy applications,
this is what's traditionally been supported.
In order to use Entra, you have your applications register
with Entra, and there are special methods
that they're gonna need to get authorization.
Obviously, TLS 1.2 is the minimum.
I believe it's been shown that 1.0 and 1.1 are,
at this point, insecure,
so leaving it at 1.2 is perfectly fine.
We'll skip over the preview feature.
Now, I mentioned in the last video
that Data Lake Storage Gen2
is a different type of namespace.
It's an actual hierarchical namespace
where you can have files and folders.
In a default storage account with blobs and containers,
it's a container model, and basically,
everything goes into the container.
Data Lake Storage Gen2 is more of a files and folders model
specifically for big data analytics,
and it has different limits
in terms of the amount of data you can store,
and it has different access control policies,
so we're not going to talk about that much in this course.
This is where you would set it up if you want.
You would have to be using Data Lake Storage Gen2
in order to set up SFTP or NFS.
For blob storage,
we have, the most important thing here is the access tier.
Now, access tier is an important concept
and is a requirement for the exam, and so what we'll do,
we'll come back in the next video,
and we'll talk specifically about hot, cool, cold,
and archive.