This content originally appeared on DEV Community and was authored by UMEOHIA NNAMDI
As companies go digital, creating a new app is often a big step toward working faster, reaching more customers, or automating tasks. But for any app to work well, one of the most important things to get right is where and how the app’s data is stored. This includes things like user details, uploaded files, transactions, and media. A good storage system should be safe, easy to grow, and dependable.
Picking the right storage isn’t just a technical choice: it affects how well the app runs, how safe the data is, and how easy it is to manage over time. Whether your app is for staff use or for customers around the world, you need a plan that can grow with your data, deliver quick access, and keep sensitive information protected.
Architecture diagram (image not reproduced here)
In this article, we’ll look at how to set up strong storage for a new app.
These are the steps to follow:
Create the storage account and managed identity.
1. Provision a storage account for the web app. Steps:
A. Log in to the Azure portal.
B. In the portal, search for and select Storage accounts.
C. Select + Create.
D. For Resource group, select Create new and give the resource group a name. Provide a Storage account name.
E. Move to the Encryption tab and check the box for Enable infrastructure encryption.
F. Select Review + Create, and then select Create.
G. Wait for the storage account to deploy, and then select Go to resource.
2. Provision a managed identity for the web app to use. Steps:
A. In the Azure portal, search for and select Managed identities.
B. Select Create.
C. Select your resource group and give the managed identity a name. Select Review + create.
D. Select Create.
3. Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs. Steps:
A. Go to your storage account. Select the Access Control (IAM) blade, and then select Add role assignment.
B. On the Job function roles page, search for and select the Storage Blob Data Reader role, and then select Next.
C. On the Members page, select Managed identity. Select + Select members. In the Managed identity drop-down, select User-assigned managed identity, and then select the managed identity you created in the previous step. Click Select.
D. Select Review + assign. Select Review + assign a second time to add the role assignment.
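The same three steps can be scripted with the Azure CLI, which is easier to review and repeat than clicking through the portal. The script below is an added example, not part of the original article; the resource group, account and identity names in it are assumptions. It keeps the least-privilege choice from step 3 (Storage Blob Data Reader, scoped to the single storage account) and adds the hardening flags a practitioner would normally set alongside infrastructure encryption (HTTPS only, TLS 1.2 minimum, no anonymous blob access). Setting AZ=echo prints the commands instead of running them, which is how the script can be checked without a subscription.

```shell
#!/bin/sh
# Added example (not from the original article): az CLI equivalents of the
# portal steps above. All resource names are assumptions; replace them.
# Run with AZ=echo to preview the commands without touching Azure.
set -eu
AZ="${AZ:-az}"

# Storage account with infrastructure (double) encryption, which can only be
# chosen at creation time, plus baseline hardening: HTTPS only, TLS 1.2
# minimum and no anonymous (public) blob access.
create_storage_account() {
  "$AZ" storage account create \
    --resource-group "$1" --name "$2" --location "$3" \
    --kind StorageV2 --sku Standard_LRS \
    --require-infrastructure-encryption true \
    --https-only true --min-tls-version TLS1_2 \
    --allow-blob-public-access false
}

# User-assigned managed identity for the web app: no secret to store or rotate.
create_identity() {
  "$AZ" identity create --resource-group "$1" --name "$2"
}

# Least privilege: Storage Blob Data Reader (read + list only), scoped to this
# one storage account rather than to the resource group or subscription.
# $1 is the identity's principalId (object id), $2 the storage account's resource id.
assign_blob_reader() {
  "$AZ" role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$2"
}

# Orchestrates the three steps. Args: resource group, storage account name,
# identity name, location.
provision_storage_and_identity() {
  create_storage_account "$1" "$2" "$4"
  create_identity "$1" "$3"
  principal_id=$("$AZ" identity show -g "$1" -n "$3" --query principalId -o tsv)
  account_id=$("$AZ" storage account show -g "$1" -n "$2" --query id -o tsv)
  assign_blob_reader "$principal_id" "$account_id"
}

# Only runs against Azure when APPLY=1, so the file is safe to source or preview.
if [ "${APPLY:-0}" = 1 ]; then
  provision_storage_and_identity rg-webapp-lab stwebapplab001 id-webapp-lab eastus
fi
```

Run `AZ=echo APPLY=1 sh provision.sh` to see the exact commands, then `APPLY=1 sh provision.sh` after `az login`. A newly created identity can take a short while to replicate, so if the role assignment reports that the principal was not found, re-run `assign_blob_reader` after a few seconds.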
Secure access to the storage account with a key vault and key.
1. To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions. Steps:
A. In the portal, search for and select Resource groups.
B. Select your resource group.
C. In the resource group, select the Access Control (IAM) blade. Select + Add, and then select Add role assignment.
D. On the Job function roles page, search for and select the Key Vault Administrator role. Select Next.
E. On the Members page, select User, group, or service principal. Select + Select members. Search for and select your user account. Click Select.
F. Select Review + assign. Select Review + assign a second time to add the role assignment.
2. Create a key vault to store the key. Steps:
A. In the portal, search for and select Key vaults.
B. Select Create.
C. Select your resource group and provide a name for the key vault.
D. On the Access configuration tab, ensure that Azure role-based access control (recommended) is selected. Select Review + create.
E. Wait for the validation checks to complete, and then select Create.
F. Select Go to resource.
G. On the Overview blade, ensure that both Soft-delete and Purge protection are enabled.
3. Create a customer-managed key in the key vault. Steps:
A. In your key vault, in the Objects section, select the Keys blade. Select Generate/Import and give the key a name. Select Create to create the key.
B. Verify that the key was created successfully.
Configure the storage account to use the customer managed key in the key vault.
1. Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity. Steps:
A. In the portal, search for and select Resource groups.
B. Select your resource group.
C. In your resource group, select the Access Control (IAM) blade. Select Add role assignment.
D. On the Job function roles page, search for and select the Key Vault Crypto Service Encryption User role, and then select Next.
E. On the Members page, select Managed identity. Select + Select members. In the Managed identity drop-down, select User-assigned managed identity, and then select your managed identity. Click Select.
F. Select Review + assign. Select Review + assign a second time to add the role assignment.
2. Configure the storage account to use the customer-managed key in your key vault. Steps:
A. Go to your storage account. In the Security + networking section, select the Encryption blade. Select Customer-managed keys.
B. Choose Select a key vault and key, select your key vault and key, and confirm your choices. Ensure the Identity type is User-assigned. Under Select an identity, select your managed identity and then select Add. Select Save.
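The key vault, key, role assignment and customer-managed-key steps from the two sections above, scripted with the Azure CLI. This is an added example, not part of the original article, and the vault, key and identity names are assumptions. It uses the same role the walkthrough does (Key Vault Crypto Service Encryption User, which grants only key wrap/unwrap) and scopes it to the vault rather than the resource group, and it creates the vault with purge protection on, since a storage account encrypted with a key that can be permanently deleted is a data-loss risk. No key version is passed to the storage account, so the account picks up new key versions itself after rotation. As before, AZ=echo previews the commands.

```shell
#!/bin/sh
# Added example (not from the original article): az CLI form of the key vault,
# key, role assignment and customer-managed-key steps. Names are assumptions.
# Run with AZ=echo to preview without changing anything.
set -eu
AZ="${AZ:-az}"

# Key vault using Azure RBAC (no legacy access policies) with purge protection,
# which a CMK vault needs so the key backing the account cannot be permanently
# deleted while data still depends on it. Soft delete is on by default.
create_key_vault() {
  "$AZ" keyvault create \
    --resource-group "$1" --name "$2" --location "$3" \
    --enable-rbac-authorization true \
    --enable-purge-protection true --retention-days 90
}

# RSA key that wraps the storage account's data-encryption keys.
create_cmk() {
  "$AZ" keyvault key create --vault-name "$1" --name "$2" --kty RSA --size 2048
}

# The storage account's user-assigned identity needs only wrap/unwrap rights:
# Key Vault Crypto Service Encryption User, scoped to the vault ($2), not the group.
assign_crypto_user() {
  "$AZ" role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$2"
}

# Point the storage account at the key. Args: resource group, storage account,
# identity resource id, vault URI, key name. --encryption-key-version is
# deliberately omitted so the account follows new key versions automatically.
enable_customer_managed_key() {
  "$AZ" storage account update \
    --resource-group "$1" --name "$2" \
    --identity-type UserAssigned --user-identity-id "$3" \
    --key-vault-user-identity-id "$3" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$4" --encryption-key-name "$5"
}

# Args: resource group, storage account, identity name, vault name, key name, location.
configure_cmk() {
  create_key_vault "$1" "$4" "$6"
  create_cmk "$4" "$5"
  principal_id=$("$AZ" identity show -g "$1" -n "$3" --query principalId -o tsv)
  identity_id=$("$AZ" identity show -g "$1" -n "$3" --query id -o tsv)
  vault_id=$("$AZ" keyvault show -g "$1" -n "$4" --query id -o tsv)
  vault_uri=$("$AZ" keyvault show -g "$1" -n "$4" --query properties.vaultUri -o tsv)
  assign_crypto_user "$principal_id" "$vault_id"
  enable_customer_managed_key "$1" "$2" "$identity_id" "$vault_uri" "$5"
}

if [ "${APPLY:-0}" = 1 ]; then
  configure_cmk rg-webapp-lab stwebapplab001 id-webapp-lab kv-webapp-lab cmk-storage eastus
fi
```

Your own account still needs Key Vault Administrator (or Key Vault Crypto Officer) on the vault to run `create_cmk`, exactly as section 1 above describes for the portal. After `configure_cmk` completes, `az storage account show --query encryption.keySource` should return Microsoft.Keyvault.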
Configure a time-based retention policy and an encryption scope.
1. The developers require a storage container where files can’t be modified, even by the administrator. Steps:
A. Go to your storage account. In the Data storage section, select the Containers blade. Select + Add container.
B. Create a container called hold, keeping the defaults. Click Create.
C. Upload a file to the container.
D. In the Settings section, select the Access policy blade. In the Immutable blob storage section, select + Add policy.
E. For the Policy type, select Time-based retention. Set the Retention period to 5 days. Click Save, and be sure your changes are saved.
F. Try to delete the file in the container. Verify that the portal reports that the blob could not be deleted because of the policy.
2. The developers require an encryption scope that enables infrastructure encryption. Steps:
A. Go to your storage account. In the Security + networking section, select the Encryption blade.
B. On the Encryption scopes tab, select Add.
C. Give your encryption scope a name. Leave the Encryption type as Microsoft-managed key. Set Infrastructure encryption to Enable. Select Create.
D. Return to your storage account and create a new container.
E. On the New container page, notice the Name and Public access level fields. In the Advanced section, select the encryption scope you created so that it applies to all blobs in the container, and then select Create.
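The retention-policy and encryption-scope steps above in Azure CLI form, as an added example that is not part of the original article; the container, scope and file names are assumptions. Two details matter here that the portal steps do not spell out. First, a time-based retention policy is created unlocked, and an unlocked policy can still be shortened or deleted by an administrator; the container only becomes tamper-proof in the sense the developers asked for once the policy is locked, so the script leaves a comment on where that step goes. Second, a container's default encryption scope can be overridden per blob unless override is explicitly prevented, so the new container is created with that override blocked. The `verify_delete_blocked` function is the scripted form of step F.

```shell
#!/bin/sh
# Added example (not from the original article): az CLI form of the retention
# policy and encryption-scope steps. Names and the sample file are assumptions.
# Run with AZ=echo to preview without changing anything.
set -eu
AZ="${AZ:-az}"

# --auth-mode login uses your Azure AD identity rather than the account key.
create_container() {
  "$AZ" storage container create --account-name "$1" --name "$2" --auth-mode login
}

upload_blob() {
  "$AZ" storage blob upload --account-name "$1" --container-name "$2" \
    --name "$3" --file "$4" --auth-mode login
}

# Unlocked time-based policy, 5 days as in the walkthrough. An unlocked policy
# can still be shortened or deleted by an administrator; once the interval is
# final, lock it with: az storage container immutability-policy lock ...
set_retention_days() {
  "$AZ" storage container immutability-policy create \
    --resource-group "$1" --account-name "$2" --container-name "$3" --period "$4"
}

# Step F as a check: deleting the blob must be refused while the policy holds.
verify_delete_blocked() {
  if "$AZ" storage blob delete --account-name "$1" --container-name "$2" \
       --name "$3" --auth-mode login >/dev/null 2>&1; then
    echo "ERROR: blob $3 was deleted; the retention policy is not in effect" >&2
    return 1
  fi
  echo "OK: delete of $3 refused by the retention policy"
}

# Encryption scope with a Microsoft-managed key and infrastructure encryption.
create_encryption_scope() {
  "$AZ" storage account encryption-scope create \
    --resource-group "$1" --account-name "$2" --name "$3" \
    --key-source Microsoft.Storage --require-infrastructure-encryption true
}

# Container that applies the scope to every blob and refuses per-blob overrides.
create_scoped_container() {
  "$AZ" storage container create --account-name "$1" --name "$2" \
    --default-encryption-scope "$3" --prevent-encryption-scope-override true \
    --auth-mode login
}

# Args: resource group, storage account.
configure_retention_and_scope() {
  printf 'constructed sample record\n' > ./record.txt   # constructed test file
  create_container "$2" hold
  upload_blob "$2" hold record.txt ./record.txt
  set_retention_days "$1" "$2" hold 5
  verify_delete_blocked "$2" hold record.txt
  create_encryption_scope "$1" "$2" scope-infra
  create_scoped_container "$2" scoped-data scope-infra
}

if [ "${APPLY:-0}" = 1 ]; then
  configure_retention_and_scope rg-webapp-lab stwebapplab001
fi
```

Because the account was created with infrastructure encryption in the first section, the scope's own infrastructure-encryption flag is what lets developers prove that property per container rather than per account. Note that `verify_delete_blocked` only makes sense against a real account: with AZ=echo the delete "succeeds" and the function reports an error by design.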