Securing and Monitoring Data in Azure Data Lake
Data Lake forms the key storage layer for data engineering pipelines. Security and the monitoring of Data Lake accounts are key aspects of Data Lake maintenance. This chapter will focus on configuring security controls such as firewalls, encryption, and creating private links to a Data Lake account. By the end of this chapter, you will have learned how to configure a firewall, virtual network, and private link to secure the Data Lake, encrypt Data Lake using Azure Key Vault, and monitor key user actions in Data Lake.
We will be covering the following recipes in this chapter:
- Configuring a firewall for an Azure Data Lake account using the Azure portal
- Configuring virtual networks for an Azure Data Lake account using the Azure portal
- Configuring private links for an Azure Data Lake account
- Configuring encryption using Azure Key Vault for Azure Data Lake
- Accessing Blob storage accounts using managed identities
- Creating an alert to monitor an Azure Data Lake account
- Securing an Azure Data Lake account with an SAS using PowerShell
Configuring a firewall for an Azure Data Lake account using the Azure portal
Data Lake account access can be restricted to an IP or a range of IPs by whitelisting the allowed IPs in the storage account firewall. In this recipe, we'll learn to restrict access to a Data Lake account using a firewall.
Getting ready
Before you start, perform the following steps:
- Open a web browser and go to the Azure portal at https://portal.azure.com.
- Make sure you have an existing storage account. If not, create one using the Provisioning an Azure storage account using the Azure portal recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
How to do it…
To provide access to an IP or range of IPs, follow these steps:
- In the Azure portal, locate and open the Azure storage account. In our case, the storage account is packtadestoragev2, created in the Provisioning an Azure storage account using the Azure portal recipe of Chapter 1, Creating and Managing Data in Azure Data Lake.
- On the storage account page, in the Security + Networking section, locate and select Firewalls and virtual networks.
As the packtadestoragev2 account was created with public access, it can be accessed from all networks.
- To allow access from an IP or an IP range, click on the Selected networks option on the storage account on the Firewalls and virtual networks page:
Figure 2.1 – Azure Storage – Firewalls and virtual networks
- In the Selected networks option, scroll down to the Firewall section. To give access to your machine only, select the Add your client IP address option. To give access to a different IP or range of IPs, type in the IPs in the Address range section:
Figure 2.2 – The whitelist IPs in the Azure Storage Firewall section
- To access storage accounts from Azure services such as Azure Data Factory and Azure Functions, check Allow Azure services on the trusted services list to access this storage account under the Exceptions heading.
- Click Save to save the configuration changes.
How it works…
Firewall settings are used to restrict access to an Azure storage account to an IP or range of IPs. Even if a storage account is public, it will only be accessible to the whitelisted IPs defined in the firewall configuration.
Configuring virtual networks for an Azure Data Lake account using the Azure portal
A storage account can be public which is accessible to everyone, public with access to an IP or range of IPs, or private with access to selected virtual networks. In this recipe, we'll learn how to restrict access to an Azure storage account in a virtual network.
Getting ready
Before you start, perform the following steps:
- Open a web browser and go to the Azure portal at https://portal.azure.com.
- Make sure you have an existing storage account. If not, create one using the Provisioning an Azure storage account using the Azure portal recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
How to do it…
To restrict access to a virtual network, follow the given steps:
- In the Azure portal, locate and open the storage account. In our case, it's packtadestoragev2. On the storage account page, in the Security + Network section, locate and select Firewalls and virtual networks | Selected networks:
Figure 2.3 – Azure Storage – Selected networks
- In the Virtual networks section, select + Add new virtual network:
Figure 2.4 – Adding a virtual network
- In the Create virtual network blade, provide the virtual network name, Address space details, and Subnet address range. The remainder of the configuration values are pre-filled, as shown in the following screenshot:
Figure 2.5 – Creating a new virtual network
- Click on Create to create the virtual network. This is created and listed in the Virtual Network section, as shown in the following screenshot:
Figure 2.6 – Saving a virtual network configuration
- Click Save to save the configuration changes.
How it works…
We first created an Azure virtual network and then added it to the Azure storage account. Creating the Azure virtual network from the storage account page automatically fills in the resource group, location, and subscription information. The virtual network and the storage account should be in the same location.
The address space specifies the number of IP addresses in a given virtual network.
