we have a blob container with anonymous access (open to internet) and an appservice talking to it.
What are our options of ensuring that only the appservice can talk to this storage endpoint? vnet integration is our last option.
Thanks -nen
CodePudding user response:
What are our options of ensuring that only the appservice can talk to this storage endpoint?
One option would be to make use of Azure Role Based Access Control (RBAC) Data roles.
For this, first you would assign a managed identity to your App Service and then assign that identity appropriate Azure Storage RBAC data roles.
You would also need to block access to the storage account via access keys or shared access signature so that only your App Service can connect to your storage account using Azure AD authorization.
You can read more about it here: https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal.