Accessing Azure Storage
Every object stored in Azure Storage has a unique URL. The storage account name forms the subdomain of the URL, and the subdomain combined with the service-specific domain forms the endpoint.
Default Service Endpoints
If your storage account is named mystorageaccount, the default endpoints are:
- Blob (Container) service: http://mystorageaccount.blob.core.windows.net
- Table service: http://mystorageaccount.table.core.windows.net
- Queue service: http://mystorageaccount.queue.core.windows.net
- File service: http://mystorageaccount.file.core.windows.net
Accessing Objects
To access an object, append its path to the service endpoint.
Example:
http://mystorageaccount.blob.core.windows.net/mycontainer/myblob
Configuring a Custom Domain for Azure Blob Storage
By default, Azure Blob Storage uses the endpoint:
<storage-account-name>.blob.core.windows.net
You can map a custom domain (for example, www.contoso.com) to your blob or static website endpoint so users can access blob data using a friendly URL.
⚠️ Azure Storage does not natively support HTTPS with custom domains. To use HTTPS, integrate Azure CDN with your storage account.
Custom Domain Configuration Options
1. Direct CNAME Mapping
Map a custom subdomain directly to the blob endpoint.
Example DNS record:
| CNAME Record | Target |
|---|---|
| blobs.contoso.com | contosoblobs.blob.core.windows.net |
This approach is simple but may cause brief downtime if the domain is already in use.
2. Intermediary Mapping (asverify)
To avoid downtime, use an asverify subdomain to validate ownership before switching traffic.
Example DNS records:
| CNAME Record | Target |
|---|---|
| asverify.blobs.contoso.com | asverify.contosoblobs.blob.core.windows.net |
| blobs.contoso.com | contosoblobs.blob.core.windows.net |
This method allows Azure to validate the domain without interrupting live traffic.
✔️ A Blob storage account exposes only the Blob service endpoint, and custom domains can be configured specifically for blob access.
Securing Azure Storage Endpoints
Azure Storage provides network-level security through Firewalls and Virtual Networks.
Firewall and Virtual Network Controls
- Restrict access to specific virtual networks and subnets
- Allow access from selected public IP address ranges
- Virtual networks and subnets must be in the same region or region pair as the storage account
✔️ Always test access restrictions to ensure the endpoint behaves as expected.
Demonstration: Securing a Storage Endpoint
Step 1: Create a Storage Account (Azure Portal)
- Go to All services → Storage Accounts → Add
- Select a subscription
- Create a new resource group
- Enter a unique storage account name (3–24 lowercase letters and numbers)
- Select a location
- Use the default settings:
  - Deployment model: Resource Manager
  - Performance: Standard
  - Account kind: StorageV2
  - Replication: LRS
  - Access tier: Hot
- Select Review + Create, then Create
Step 2: Upload a File
- Create a file share in the storage account
- Upload a file
- Generate a Shared Access Signature (SAS) and connection string
- Use Azure Storage Explorer to access the file share
- Verify the uploaded file is accessible
ℹ️ This demonstration requires an existing virtual network with a subnet.
Step 3: Create a Subnet Service Endpoint
- Open your Virtual Network
- Select a subnet
- Under Service Endpoints, enable Microsoft.Storage
- Save the changes
Step 4: Secure the Storage Account
- Return to the storage account
- Open Firewalls and virtual networks
- Select Selected networks
- Add the virtual network and subnet
- Save the configuration
Step 5: Test the Storage Endpoint
- Open Azure Storage Explorer
- Refresh the storage account
- Access should now be denied unless traffic originates from the allowed subnet
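Steps 3 to 5 can also be scripted with the Azure CLI. The script below is an added example, not part of the original walkthrough; the function names are illustrative, and the resource group, storage account, virtual network and subnet names are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: Steps 3-5 of the demonstration as Azure CLI calls.
# Function names are illustrative; all resource names are placeholders.
set -eu

# lock_down_storage RESOURCE_GROUP ACCOUNT VNET SUBNET
lock_down_storage() {
  rg=$1; account=$2; vnet=$3; subnet=$4

  # Step 3: enable the Microsoft.Storage service endpoint on the subnet.
  az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
    --name "$subnet" --service-endpoints Microsoft.Storage --output none

  # Step 4a: add the subnet rule first, so the allowed network is already
  # in place when the default action changes.
  az storage account network-rule add --resource-group "$rg" \
    --account-name "$account" --vnet-name "$vnet" --subnet "$subnet" \
    --output none

  # Step 4b: "Selected networks" in the portal is a default action of Deny.
  az storage account update --resource-group "$rg" --name "$account" \
    --default-action Deny --output none
}

# verify_lockdown RESOURCE_GROUP ACCOUNT
# Step 5 (control-plane check): succeeds only if the default action is Deny.
verify_lockdown() {
  action=$(az storage account show --resource-group "$1" --name "$2" \
    --query networkRuleSet.defaultAction --output tsv)
  [ "$action" = "Deny" ]
}

# Runs only when the four resource names are given on the command line.
if [ "$#" -eq 4 ]; then
  lock_down_storage "$@"
  if verify_lockdown "$1" "$2"; then
    echo "OK: default action is Deny"
  else
    echo "WARNING: storage account still allows all networks" >&2
    exit 1
  fi
fi
```

This confirms the configured rule only; still repeat the Storage Explorer test in Step 5 from a client outside the allowed subnet to see the request refused.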
Optional: Create a Storage Account with PowerShell
```powershell
# List the available regions
Get-AzLocation | Select-Object Location
$location = "westus"
$resourceGroup = "storage-demo-resource-group"
New-AzResourceGroup -Name $resourceGroup -Location $location
# The storage account name must be unique (3-24 lowercase letters and numbers)
New-AzStorageAccount -ResourceGroupName $resourceGroup -Name "storagedemo" -Location $location -SkuName Standard_LRS -Kind StorageV2
```
Optional: Create a Storage Account with Azure CLI
```bash
# List the available regions
az account list-locations --query "[].{Region:name}" --out table
az group create --name storage-resource-group --location westus
# The storage account name must be unique (3-24 lowercase letters and numbers)
az storage account create \
  --name storagedemo \
  --resource-group storage-resource-group \
  --location westus \
  --sku Standard_LRS \
  --kind StorageV2
```
⚠️ If you plan to reuse the storage account for other scenarios, remember to reset network access to All networks in the Firewalls and virtual networks settings.