Resource Group: azure-billing-rg

Overview

The azure-billing-rg resource group centralizes storage resources for efficient management and scalability within Azure. Its primary purpose is to create and manage a storage account named "wusmbilling" in the Central US region. This storage account supports the Blob, File, Queue, and Table services, covering unstructured and structured data as well as file sharing. The configurations implemented are intended to keep the storage account secure, reliable, and optimized for performance; the Security Overview below notes where the current settings fall short of that intent.

Resources

1. Storage Account

  • Type: Microsoft.Storage/storageAccounts
  • Name: wusmbilling
  • API Version: 2023-05-01
  • Location: Central US
  • Properties:
    • Access Tier: Hot (indicating frequent access to data)
    • Allow Blob Public Access: True (this setting permits containers in the account to be configured for anonymous read access, so container-level access settings need careful management)
    • TLS Version: Minimum of TLS1_0 (note: TLS 1.0 is considered insecure; raising the minimum to TLS1_2 is recommended)
    • Encryption: Account-level encryption enabled for Blob and File services.
    • Network ACLs:
      • Bypass: Azure Services (allows access from Azure resources)
      • Default Action: Allow (with this default, the IP rules below never deny anything, so they do not restrict which public addresses can connect)
      • IP Rules: Allows traffic from the IP range 128.252.0.0/16.
    • Public Network Access: Enabled (this means that the storage account is accessible from the internet).
    • Supports HTTPS Traffic Only: True (reinforces secure access).
  • SKU: Standard_LRS (locally redundant storage).

2. Blob Service

  • Type: Microsoft.Storage/storageAccounts/blobServices
  • Name: wusmbilling/default
  • API Version: 2023-05-01
  • Depends On: wusmbilling
  • Properties:
    • Container deletion retention policy enabled for 7 days.
    • CORS (cross-origin resource sharing) rules: None defined.
    • Delete retention policy: deleted blobs are retained for 7 days before permanent deletion.

3. File Service

  • Type: Microsoft.Storage/storageAccounts/fileServices
  • Name: wusmbilling/default
  • API Version: 2023-05-01
  • Depends On: wusmbilling
  • Properties:
    • CORS rules: None defined.
    • Share deletion retention policy enabled for 7 days.
    • Protocol settings configured for SMB (Server Message Block) file sharing.

4. Queue Service

  • Type: Microsoft.Storage/storageAccounts/queueServices
  • Name: wusmbilling/default
  • API Version: 2023-05-01
  • Depends On: wusmbilling
  • Properties:
    • CORS rules: None defined.

5. Table Service

  • Type: Microsoft.Storage/storageAccounts/tableServices
  • Name: wusmbilling/default
  • API Version: 2023-05-01
  • Depends On: wusmbilling
  • Properties:
    • CORS rules: None defined.

Data Storage

Data is stored within the wusmbilling storage account, which serves as the central repository for unstructured data through Blob storage and structured data through Table storage. The storage account also provides file sharing through the File service and messaging through the Queue service. The deletion retention policies configured across these services allow deleted data to be recovered within the retention period, reducing the risk of accidental data loss.

Networking

The storage account is configured with network access rules that allow communication from Azure services and from a specific public IP range (128.252.0.0/16). Because the storage account allows public network access, and because Blob public access is enabled, it must be secured carefully against unauthorized access. No virtual network rules are defined in this configuration, so the additional layer of protection that virtual network integration would provide is not used here.

Security Overview

Several security considerations are important regarding this ARM template:

  • Public Access: The storage account allows public access to Blobs, which can lead to potential data exposure. It's crucial to monitor and manage public access to avoid unauthorized access to sensitive data.
  • TLS Version: The minimum TLS version is set to TLS1_0; upgrading this to TLS1_2 is recommended, since TLS 1.0 has known weaknesses.
  • Network ACLs: Although bypassing Azure Services is often necessary for functionality, it widens the set of sources that can reach the account. More importantly, the default action is Allow, so the 128.252.0.0/16 IP rule does not actually restrict access. Setting the default action to Deny, limiting public access, and enabling virtual network integration would enhance security.
  • Data Retention Policies: Retaining deleted items for 7 days helps mitigate accidental deletions, but stakeholders should evaluate if this period meets their data recovery and compliance needs.
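The following checker is an added example and is not part of the generated documentation or of the ARM template it describes. It reconstructs the storage account's documented settings as a dict using the standard Microsoft.Storage/storageAccounts ARM property names (the values are taken from this page), flags the weak settings listed in the Security Overview, and shows the corrected settings beside them; the check_storage_account and harden functions are assumed names introduced here.

```python
import copy

# Constructed from the values this page lists for wusmbilling, using the standard
# Microsoft.Storage/storageAccounts ARM property names.
DOCUMENTED_ACCOUNT = {
    "name": "wusmbilling",
    "properties": {
        "allowBlobPublicAccess": True,
        "minimumTlsVersion": "TLS1_0",
        "supportsHttpsTrafficOnly": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "bypass": "AzureServices",
            "defaultAction": "Allow",
            "ipRules": [{"value": "128.252.0.0/16", "action": "Allow"}],
        },
    },
}

TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2"]  # weakest to strongest, ARM spelling

def check_storage_account(resource):
    """Return [(property, finding), ...] for the weak settings discussed above."""
    p = resource["properties"]
    acls = p.get("networkAcls", {})
    findings = []
    if p.get("allowBlobPublicAccess", True):  # older API versions default to true
        findings.append(("allowBlobPublicAccess", "containers can be made anonymously readable"))
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.index(tls) < TLS_ORDER.index("TLS1_2"):
        findings.append(("minimumTlsVersion", f"{tls} accepted; require TLS1_2"))
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append(("supportsHttpsTrafficOnly", "plain HTTP is accepted"))
    if (p.get("publicNetworkAccess", "Enabled") == "Enabled"
            and acls.get("defaultAction", "Allow") == "Allow"):
        # With defaultAction Allow the ipRules list never denies anything, so the
        # 128.252.0.0/16 rule does not limit which public addresses can connect.
        findings.append(("networkAcls.defaultAction", "Allow: IP rules are ineffective"))
    return findings

def harden(resource):
    """Return a copy with the changes the Security Overview recommends applied."""
    fixed = copy.deepcopy(resource)
    p = fixed["properties"]
    p["allowBlobPublicAccess"] = False
    p["minimumTlsVersion"] = "TLS1_2"
    p["supportsHttpsTrafficOnly"] = True
    # Deny by default, so only the bypass and the listed IP range can reach the account.
    p["networkAcls"]["defaultAction"] = "Deny"
    return fixed
```

Running check_storage_account on the documented settings reports three findings (public blob access, TLS1_0, and the Allow default action); running it on harden(DOCUMENTED_ACCOUNT) reports none. If private endpoints are adopted later, publicNetworkAccess can additionally be set to Disabled.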

Other Information

  • Cost Management: Using Standard_LRS helps keep costs in check, but choosing appropriate access tiers according to usage patterns (Hot vs. Cool) can further optimize expenses.
  • Scalability: The storage account scales with demand, allowing businesses to manage variable workloads effectively.
  • CORS Configuration: Implementing CORS rules might be necessary in scenarios where storage needs to be accessed from different domains securely.

This detailed documentation on the ARM template provides insights into the architecture and security of resources within the Azure billing resource group, facilitating effective management and secure use of cloud resources.

Note: This document was generated using the Azure Assistants script and an LLM

Updated on October 29, 2024