Allow account credential validation for Storage Account over Express Route
In our environment, we have an Express Route which is configured for both Microsoft Peering and Private Peering. We have a virtual estate consisting of a number of VNETS containing replica networks, primarily used for testing, attached to the Azure Storage area account.
We raised a call with MS that has resulted in this thread. To call the Storage Area account it appears that we must:
a) Authenticate our user account over the internet
then b) gain access to our storage account and
c) only then can we upload data over the express route into our storage area.
We would like to "ring fence" our entire Azure estate so that it is accessible entirely via our express route connection. This includes the authentication piece, which we would like done over our express route, negating the need for any additional internet link.
Currently, we've been told by MS that the API that deals with the authentication is only accessible over the internet, which for express route users seems counterproductive.
Hubert Mocko commented
To add to the idea mentioned in the main thread: the call to the storage area is made through the PowerShell AZ module. This module requires authentication through credentials and doesn't have an option to access the storage area by access key only.
Additionally, we have disabled context autosave and data collection, which means each session needs to have credentials provided.
Unfortunately, authentication in the AZ module can take place only through the public internet, which, like Andrew Williams has stated above, is counterproductive and seen as a security risk. It also doesn't make sense, since there is already an express route in place.
The workaround I found is to stop using PowerShell and create a console app in .NET Framework, which supports the package Microsoft.Azure.Storage. However, we would like to stay with PowerShell.
We are particularly interested in sending our backup files to blob storage. We know we can back up directly to Azure storage; however, SQL 2012 doesn't provide an option of encryption for backup. Due to the nature of the data we cannot send files unencrypted, and upgrading to higher versions is not an option due to costs.
Has anyone encountered a similar problem?
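
For the requirement in the comment above that backup files must not be sent unencrypted, one way to encrypt a file locally before any upload, as an added example that is not part of the original thread or Microsoft's own code. It assumes PowerShell 5.0 or later; the function name `Protect-BackupFile`, the output layout and the demo file are constructed for illustration, and key storage is out of scope.

```powershell
# Added example: encrypt-then-MAC (AES-256-CBC + HMAC-SHA256) for a backup file.
# Output layout (constructed here): IV (16 bytes) || ciphertext || HMAC tag (32 bytes).
function Protect-BackupFile {
    param(
        [Parameter(Mandatory)][string]$Path,      # plaintext backup file
        [Parameter(Mandatory)][string]$OutPath,   # encrypted output file
        [Parameter(Mandatory)][byte[]]$EncKey,    # 32-byte AES key
        [Parameter(Mandatory)][byte[]]$MacKey     # separate 32-byte HMAC key
    )
    if ($EncKey.Length -ne 32 -or $MacKey.Length -ne 32) { throw 'Both keys must be 32 bytes.' }
    # .NET file APIs ignore the PowerShell location, so resolve to full paths first.
    $Path    = (Resolve-Path -LiteralPath $Path).ProviderPath
    $OutPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $EncKey
    $aes.GenerateIV()                             # fresh random IV for every file
    $in, $out, $cs = $null
    try {
        $in  = [System.IO.File]::OpenRead($Path)
        $out = [System.IO.File]::Create($OutPath)
        $out.Write($aes.IV, 0, $aes.IV.Length)
        $cs = [System.Security.Cryptography.CryptoStream]::new($out, $aes.CreateEncryptor(),
                  [System.Security.Cryptography.CryptoStreamMode]::Write)
        $in.CopyTo($cs)                           # streamed, so large backups stay out of memory
        $cs.FlushFinalBlock()
    } finally {
        foreach ($d in $cs, $out, $in, $aes) { if ($d) { $d.Dispose() } }
    }
    # Authenticate IV and ciphertext, then append the tag so tampering is detectable on restore.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($MacKey)
    try {
        $fs = [System.IO.File]::OpenRead($OutPath)
        try { $tag = $hmac.ComputeHash($fs) } finally { $fs.Dispose() }
        $fs = [System.IO.File]::Open($OutPath, [System.IO.FileMode]::Append)
        try { $fs.Write($tag, 0, $tag.Length) } finally { $fs.Dispose() }
    } finally { $hmac.Dispose() }
}

# Constructed demo: random keys and a small stand-in file instead of a real backup.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$encKey = New-Object byte[] 32; $macKey = New-Object byte[] 32
$rng.GetBytes($encKey); $rng.GetBytes($macKey)
$src = Join-Path ([System.IO.Path]::GetTempPath()) 'demo.bak'
[System.IO.File]::WriteAllText($src, 'constructed sample data')
Protect-BackupFile -Path $src -OutPath "$src.enc" -EncKey $encKey -MacKey $macKey
```

On restore, recompute the HMAC over everything except the last 32 bytes and compare it with the stored tag before decrypting.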