An Azure storage account provides a unique namespace to store and access your Azure storage data objects. Every object that you store in Azure Storage has an address that includes your unique account name. The combination of the account name and the Azure Storage blob endpoint forms the base address for the objects in your storage account. All objects in a storage account are billed together as a group.
By default, the data in your account is available only to the account owner. If you do not have an existing storage account in your subscription, follow the steps outlined in this procedure:
1. Click Storage Accounts from the menu of services to access the Storage Accounts blade.
2. Click Add (+) to create a new storage account. The Create Storage Account blade appears.
3. Provide the following information for the new storage account.
| Parameter | Description |
|---|---|
| Subscription | Select the subscription you want to create this storage account in. |
| Resource Group | Select the resource group to store the storage account in. |
| Storage account name | Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers and must be between 3 and 24 characters. |
| Performance | Standard |
| Account Kind | StorageV2 (General Purpose v2) |
| Replication | RA-GRS |
| Access Tier | Hot |
4. Click Review + Create.
5. Once validation has passed, click Create. After a short moment, the storage account is created in your resource group.
Additional Required Settings
- Ensure that 'Secure transfer required' is set to 'Enabled'.
  - For each storage account, go to Configuration and ensure that Secure transfer required is set to Enabled.
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests.
  - For each storage account, use the Diagnostics logs (classic) blade from the Monitoring (classic) section.
  - Set the Status to On, if set to Off.
  - Select Queue properties.
  - Select the Read, Write and Delete options under the Logging section to enable Storage Logging for Queue service.
- Ensure that shared access signature tokens are allowed only over HTTPS.
  - For each storage account, go to Shared Access Signature and set Allowed Protocols to HTTPS only.
- Ensure that 'Public access level' is set to Private for blob containers.
  - For each storage account, go to Containers under Blob Service.
  - For each container, click on Access policy and set the Public Access Level to Private (No Anonymous Access).
- Ensure default network access rule for Storage Accounts is set to deny.
  - For each storage account, click on Firewalls and Virtual Networks under Settings.
  - Ensure that you have elected to allow access from Selected Networks.
  - Add rules to “allow traffic” from “specific network”.
- Ensure 'Trusted Microsoft Services' is enabled for Storage Account access.
  - For each storage account, click on Firewalls and Virtual Networks.
  - Ensure that you have elected to allow access from “selected networks”.
  - Enable the check box for Allow Trusted Microsoft Services to access this storage account.
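
The settings above can also be verified from exported configuration instead of clicking through each blade. The following audit script is an added example, not part of the original procedure. It assumes the account JSON has the shape printed by `az storage account show`, the container JSON has the shape printed by `az storage container list`, and the SAS token carries its allowed protocols in the `spr` query parameter; all sample values are constructed.

```python
import re
from urllib.parse import parse_qs

NAME_RE = re.compile(r"[a-z0-9]{3,24}")  # naming rule from the table above

def audit_account(acct, containers=(), sas_query=None):
    """Return a list of findings; an empty list means every check passed.
    Queue logging (classic diagnostics) is not covered by this sketch."""
    findings = []
    if not NAME_RE.fullmatch(acct.get("name", "")):
        findings.append("name: must be 3-24 lowercase letters and numbers")
    if acct.get("enableHttpsTrafficOnly") is not True:
        findings.append("secure transfer required is not enabled")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("default network access rule is not Deny")
    # bypass is a comma-separated string, e.g. "Logging, Metrics, AzureServices"
    bypass = {b.strip() for b in (rules.get("bypass") or "").split(",")}
    if "AzureServices" not in bypass:
        findings.append("trusted Microsoft services are not allowed")
    for c in containers:
        # Assumption: a private container reports publicAccess as null/None
        level = (c.get("properties") or {}).get("publicAccess")
        if level not in (None, "", "off", "None"):
            findings.append(f"container {c.get('name')}: public access level is {level}")
    if sas_query is not None:
        # When spr is absent, the token permits both https and http
        spr = parse_qs(sas_query.lstrip("?")).get("spr", ["https,http"])[0]
        if spr.lower() != "https":
            findings.append(f"SAS token allows protocols: {spr}")
    return findings

# Constructed sample input (not real resources or tokens)
WEAK = {"name": "Contoso_Logs", "enableHttpsTrafficOnly": False,
        "networkRuleSet": {"defaultAction": "Allow", "bypass": "Logging, Metrics"}}
HARDENED = {"name": "contosologs01", "enableHttpsTrafficOnly": True,
            "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"}}
CONTAINERS = [{"name": "public-site", "properties": {"publicAccess": "blob"}},
              {"name": "backups", "properties": {"publicAccess": None}}]
SAS_MIXED = "sv=2020-08-04&ss=b&sp=r&spr=https,http&sig=PLACEHOLDER"
SAS_HTTPS = "sv=2020-08-04&ss=b&sp=r&spr=https&sig=PLACEHOLDER"

if __name__ == "__main__":
    for label, args in (("weak", (WEAK, CONTAINERS, SAS_MIXED)),
                        ("hardened", (HARDENED, CONTAINERS[1:], SAS_HTTPS))):
        print(label, audit_account(*args) or "all checks passed")
```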