storage-require-secure-transfer.md

title: Require secure transfer in Azure Storage | Microsoft Docs
description: Learn about the "Secure transfer required" feature for Azure Storage, and how to enable it.
services: storage
author: fhryo-msft
ms.service: storage
ms.topic: article
ms.date: 06/20/2017
ms.author: fryu
ms.component: common

Require secure transfer in Azure Storage

The "Secure transfer required" option enhances the security of your storage account by only allowing requests to the account from secure connections. For example, when you're calling REST APIs to access your storage account, you must connect by using HTTPS. "Secure transfer required" rejects requests that use HTTP.

When you use the Azure Files service, any connection without encryption fails when "Secure transfer required" is enabled. This includes scenarios that use SMB 2.1, SMB 3.0 without encryption, and some versions of the Linux SMB client. 

By default, the "Secure transfer required" option is disabled when you create a storage account with the SDK, and enabled when you create a storage account in the Azure portal.

Note

Because Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when you're using a custom domain name. Classic storage accounts are also not supported.

Enable "Secure transfer required" in the Azure portal

You can turn on the "Secure transfer required" setting when you create a storage account in the Azure portal. You can also enable it for existing storage accounts.

Require secure transfer for a new storage account

  1. Open the Create storage account pane in the Azure portal.
  2. Under Secure transfer required, select Enabled.

[Image: Create storage account blade]

Require secure transfer for an existing storage account

  1. Select an existing storage account in the Azure portal.
  2. In the storage account menu pane, under SETTINGS, select Configuration.
  3. Under Secure transfer required, select Enabled.

[Image: Storage account menu pane]

Enable "Secure transfer required" programmatically

To require secure transfer programmatically, set supportsHttpsTrafficOnly in the storage account properties by using the REST API, tools, or libraries:

Enable "Secure transfer required" setting with PowerShell

This sample requires the Azure PowerShell module version 4.1 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to install or upgrade, see Install Azure PowerShell module.

Run Connect-AzureRmAccount to create a connection with Azure.

Use the following command line to check the setting:

> Get-AzureRmStorageAccount -Name "{StorageAccountName}" -ResourceGroupName "{ResourceGroupName}"
StorageAccountName     : {StorageAccountName}
Kind                   : Storage
EnableHttpsTrafficOnly : False
...

Use the following command line to enable the setting:

> Set-AzureRmStorageAccount -Name "{StorageAccountName}" -ResourceGroupName "{ResourceGroupName}" -EnableHttpsTrafficOnly $True
StorageAccountName     : {StorageAccountName}
Kind                   : Storage
EnableHttpsTrafficOnly : True
...

Enable "Secure transfer required" setting with CLI

Use the following command line to check the setting:

> az storage account show -g {ResourceGroupName} -n {StorageAccountName}
{
  "name": "{StorageAccountName}",
  "enableHttpsTrafficOnly": false,
  "type": "Microsoft.Storage/storageAccounts"
  ...
}

Use the following command line to enable the setting:

> az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only true
{
  "name": "{StorageAccountName}",
  "enableHttpsTrafficOnly": true,
  "type": "Microsoft.Storage/storageAccounts"
  ...
}
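
To find every account that can still be reached without HTTPS, the per-account check above can be run over the JSON from `az storage account list`. The following is an added example, not part of the original article: the account names are constructed, and the `resourceGroup` and `customDomain` field names are assumed to match the CLI output.

```python
import json
import sys

# Constructed sample shaped like `az storage account list` output (not real accounts).
SAMPLE = json.loads("""
[
  {"name": "contosologs", "resourceGroup": "rg-prod", "enableHttpsTrafficOnly": true,  "customDomain": null},
  {"name": "contosoweb",  "resourceGroup": "rg-prod", "enableHttpsTrafficOnly": true,  "customDomain": {"name": "cdn.example.com"}},
  {"name": "legacydata",  "resourceGroup": "rg-dev",  "enableHttpsTrafficOnly": false, "customDomain": null},
  {"name": "sdkcreated",  "resourceGroup": "rg-dev"}
]
""")


def audit(accounts):
    """Return one finding per account that can still be reached without HTTPS."""
    findings = []
    for acct in accounts:
        name, group = acct["name"], acct["resourceGroup"]
        # A missing key is treated as disabled, matching the SDK default.
        enforced = acct.get("enableHttpsTrafficOnly") is True
        custom = (acct.get("customDomain") or {}).get("name")
        if not enforced:
            findings.append({
                "account": name,
                "issue": "secure transfer not required",
                "fix": f"az storage account update -g {group} -n {name} --https-only true",
            })
        elif custom:
            # The option is not applied to requests made through a custom domain name.
            findings.append({
                "account": name,
                "issue": f"custom domain {custom} is not covered by the setting",
                "fix": None,
            })
    return findings


if __name__ == "__main__":
    # Pipe in real data with: az storage account list | python audit.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    results = audit(data)
    for f in results:
        print(f"{f['account']}: {f['issue']}" + (f" -> {f['fix']}" if f["fix"] else ""))
    sys.exit(1 if results else 0)
```

The script exits with a non-zero status when any finding exists, so it can gate a scheduled compliance job.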

Next steps

Azure Storage provides a comprehensive set of security capabilities, which together enable developers to build secure applications. For more details, go to the Storage Security Guide.