Questions[azure-storage](server)

Azure Storage Accounts can have their access restricted by IP address or an Azure virtual network (with a Microsoft.Storage service endpoint). When this is done, the storage resource will only accept connections from those designated origins. This covers data operations (read, write, etc.) and control operations (create new container, etc.); I'm calling these the "data" and "management" planes, respectively.

Is it possible to isolate these at a networking level (e.g., with a firewall), or can it only be done at a role level? For example, could I have a VM on the same network that can only do control operations, regardless of the roles of the principal?

I have limited knowledge of PowerShell but I'd like to calculate the total size (in GB) of each storage account, or each container in my storage accounts. I have multiple storage accounts and containers in multiple resource groups.

I'm having a hard time putting together a script that pulls all storage accounts and containers since I have more than one resource group. I found the script below that works fine but it requires entering the name of single storage account and resource group.

Ideally, I want to be able to select all storage accounts in my subscription and not be forced to enter individual storage account name and resource groups. I'd appreciate any help/suggestions with this, thanks!

# Connect to Azure
Connect-AzureRmAccount

# Static Values for Resource Group and Storage Account Names
$resourceGroup = "RGP-01"
$storageAccountName = "storagestg3"

# Get a reference to the storage account and the context
$storageAccount = Get-AzureRmStorageAccount `
-ResourceGroupName $resourceGroup `
-Name $storageAccountName
$ctx = $storageAccount.Context

# Get All Blob Containers
$AllContainers = Get-AzureStorageContainer -Context $ctx
$AllContainersCount = $AllContainers.Count
Write-Host "We found '$($AllContainersCount)' containers. Processing size for each one"

# Zero counters
$TotalLength = 0
$TotalContainers = 0

# Loop to go over each container and calculate size
Foreach ($Container in $AllContainers){
$TotalContainers = $TotalContainers + 1
Write-Host "Processing Container '$($TotalContainers)'/'$($AllContainersCount)'"
$listOfBLobs = Get-AzureStorageBlob -Container $Container.Name -Context $ctx

# zero out our total
$length = 0

# this loops through the list of blobs and retrieves the length for each blob and adds it to the total
$listOfBlobs | ForEach-Object {$length = $length + $_.Length}
$TotalLength = $TotalLength + $length
}
# end container loop

#Convert length to GB
$TotalLengthGB = $TotalLength /1024 /1024 /1024

# Result output
Write-Host "Total Length = " $TotallengthGB "GB"

I am getting an error 520 on my images from sub-sites that domain mapped in wordpress. I am running azure file share with an azure vm that I plan to expand to more vm's. The File share is mounted to the wp-content blogs.dir folder. If I move the images off the file share to the server everything works fine, but if I remount the file share then the images and content stored on the file share is inaccessible to the sub-sites, they are blocked from loading. This leads me to believe its a cross domain issue with Azure File Share, or an issue with the file share handling the mod rewrite, but that is all I have so far. I can't figure out how to resolve.

My goal is to setup a scalable server hosting wordpress that I can connect other servers to for load balancing. So the file share would grant site content no matter the server the user connects to.

The main domain works fine (originaldomain.com) as well the original wordpress domains unmapped (i.e. networkname.originaldomain.com/subsite/), if I access the subsites through their original domains the images load and there are no errors. This only happens with a mapped domain (newdomain.com) and when the blogs.dir (running a multi-network) is mounted to the fileshare.

Please help

We have an SMB share set up in Azure.

Our infrastructure has an on-prem AD which synchronises with Azure AD and then there is an AADDS domain within Azure which has a copy of the user accounts.

If I log onto a computer within the AADDS domain as a user who has IAM read write access to the SMB share then it can be opened. If I try to access from a computer in the on-prem domain as that same user then it gives access denied. I can be logged onto my computer from the on-prem domain and access it as myself so I was assuming it would work for others, but this doesn't seem to be the case.

On the AADDS domain I ran the script like the one below in order to create an account in the Active Directory. I suspect it could be because the account doesn't exist on-prem? The thing is, how would I go about getting both domains to be able to access the SMB share without affecting what is already in place on AADDS?

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Import-Module -Name AzFilesHybrid

Connect-AzAccount

$subscriptionId = "<SUBID>"
$resourceGroupName = "<RESOURCEGROUP>"
$storageAccountName = "<STORAGEACCT>"

Select-AzSubscription $subscriptionId

Join-AzStorageAccountForAuth -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccountName -DomainAccountType ServiceLogonAccount -OrganizationalUnitDistinguishedName "<OU_DN>" -OverwriteExistingADObject

BACKGROUND:

After more testing, it seems that there isn't a way to have authentication to work on two domains simultaneously against the same storage account. The reason why we require this is that the WVD app references a mapped drive. The users need to be able to transfer files to the same mapping from their local ad on-prem joined computers.

I looked into ways around this such as seeing if there is a way to publish the file explorer as an app, but can't seem to do that. If there were a file browser utility that came with the RD Client it would be perfect.

I'm trying to host a static website on Azure storage with a custom domain and HTTPS.

I have created a storage account, uploaded my files, and enabled static site hosting. The site works nicely from the <foo>.web.core.windows.net domain provided by Azure.

I have created a CDN endpoint for the site with the origin hostname set to the primary endpoint provided by Azure, added a custom domain for my www subdomain, provisioned a CDN-managed certificate for it, and added a rule to redirect non-HTTPS requests to https://www.<my-domain>.com. This also works well.

Now I want my apex domain to redirect to my www subdomain.

CNAMEs aren't an option, but I have added an alias A record for @ pointing to my CDN endpoint and added the apex domain as a custom domain to the CDN.

Requests to http://<my-domain>.com redirect nicely, but requests to https://<my-domain>.com understandably give a scary SSL_ERROR_BAD_CERT_DOMAIN error. Azure does not support CDN-managed certificate for apex domains:

CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.

I don't want to actually host anything on my apex domain—I just want to redirect it to my www subdomain. Manually provisioning (and maintaining) a certificate seems like a lot of overhead.

The domain registrar, GoDaddy, has a "forwarding" feature that did what I want, but I prefer to keep my DNS hosted with Azure.

Is there a way to redirect apex domain HTTPS requests to my www subdomain without manually provisioning a certificate for my apex domain or moving my DNS out of Azure?