Skip to main content

Service Endpoints

We will create a storage account and try to enable service endpoints in it. Such that the storage account can be accessed only inside the specified network. So we create a VNET and restrict access to components inside the VNET.  

1. We create a storage account and create a container and upload an image to the blob container.

 2. Next we create a VNET and add 2 subnets. 

3. We then enable networking on the storage account by traffic only from the first subnet. 

This will enable service endpoints in the subnet
Note that the second subnet doesnt have a service endpoint configured. So access is specific to a VNET and a subnet inside it (not to all subnets in it).
4. Then we try to view the uploaded blob in the browser (wont work). 
5. Then we create a VM and then add it to the subnet that has access to the storage account..
 6. Inside the VM if we try to access the same blob we find that we are able to view the image.
7. The same storage account cannot be accessed from the azure portal as well if the IP has not been added in the firewall configuration. 

To view the storage account content add the IP from the networking tab for the storage account



Comments

Post a Comment

Popular posts from this blog

App Role assignment to service principal --

 Using Ms Graph Rest API's Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see  Permissions . Permission type Permissions (from least to most privileged) Delegated (work or school account) AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All Delegated (personal Microsoft account) Not supported. Application AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All Create 2 app registrations. App role owner will contain the app role that will be assigned to a service principal. The  reader role in approleowner will be added to the approlesubscriber Setup postman to use the Oauth auth flow to get a token for MS Graph. ClientId:   Application (client) ID for approlesubscrib...
Post a Comment
Read more

ASp.net core 3.1 identity

It is just an extension to cookie authentication. We get a UI, Tables, helper classes, two factor authentication etc. Even EF and its database constructs. So instead of writing code for all of this we can just use these in built features. Extending Default Identity Classes Add a class that inherits from    public class AppUser : IdentityUser     {         public string Behavior { get; set; }     } Also change the user type in login partial.cs under shared folder Then add migrations and update db using migrations. We can customize further.  services.AddDefaultIdentity<AppUser>(options =>              {                 options.SignIn.RequireConfirmedAccount = true;                 options.Password.RequireDigit = false;           ...
2 comments
Read more

Get user groups

 string[] scopes = new string[] { "https://graph.microsoft.com/.default" };             string clientId = "";             string tenantId = "";             string secret = "";                        var options = new TokenCredentialOptions             {                 AuthorityHost = AzureAuthorityHosts.AzurePublicCloud             };             // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential             try             {                 var clientSecretCredential = new ClientSecretCredential(                        ...
Post a Comment
Read more