We also need to define the subnet within the virtual network that the storage account will belong to. We can also create a custom subnet. In our case, for the sake of simplicity, we have used the default subnet.
This allows the storage account to only be accessed by resources that belong to the given virtual network. The storage account is inaccessible to any network other than the specified virtual network.
Configuring private links for an Azure Data Lake account
In this recipe, we will be creating a private link to a storage account and using private endpoints to connect to it.
Private links and private endpoints ensure that all communication to the storage account goes through the Azure backbone network. Communications to the storage account don't use a public internet network, which makes them very secure.
Getting ready
Before you start, perform the following steps:
- Open a web browser and go to the Azure portal at https://portal.azure.com.
- Make sure you have an existing storage account. If not, create one using the Provisioning an Azure storage account using the Azure Portal recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
- Make sure you have an existing virtual network configured to the storage account. If not, create one using the Configuring virtual networks for an Azure Data Lake account using the Azure portal recipe in this chapter.
How to do it…
Perform the following steps to configure private links to a Data Lake account:
- Log in to the Azure portal and click on the storage account.
- Click on Networking | the Private Endpoints tab.
- Click on the + Private endpoint button, as shown here:
Figure 2.7 – Creating a private endpoint to a storage account
- Provide an endpoint name, as shown in the following screenshot:
Figure 2.8 – Providing an endpoint name
- In the Resource tab, set Target sub-resource to dfs. Distributed File Systems (DFS) is sub-source if we are connecting to Data Lake Storage Gen2. The rest of the fields are auto-populated. Proceed to the Configuration section:
Figure 2.9 – Setting the target resource type to dfs
- Create a private Domain Name System (DNS) zone by picking the same resource group where you created the storage account, as shown in the following screenshot:
Figure 2.10 – Creating a private DNS
- Hit the Create button to create the private DNS link.
- After the private endpoint is created, open it in the Azure portal. Click on DNS configuration:
- Make a note of the FQDN and IP addresses details. The FQDN is the Fully Qualified Domain Name, which will resolve to the private IP address if, and only if, you are connected to the virtual network.
With the preceding steps, we have created a private endpoint that will use private links to connect to a storage account.
How it works…
We have created a private link to a storage account and ensured that traffic goes through the Microsoft backbone network (and not the public internet), as we will be accessing the storage account via a private endpoint. To show how it works, let's resolve the private URL link from the following locations. Let's perform the following:
- Use
nslookup
to look up a private URL link from your local machine. - Use
nslookup
to look up a private URL link from a virtual machine inside the virtual network.
On your machine, open Command Prompt and type nslookup <FQDN of private link>
, as shown in the following screenshot:
Figure 2.12 – Testing a private endpoint connection outside of the virtual network
nslookup
resolves the private link to an incorrect IP address, as your machine is not part of the virtual network. To see it working, perform the following instructions:
- Create a new virtual machine in the Azure portal. Ensure to allow a remote desktop connection to the virtual machine, as shown in the following screenshot:
Figure 2.13 – Creating a new virtual machine and allowing a remote desktop
- Under Networking, select the virtual network in which the storage account resides:
Figure 2.14 – Configuring the virtual machine to use the virtual network
Once the virtual machine is created, log in to the virtual machine using a remote desktop and perform nslookup
to look up the private link URL again to resolve its IP address. nslookup
is a command that will resolve an URL to an IP address. We will use nslookup
to verify whether the private link URL resolves to a private IP address (10.x.x.x
) and not a public IP address.
nslookup
from a virtual machine inside the virtual network resolves correctly to the private IP address of the private link, as shown in the following screenshot. This shows that the connection goes through a virtual network only and doesn't use public internet:
Figure 2.15 – nslookup from the virtual network
With the previous recipe, we have successfully created a private link to a storage account, configured a private endpoint connection, and accessed it via a virtual machine to verify the connectivity. This recipe covers how you can securely connect to a storage account through virtual networks only by passing a public network.
Configuring encryption using Azure Key Vault for Azure Data Lake
In this recipe, we will create a key vault and use it to encrypt an Azure Data Lake account.
Azure Data Lake accounts are encrypted at rest by default using Azure managed keys. However, you have the option of bringing your own key to encrypt an Azure Data Lake account. Using your own key gives better control over encryption.
Getting ready
Before you start, perform the following steps:
- Open a web browser and go to the Azure portal at https://portal.azure.com.
