In MedStack Control you have the ability to set up and work with Azure Blob for storing objects, including static and dynamic assets. This service, as with all MedStack services, is provisioned with the necessary privacy and security controls for HIPAA compliance. There are a variety of ways that you can securely interface with Azure Blob:
- Through an app running on MedStack
- Using Azure CLI
- Using Microsoft Azure Explorer on your workstation
This article demonstrates each of the methods listed above.
Before you can interact with Azure Storage, you need to create a Shared Access Signature (SAS) token. This article goes through the steps of how you can generate a SAS token in MedStack Control to access a container or a blob in your object store.
Create a SAS token in MedStack Control
The MedStack Control dashboard allows you to create SAS tokens and token URLs for accessing containers and blobs.
- Containers are folder-like structures on Azure Blob. Containers are only one level deep and only contain blobs within them. A container cannot be nested within another container.
- Blobs are objects stored within containers. They represent data securely stored on Azure Blob, ranging from static page assets to dynamic, user-controlled assets such as images and documents.
Once you have logged into MedStack Control, head to the Control section and select the cluster in which you'd like to set up Azure Blob. At the bottom of the cluster overview page, you'll see a "Storage Account" section.
Note: Storage accounts are not enabled automatically. You will need to create a ticket with MedStack Support and request that the storage account be enabled for your company.
Create a Storage Account
Clicking on the "Create storage account" button will create a storage account for you with a unique name.
Create a Container
Clicking on the "Manage" button will take you to the manage storage account page.
On the manage storage account page, click on the "Create container" button and fill out the form with a container name and click "Create".
Note: The container name can only contain numbers, lowercase letters and hyphens (-).
On the Manage storage account page, you should now see the container with the name you entered in the form.
Generate SAS token
A SAS token can be generated for a container or for a specific blob inside the container. In order to create a SAS token for a specific container, click on the "Generate token" button beside the container name.
On the Generate SAS token page:
- Select the scope of the token - either a container or a blob.
- Choose your permissions based on the scope you'd like the token to have.
- Select an end date (expiry date) of the SAS token.
- Click the "Generate SAS Token and URL" button to generate the token.
Note: If you are using the SAS token from within the cluster, you do not need to enter anything in the "Allowed IP range" text field. However, if the SAS token will be used from outside the cluster, you need to enter your public IP address in the "Allowed IP range" text field.
Allow IP Addresses to access the Storage Account
If you wish to interact with Azure Blob from outside the cluster using any SAS token generated, you can apply a global allowed IP rule to the Storage Account. The stringent networking rules applied to clusters on MedStack Control prevent external requests to cluster resources except for those from allowed IP addresses.
A common case for creating a global allowed IP address access rule is when permitting a local machine to access the Storage Account. In this section, we'll review adding an allowed IP address rule.
On the manage storage account page, click on the "Allowed IPs" tab and then click on the "New Rule" button.
Enter a Rule name and an IP address, then click "Create".
You will see the rule added in the Allowed IP addresses section.
Allow IP Addresses to access the Storage Account using SAS Token rules
In the event that you do not wish to create a global allowed IP address rule on the Storage Account, you can include an allowed IP range when provisioning the SAS token. This will permit requests from allowed IP addresses using only the generated SAS token without needing to provision an allowed IP address rule for the entire Storage Account.
The steps for generating the SAS token are the same as mentioned above. However, you will need to fill the "Allowed IP range" text field before you generate the SAS token.
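The scope, permissions, expiry and "Allowed IP range" choices made on the Generate SAS token page all end up as query parameters in the generated URL, so it is worth checking a URL before handing it to an app or a workstation. The following is an added example, not part of the MedStack article or its product: it parses the standard Azure SAS parameters (sr, sp, se, sip) and reports over-broad scope, distant expiry or a missing IP restriction. The storage account name, container, blob and signature values are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Azure SAS query parameters used here: sr (signed resource), sp (signed
# permissions), se (signed expiry), sip (signed IP range), sig (signature).
RESOURCE = {"b": "blob", "c": "container"}
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write",
               "d": "delete", "l": "list"}

def inspect_sas(url, now=None, max_days=7):
    """Parse a SAS URL and return its scope, permissions, expiry, allowed IP
    range and a list of findings a reviewer would want before using it."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    perms = [PERMISSIONS.get(p, p) for p in q.get("sp", "")]
    expiry = None
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    findings = []
    if parts.scheme != "https":
        findings.append("token would be sent over plain HTTP")
    if expiry is None or expiry <= now:
        findings.append("token is expired or has no expiry")
    elif (expiry - now).days > max_days:
        findings.append(f"expiry is more than {max_days} days out")
    if "sip" not in q:
        findings.append("no allowed IP range (sip): only suitable for in-cluster use")
    if q.get("sr") == "c" and {"write", "delete"} & set(perms):
        findings.append("container-wide write/delete: prefer a blob-scoped token")
    return {"account": parts.netloc.split(".")[0],
            "scope": RESOURCE.get(q.get("sr"), q.get("sr")),
            "path": parts.path, "permissions": perms, "expires": expiry,
            "allowed_ip": q.get("sip"), "findings": findings}

# Constructed samples with dummy signatures (not real tokens).
BROAD_URL = ("https://examplestorage.blob.core.windows.net/uploads"
             "?sv=2021-06-08&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&sig=REDACTED")
EXPIRED_URL = ("https://examplestorage.blob.core.windows.net/uploads/report.pdf"
               "?sv=2021-06-08&sr=b&sp=r&se=2020-01-01T00:00:00Z"
               "&sip=203.0.113.7&sig=REDACTED")

if __name__ == "__main__":
    for url in (BROAD_URL, EXPIRED_URL):
        for key, value in inspect_sas(url).items():
            print(f"{key}: {value}")
        print()
```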