DEV Community

Cover image for How to Secure Private Documents with Azure Blob Storage | Step-by-Step Azure Guide
forsyth famous
forsyth famous

Posted on

How to Secure Private Documents with Azure Blob Storage | Step-by-Step Azure Guide

#azure #microsoft #cloud #learning

Introduction

In my previous article, I walked through how to host a public website using Azure Blob Storage. While public access is useful for static websites and publicly available content, not every file stored in the cloud should be accessible to everyone.

In many real-world environments, organizations need a secure way to store internal documents, sensitive files, backups, and private company data while still maintaining scalability and availability in the cloud.

In this article, we will build on the same Azure environment from the previous lab by reusing the existing Resource Group and Storage Account setup. If you did not follow the previous article, you can access it here:

How to Host a Public Website Using Azure Blob Storage
forsyth_famous_ profile

How to Host a Public Website Using Azure Blob Storage

#cloud #microsoft #azure #microsoftcloud
3
Comments 1
7 min read

For this lab, we will configure private Azure Blob Storage, restrict anonymous access, generate secure Shared Access Signature (SAS) access, and implement lifecycle management and replication policies for better storage optimization and resiliency.

By the end of this guide, you will understand how to securely manage private documents in Azure Blob Storage using industry-standard cloud practices.

Scenario

A company requires secure cloud storage for internal office and departmental documents. Since the data contains private organizational information, it must not be publicly accessible without authorization.

The storage solution must also provide high availability in the event of a regional outage while supporting backup and replication for the company’s public website storage.

In this lab, we will configure Azure Blob Storage to meet these requirements using private containers, Shared Access Signatures (SAS), lifecycle management, and object replication.

Create a storage account and configure high availability.

  1. Create a storage account for the internal private company documents.

    • In the portal, search for and select Storage accounts. storage
    • Select + Create. create
    • Select the Resource group created in the previous lab. prev lab
    • Set the Storage account name to private. Add an identifier to the name to ensure the name is unique (i added eazi). privateeazi
    • Select Review, and then Create the storage account. Review
    • Click on create. create
    • Wait for the storage account to deploy, and then select Go to resource. resource

  2. This storage requires high availability if there’s a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

    • In the storage account, in the Data management section, select the Redundancy blade. Redundancy
    • Ensure Geo-redundant storage (GRS) is selected. geo
    • Refresh the page. refresh
    • Review the primary and secondary location information. location
    • Save your changes. save

Create a storage container, upload a file, and restrict access to the file.

  1. Create a private storage container for the corporate data.

    • In the storage account, in the Data storage section, select the Containers blade. containers
    • Select + Container. add container
    • Ensure the Name of the container is private. name
    • Ensure the Public access level is Private (no anonymous access). private
    • As you have time, review the Advanced settings, but take the defaults. advance
    • Select Create. click

  2. For testing, upload a file to the private container. he type of file doesn’t matter. A small image or text file is a good choice. Test to ensure the file isn’t publicly accessible.

    • Select the container. container
    • Select Upload. upload
    • Browse to files and select a file. browse
    • Upload the file. upload
    • Select the uploaded file. file
    • On the Overview tab, copy the URL. URL
    • Paste the URL into a new browser tab. Paste
    • Verify the file doesn’t display and you receive an error. error

  3. An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

    • Select your uploaded blob file and move to the Generate SAS tab. generate
    • In the Permissions drop-down, ensure the partner has only Read permissions. Read
    • Verify the Start and expiry date/time is for the next 24 hours. expiry
    • Select Generate SAS token and URL. token
    • Copy the Blob SAS URL to a new browser tab. copy browser
    • Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded. eazicam

Configure storage access tiers and content replication.

  1. To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

    • Return to the storage account. back
    • In the Overview section, notice the Default access tier is set to Hot. hot
    • In the Data management section, select the Lifecycle management blade. lifecycle
    • Select Add rule. add rule
    • Set the Rule name to movetocool. rule name
    • Set the Rule scope to Apply rule to all blobs in the storage account. Apply
    • Select Next. Next
    • Ensure Last modified is selected. Lastn
    • Set More than (days ago) to 30. 30
    • In the Then drop-down select Move to cool storage. to storage
    • As you have time, review other lifecycle options in the drop-down. explore
    • Add the rule. add

  2. The public website files need to be backed up to another storage account.

    • In your storage account, create a new container called backup. Use the default values. Refer back to Lab 02a if you need detailed instructions. backup
    • Navigate to your publicwebsite storage account. This storage account was created in the previous exercise. public
      • In the Data management section, select the Object replication blade. object rep
      • Select Create replication rules. reprun
      • Set the Destination storage account to the private storage account. pri
      • Set the Source container to public and the Destination container to backup. desn
      • Create the replication rule. now
    • Optionally, as you have time, upload a file to the public container. Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup folder. back upolad view backup

Conclusion

Congratulations on completing the lab.

In this exercise, we explored how to secure internal company documents using Azure Blob Storage by implementing private access controls and secure sharing mechanisms. We also looked at additional storage management features such as lifecycle policies and object replication to improve both cost optimization and data resiliency.

Some key takeaways from this lab include:

  • Azure Blob Storage can securely store private organizational data.
  • Containers can be configured to block anonymous public access.
  • Shared Access Signatures (SAS) provide controlled and temporary access to files.
  • Lifecycle management helps automate storage tier optimization.
  • Object replication improves backup and disaster recovery capabilities.

This lab also demonstrates the importance of designing cloud storage solutions based on business requirements, balancing security, accessibility, scalability, and cost efficiency.

If you followed my previous article on hosting a public website using Azure Blob Storage, you have now seen both sides of Azure Storage, public access for web hosting and private access for secure internal storage.

See you in the next article.

Top comments (0)