Instructor: All right, let's click next.
So on this tab we're talking about networking.
Now it might alarm you to say that by default,
storage accounts have public internet access.
That is, anyone anywhere in the world
can access the storage account if they know the public URL
and they have the access key
if you're using access key authentication.
So, the analogy that I use is that it's like having
a locked door on a busy street.
So, let's imagine you are a business,
you have a door that has a lock,
nobody is going to be able to get in unless they have a key.
Also, we can say that you can't break in,
there's no way to hack into Azure,
at least as far as we know.
So if you don't have the key,
you're not getting access to the files.
That is public access from all networks.
Now, let's say that still gives you uneasiness,
and so you want to restrict access from the public internet
and you only want access from selected networks.
So if you select the second option,
then you're going to be able to choose a virtual network.
So in this case, I'm choosing vm1-vnet
and choosing a specific subnet
and only computers that are connected to that vnet,
to that subnet can access the storage account.
So it is more private,
so any computer attached to this subnet
can access your storage account with the access key,
but not the public internet.
Now, maybe you do have certain public internet addresses
that you do want to have access,
so I can add a public internet access address
to have access.
So this is, again, selected networks, very specific,
either an address or a range of addresses.
Finally, you have the option to disable public
and private access.
So there's a thing within Azure called private endpoint,
and you can set up, basically, a proxy connection
from this storage account to another resource
inside of Azure and those are called private links.
So this is the most secure way
where you are specifically allowing
one resource to talk to this storage account.
This is for, again, virtual networks
and public IP addresses that you've manually added
or the public internet.
So that is your role of adding security
in terms of networking.
Also on the screen is a concept of network routing.
Now, typically you would not have to touch this.
Microsoft network routing is the default.
What does this mean?
So let's imagine that you have a resource
inside the United States
and you have a server in your office in Japan,
and that server in your office in Japan
needs to access a file from within the storage account
inside the United States.
With Microsoft network routing,
the Japanese computer is going to connect
to the Microsoft network in Japan,
and then it's gonna travel over a private network,
the Microsoft Global network from Japan to United States
to talk to your storage account.
With internet routing, this means that
from Japan, it's gonna travel over the public internet,
encrypted of course,
and then enter the Azure network inside the United States.
So, that's why Microsoft networking is the default.
There's not really a great reason to choose internet routing
unless, well, unless you want to, obviously.
So, that is the networking screen.
I'm gonna leave the selected virtual networks option open
with my own IP address,
and that way I can test this from my home,
but it's not open to the public internet
even if you have the key.
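
The three choices on the networking tab map onto a storage account's ARM properties (`publicNetworkAccess`, `networkAcls.defaultAction`, `virtualNetworkRules`, `ipRules`), and the Python below classifies an account and checks whether a caller would pass the firewall. This is an added example, not part of the instructor's narration; the sample account, subscription ID, resource group, subnet name and IP address are constructed, and the `bypass` setting and private endpoint traffic are not modelled.

```python
import ipaddress

# Constructed sample in the shape of an ARM storage account resource body.
# Subscription ID, resource group, subnet name and IP address are placeholders.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vm1-vnet/subnets/default")
SELECTED = {"properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {
        "defaultAction": "Deny",  # "Allow" here means open to all networks
        "virtualNetworkRules": [{"id": SUBNET, "action": "Allow"}],
        "ipRules": [{"value": "203.0.113.7", "action": "Allow"}],
    },
}}

def network_mode(account):
    """Return which of the three networking-tab choices the account is in."""
    props = account.get("properties", {})
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "private-endpoint-only"
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction", "Allow") == "Allow":
        return "all-networks"
    return "selected-networks"

def source_allowed(account, source_ip=None, subnet_id=None):
    """Would the public endpoint's firewall admit this caller?

    Only the network layer is checked; the access key is a separate gate.
    """
    mode = network_mode(account)
    if mode == "all-networks":
        return True
    if mode == "private-endpoint-only":
        return False
    acls = account["properties"]["networkAcls"]
    if subnet_id is not None:
        # Azure resource IDs compare case-insensitively.
        rules = acls.get("virtualNetworkRules", [])
        return any(r["id"].lower() == subnet_id.lower() for r in rules)
    if source_ip is not None:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in ipaddress.ip_network(r["value"], strict=False)
                   for r in acls.get("ipRules", []))
    return False

if __name__ == "__main__":
    print(network_mode(SELECTED), source_allowed(SELECTED, source_ip="198.51.100.9"))
```

An account body with no `networkAcls` at all falls into the "all-networks" case, which is the default the narration describes.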