- Make sure that you have an existing storage account. If not, create one using the Provisioning an Azure storage account using the Azure portal recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
How to do it…
Perform the following steps to add encryption to a Data Lake account using Azure Key Vault:
- Log in to portal.azure.com, click on Create a resource, search for
Key Vault
, and click on Create. Provide the key vault details, as shown in the following screenshot. Click on Review + Create:
Figure 2.16 – Creating an Azure key vault
- Go to the storage account to be encrypted. Search for
Encryption
on the left. Click on Encryption and select Customer-managed keys as the Encryption type. Click on Select a key vault and key at the bottom:
Figure 2.17 – Encrypting using customer-managed keys
- On the new screen, Select a key, select Key vault as Key store type and select the newly created PacktAdeKeyVault as Key vault. Click on Create new key, as shown in the following screenshot:
Figure 2.18 – Selecting Key Vault
- Provide a name for the key to be used for encryption of the storage account. The default option, Generate, ensures that the key is generated automatically. Click on Create:
- Once the key is created, the screen automatically moves to the key vault selection page in the Blob storage, and the newly created key is selected as the key. Click on Select:
Figure 2.20 – Selecting the key
- The screen moves to the encryption page on the Blob storage page. Click on Save to complete the encryption configuration.
How it works…
As the newly created key vault has been set for encryption on an Azure Data Lake account, all Data Lake operations (read
, write
, and metadata
) will use the key from Key Vault to encrypt and decrypt the data in Data Lake. The encryption and decryption operations are fully transparent and have no impact on users' operations.
The Data Lake account automatically gets permissions on the key vault to extract the key and perform encryption on data. You can verify this by opening the key vault in the Azure portal and clicking on Access Policies. Note that the storage account has been granted Get, wrap, and unwrap permissions on the keys, as shown in the next screenshot:
Figure 2.21 – Storage account permissions in Key Vault
Accessing Blob storage accounts using managed identities
In this recipe, we will grant permissions to managed identities on a storage account and showcase how you can use managed identities to connect to Azure Data Lake.
Managed identities are password-less service accounts used by Azure services such as Data Factory and Azure VMs to access other Azure services, such as Blob storage. In this recipe, we will show you how Azure Data Factory's managed identity can be granted permission on an Azure Blob storage account.
Getting ready
Before you start, perform the following steps:
- Open a web browser and go to the Azure portal at https://portal.azure.com.
- Make sure you have an existing storage account. If not, create one using the Provisioning an Azure storage account using the Azure portal recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
How to do it…
We will be testing accessing a Data Lake account using managed identities. To achieve this, we will create a Data Factory account and use Data Factory's managed identity to access the Data Lake account. Perform the following steps to test this:
- Create an Azure Data Factory by using the following PowerShell command:
$resourceGroupName = " packtadestorage"; $location = 'east us' $dataFactoryName = "ADFPacktADE2"; $DataFactory = Set-AzDataFactoryV2 -ResourceGroupName $resourceGroupName -Location $location -Name $dataFactoryName
- Go to the storage account in the Azure portal. Click on Access Control (IAM) and then Add, as shown in the following screenshot:
Figure 2.22 – Adding a role to a managed identity
- Select Add role assignment and search for the
Storage Blob Data Contributor
role. Select the role and click Next. Select Managed identity in Assign access to and click on + Select members, as shown in the following screenshot:
Figure 2.23 – Selecting the Data Factory managed identity
- Your subscription should be selected by default. From the Managed identity dropdown, select Data Factory (V2) (1). Select the recently created ADFPacktADE2 Data Factory and click on the Select button:
Figure 2.24 – Assigning a role to a managed identity
- Click on Review + Assign to complete the assignment. To test whether it's working, open the ADFPacktADE2 Data Factory that was created in step 1. Click on Open Azure Data Factory Studio, as shown in the next screenshot:
Figure 2.25 – Opening Azure Data Factory Studio
- Click on the Manage button on the left and then Linked services. Click on + New, as shown in the following screenshot:
Figure 2.26 – Creating a linked service in Data Factory
- Search for
Data Lake
and select Azure Data Lake Storage Gen 2 as the data store. Select Managed Identity for Authentication method. Select the storage account (packadestoragev2) for Storage account name. Click on Test connection:
Figure 2.27 – Testing a managed identity connection in Data Factory
A successful test connection indicates that we can successfully connect to a storage account using a managed identity.
