Deploying Storage Solutions For a New Company Application.
lotanna obianefo

Publish Date: May 22

As companies expand their digital footprint, deploying effective storage solutions for new applications becomes a critical task. Providing robust, scalable, and secure storage is essential to the success of a new company application, enabling seamless data management and accessibility. This post walks through the process of deploying such a storage solution, with a focus on cloud-based options like Azure, and offers practical steps to implement a reliable infrastructure.

Developers need to ensure the storage is only accessed using keys and managed identities. The developers would like to use role-based access control. To help with testing, protected immutable storage is needed.

Set up a storage account with a managed identity, secure it using a customer-managed key stored in Azure Key Vault, configure encryption and time-based retention policies, and enable key-based access control.

Create the storage account and managed identity

Provision a Storage Account for the Web App

In the Azure portal, search for and select Storage accounts.
Click + Create to start a new storage account deployment. Under Resource group, select Create new, enter a name for the resource group, and click OK to save.

Enter a unique name for the Storage account that complies with naming conventions. Navigate to the Encryption tab. Check the option to Enable infrastructure encryption.

This setting is permanent and cannot be modified after the storage account is created. Click Review + Create, then wait for the deployment to complete.

Provide a managed identity for the web app to use.

In the portal, search for and select Managed identities. Click Create to start a new managed identity. Choose your Resource group. Enter a name for the Managed identity. Click Review + create, then select Create to deploy it.

Assign the correct permissions to the managed identity.
The identity only needs to read and list containers and blobs.

Search for and select your storage account. Select the Access Control (IAM) blade. Select Add role assignment (center of the page).

On the Job functions roles page, search for and select the Storage Blob Data Reader role. On the Members page, select Managed identity. Click Select members, and in the Managed identity drop-down choose User-assigned managed identity.

Select the managed identity you created in the previous step.
Click Select and then Review + assign the role. Select Review + assign a second time to add the role assignment. Your storage account can now be accessed by the managed identity with Storage Blob Data Reader permissions.

Secure access to the storage account with a key vault and key.

To create the key vault and key needed for this part of the exercise, your user account must have Key Vault Administrator permissions.

In the portal, search for and select Resource groups. Select your resource group, and then the Access Control (IAM) blade. Select Add role assignment (center of the page). On the Job functions roles page, search for and select the Key Vault Administrator role.

On the Members page, select User, group, or service principal. Select Select members. Search for and select your user account. Your user account is shown in the top right of the portal. Click Select and then Review + assign. Select Review + assign a second time to add the role assignment. You are now ready to continue with the exercise.

Create a key vault to store the access keys.

In the portal, search for and select Key vaults.
Select Create. Select your resource group. Provide the name for the key vault. The name must be unique.

Ensure on the Access configuration tab that Azure role-based access control (recommended) is selected.
Select Review + create. Wait for the validation checks to complete and then select Create.

After the deployment, select Go to resource. On the Overview blade ensure both Soft-delete and Purge protection are enabled.

Create a customer-managed key in the key vault.

In your key vault, in the Objects section, select the Keys blade. Select Generate/Import and Name the key. Take the defaults for the rest of the parameters, and Create the key.

Configure the storage account to use the customer managed key in the key vault.

Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity.

In the portal, search for and select Resource groups. Select your resource group, and then the Access Control (IAM) blade. Select Add role assignment (center of the page). On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.

On the Members page, select Managed identity. Click Select members, and in the Managed identity drop-down choose User-assigned managed identity. Select your managed identity. Click Select and then Review + assign. Select Review + assign a second time to add the role assignment.

Configure the storage account to use the customer managed key in your key vault.

Return to your storage account. In the Security + networking section, select the Encryption blade. Select Customer-managed keys. Select a key vault and key, then choose your key vault and key. Click Select to confirm your choices. Ensure the Identity type is User-assigned. Select an identity, choose your managed identity, then select Add. Save your changes.

If you receive an error that your identity does not have the correct permissions, wait a minute and try again.
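The portal steps so far (create the storage account with infrastructure encryption and a user-assigned managed identity, grant the identity Storage Blob Data Reader, create a key vault with RBAC, soft-delete and purge protection, generate a key, grant the identity Key Vault Crypto Service Encryption User, and switch the account to that customer-managed key) can be captured in a single Bicep template. The template below is an added example and is not code from the original post; every resource name in it is a placeholder, the role definition IDs are Azure's fixed built-in IDs, and it deliberately scopes the Crypto Service Encryption User role to the vault rather than to the whole resource group as the portal steps do.

```bicep
// Added example (not from the original post): declarative equivalent of the
// portal steps. All names are placeholders; change them for your environment.
param location string = resourceGroup().location
param storageAccountName string = 'stwebapp${uniqueString(resourceGroup().id)}'
param keyVaultName string = 'kv-webapp-${uniqueString(resourceGroup().id)}'
param identityName string = 'id-webapp'
param keyName string = 'storage-cmk'

// Built-in role definition IDs (the same in every Azure tenant).
var storageBlobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
var keyVaultCryptoServiceEncryptionUserRoleId = 'e147488a-f6f5-49eb-8caa-e64e6ea5a3b8'

resource webAppIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true // "Azure role-based access control (recommended)"
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true // required for CMK; cannot be turned off later
  }
}

resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: keyVault
  name: keyName
  properties: { kty: 'RSA', keySize: 2048 }
}

// Storage only needs wrap/unwrap on the key, so the role is granted on the
// vault itself (least privilege) instead of on the resource group.
resource cryptoUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, webAppIdentity.id, keyVaultCryptoServiceEncryptionUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultCryptoServiceEncryptionUserRoleId)
    principalId: webAppIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${webAppIdentity.id}': {} }
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    encryption: {
      requireInfrastructureEncryption: true // double encryption; fixed at creation
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyvaulturi: keyVault.properties.vaultUri
        keyname: cmk.name
        // keyversion omitted: the account follows the key's current version
      }
      identity: { userAssignedIdentity: webAppIdentity.id }
      services: {
        blob: { enabled: true, keyType: 'Account' }
        file: { enabled: true, keyType: 'Account' }
      }
    }
  }
  // The role must exist before Storage first tries to wrap the key.
  dependsOn: [ cryptoUserAssignment ]
}

// Read and list only: the identity gets no write or delete rights on the data.
resource blobReaderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, webAppIdentity.id, storageBlobDataReaderRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReaderRoleId)
    principalId: webAppIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output storageAccountName string = storage.name
output keyVaultUri string = keyVault.properties.vaultUri
```

Deploy it with `az deployment group create --resource-group <your-rg> --template-file main.bicep`. The deploying user needs rights to create role assignments (Owner or User Access Administrator on the resource group). The `dependsOn` orders the deployment correctly, but RBAC propagation can still lag by a minute or so; a permissions error on the storage account step is the same transient condition the portal note above describes, and re-running the deployment resolves it.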

Configure a time-based retention policy and an encryption scope.

The developers require a storage container where files can’t be modified, even by the administrator.

Navigate to your storage account. In the Data storage section, select the Containers blade. Create a container called hold. Take the defaults. Be sure to Create the container. Upload a file to the container.

In the Settings section, select the Access policy blade. In the Immutable blob storage section, select + Add policy. For the Policy type, select time-based retention. Set the Retention period to 5 days. Be sure to Save your changes.

Try to delete the file in the container. Verify you are notified that the blob could not be deleted because of the policy.

The developers require an encryption scope that enables infrastructure encryption.

Navigate back to your storage account. In the Security + networking blade, select Encryption. In the Encryption scopes tab, select Add. Give your encryption scope a name.

The Encryption type is Microsoft-managed key. Set Infrastructure encryption to Enable. Create the encryption scope.

Return to your storage account and create a new container. Notice on the New container page, there is the Name and Public access level. Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container.

Azure provides built-in RBAC roles to manage storage access, supports customer-managed keys for enhanced data protection, and offers immutable storage with time-based or legal hold policies to prevent data modification or deletion. Additionally, infrastructure encryption can be enabled at the account or encryption scope level to meet strict compliance requirements through double encryption.