How it works…
A managed identity for the data factory was automatically created when the Data Factory account was created. We provided the Storage Blob Data Contributor permission on the Azure Data Lake storage account to the managed identity of Data Factory. Hence, Data Factory was successfully able to connect to the storage account in a secure way without using a key/password.
Creating an alert to monitor an Azure storage account
We can create an alert on multiple available metrics to monitor an Azure storage account. To create an alert, we need to define the trigger condition and the action to be performed when the alert is triggered. In this recipe, we'll create an alert to send an email if the used capacity metrics for an Azure storage account exceed 5 MB. The used capacity threshold of 5 MB is not a standard and is deliberately kept low to explain the alert functionality.
Getting ready
Before you start, perform the following steps:
- Open a web browser and log in to the Azure portal at https://portal.azure.com.
- Make sure you have an existing storage account. If not, create one using the Provisioning an Azure storage account using the Azure portal recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
How to do it…
Follow these steps to create an alert:
- In the Azure portal, locate and open the storage account. In our case, the storage account is packtadestoragev2. On the storage account page, search for
alert
and open Alerts in the Monitoring section:
Figure 2.28 – Selecting Alerts
- On the Alerts page, click on + New alert rule:
Figure 2.29 – Adding a new alert
- On the Alerts | Create alert rule page, observe that the storage account is listed by default in the Resource section. You can add multiple storage accounts in the same alert. Under the Condition section, click Add condition:
Figure 2.30 – Adding a new alert condition
- On the Configure signal logic page, select Used capacity under Signal name:
Figure 2.31 – Configuring the signal logic
- On the Configure signal logic page, under Alert logic, set Operator to Greater than, Aggregation type to Average, and configure the threshold to 5 MiB. We need to provide the value in bytes:
Figure 2.32 – Configuring alert logic
Click Done to configure the trigger. The condition is added, and we'll be taken back to the Create alert rule page:
Figure 2.33 – Viewing a new alert condition
- The next step is to add an action to perform when the alert condition is reached. On the Create alert rule page, in the ACTIONS GROUPS section, click Create:
Figure 2.34 – Creating a new alert action group
- On the Add action group page, provide the Action group name, Display name, and Resource group details:
Figure 2.35 – Adding a new alert action group
Figure 2.36 – Selecting the alert action
- Click on Create to create the action group. We are then taken back to the Create rule page. The Email action is listed in the Action Groups section.
- The next step is to define the Severity, Alert rule name, and Alert rule description details:
Figure 2.37 – Creating an alert rule
- Click the Create alert rule button to create the alert.
- The next step is to trigger the alert. To do that, download
BigFile.csv
from the https://github.com/PacktPublishing/Azure-Data-Engineering-Cookbook-2nd-edition/blob/main/Chapter2/BigFile.csv file to the Azure storage account by following the steps mentioned in the Creating containers and uploading files to Azure Blob storage using PowerShell recipe of Chapter 1, Creating and Managing Data in Azure Data Lake. The triggered alerts are listed on the Alerts page, as shown in the following screenshot:
Figure 2.38 – Viewing alerts
- An email is sent to the email ID specified in the email action group. The email appears as shown in the following screenshot:
Figure 2.39 – The alert email
How it works…
Setting up an alert is easy. At first, we need to define the alert condition (a trigger or signal). An alert condition defines the metrics and threshold that, when breached, trigger the alert. We can define more than one condition on multiple metrics for one alert.
We then need to define the action to be performed when the alert condition is reached. We can define more than one action for an alert. In our example, in addition to sending an email when the used capacity is more than 5 MB, we can configure Azure Automation to delete the old blobs/files in order to maintain the Azure storage capacity within 5 MB.
There are other signals, such as transactions, ingress, egress, availability, Success Server Latency, and Success E2E Latency, on which alerts can be defined. Detailed information on monitoring Azure storage is available at https://docs.microsoft.com/en-us/azure/storage/common/storage-monitoring-diagnosing-troubleshooting.
Securing an Azure storage account with SAS using PowerShell
A Shared Access Signature (SAS) provides more granular access to blobs by specifying an expiry limit, specific permissions, and IPs.
Using an SAS, we can specify different permissions to users or applications on different blobs, based on the requirement. For example, if an application needs to read one file/blob from a container, instead of providing access to all the files in the container, we can use an SAS to provide read access on the required blob.
In this recipe, we'll learn to create and use an SAS to access blobs.
Getting ready
Before you start, go through the following steps:
- Make sure you have an existing Azure storage account. If not, create one by following the Provisioning an Azure storage account using PowerShell recipe in Chapter 1, Creating and Managing Data in Azure Data Lake.
- Make sure you have an existing Azure storage container. If not, create one by following the Creating containers and uploading files to Azure Blob storage using PowerShell recipe.
- Make sure you have existing blobs/files in an Azure storage container. If not, you can upload blobs by following the previous recipe.
- Log in to your Azure subscription in PowerShell. To log in, run the
Connect- AzAccount
command in a new PowerShell window and follow the instructions.
How to do it…
Let's begin by securing blobs using an SAS.
Securing blobs using an SAS
- Execute the following command in the PowerShell window to get the storage context:
$resourcegroup = "packtadestorage" $storageaccount = "packtadestoragev2" #get storage context $storagecontext = (Get-AzStorageAccount -ResourceGroupName $resourcegroup -Name $storageaccount). Context
- Execute the following commands to get the SAS token for the
logfile1.txt
blob in thelogfiles
container with list and read permissions:#set the token expiry time $starttime = Get-Date $endtime = $starttime.AddDays(1) # get the SAS token into a variable $sastoken = New-AzStorageBlobSASToken -Container "logfiles" -Blob "logfile1.txt" -Permission lr -StartTime $starttime -ExpiryTime $endtime -Context $storagecontext # view the SAS token. $sastoken
- Execute the following commands to list the blob using the SAS token:
#get storage account context using the SAS token $ctx = New-AzStorageContext -StorageAccountName $storageaccount -SasToken $sastoken #list the blob details Get-AzStorageBlob -blob "logfile1.txt" -Container "logfiles" -Context $ctx
You should get output as shown in the following screenshot:
Figure 2.40 – Listing blobs using an SAS
- Execute the following command to write data to
logfile1.txt
. Ensure you have theLogfile1.txt
file in theC:\ADECookbook\Chapter1\ Logfiles\
folder in the machine you are running the script from:Set-AzStorageBlobContent -File C:\ADECookbook\Chapter1\ Logfiles\Logfile1.txt -Container logfiles -Context $ctx
You should get output as shown in the following screenshot:
Figure 2.41 – Uploading a blob using an SAS
The write fails, as the SAS token was created with list and read access.
Securing a container with an SAS
- Execute the following command to create a container stored access policy:
$resourcegroup = "packtadestorage" $storageaccount = "packtadestoragev2" #get storage context $storagecontext = (Get-AzStorageAccount -ResourceGroupName $resourcegroup -Name $storageaccount). Context $starttime = Get-Date $endtime = $starttime.AddDays(1) New-AzStorageContainerStoredAccessPolicy -Container logfiles -Policy writepolicy -Permission lw -StartTime $starttime -ExpiryTime $endtime -Context $storagecontext
- Execute the following command to create the SAS token:
#get the SAS token $sastoken = New-AzStorageContainerSASToken -Name logfiles -Policy writepolicy -Context
- Execute the following commands to list all the blobs in the container using the SAS token:
#get the storage context with SAS token $ctx = New-AzStorageContext -StorageAccountName $storageaccount -SasToken $sastoken #list blobs using SAS token Get-AzStorageBlob -Container logfiles -Context $ctx
How it works…
To generate a shared access token for a blob, use the New-AzStorageBlobSASToken
command. We need to provide the blob name, container name, permission (l
= list, r
= read, and w
= write), and storage context to generate an SAS token. We can additionally secure the token by providing IPs that can access the blob.
We then use the SAS token to get the storage context using the New-AzStorageContext
command. We use the storage context to access the blobs using the Get-AzStorageBlob
command. Note that we can only list and read blobs and can't write to them, as the SAS token doesn't have write permissions.
To generate a shared access token for a container, we first create an access policy for the container using the New-AzStorageContainerStoredAccessPolicy
command. The access policy specifies the start and expiry time, permission, and IPs. We then generate the SAS token by passing the access policy name to the New-AzStorageContainerSASToken
command.
We can now access the container and the blobs using the SAS token.