
Azure Blob Storage

This document describes how to securely connect a Ververica Cloud workspace to Azure Blob Storage using a private connection.

The procedure uses a User-Assigned Managed Identity (UAMI) with a Federated Credential, which enables Azure AD Workload Identity. This pattern allows the Ververica Cloud to authenticate to Azure without using client secrets or other stored credentials.

Prerequisites

Before you begin, ensure you have the following:

  • An active Azure subscription where you can create resources. The Microsoft.Storage and Microsoft.Network resource providers must be registered.
  • An existing resource group to deploy the resources into.
  • Permissions in Azure to create Storage Accounts, User-Assigned Managed Identities, and create and assign custom RBAC roles at the subscription scope (e.g., Owner or User Access Administrator).
  • Access to your Ververica Cloud workspace to retrieve identity provider values and create the final connection.
  • Azure resources in the same region as your Ververica Cloud workspace's data plane. Private Link is regional; it cannot span Azure regions.

Phase 1: Provision Core Azure Resources

First, create the storage account and the managed identity that will act on behalf of your Ververica workload.

Step 1: Create a Storage Account

  1. In the Azure Portal, navigate to Storage accounts and click + Create.

  2. On the Basics tab, fill in the required details:

    • Subscription: Select your target subscription.
    • Resource group: Choose the appropriate resource group.
    • Storage account name: Enter a globally unique, lowercase name (e.g., vvcprodstor).
    • Region: Select the Azure region for your account.
    • Performance: Choose Standard for most scenarios or Premium for low-latency workloads.
    • Redundancy: Select a redundancy option appropriate for your availability needs (e.g., GRS).
  3. Proceed through the tabs to Review and click Create.

Step 2: Create a User-Assigned Managed Identity (UAMI)

Info: To configure multiple private connections (for Event Hubs, Blob, etc.), you must reuse the same UAMI for every Azure resource.

  1. In the Azure Portal, search for and select Managed Identities.

  2. Click + Create.

  3. On the Basics tab, provide the following details:

    • Subscription: Select the same subscription used for your storage account.
    • Resource group: Select the same resource group.
    • Region: Select the same region.
    • Name: Provide a descriptive name for the identity (e.g., vvc-blob-connector-uami).
  4. Click Review + create, then Create.

Phase 2: Configure Permissions and Trust

For Blob Storage, a custom role is required to grant the precise permissions needed to manage private endpoints and access blob data, without granting excessive privileges.

Step 3: Create a Custom RBAC Role

  1. In the Azure Portal, navigate to Subscriptions and select your subscription.

  2. Go to Access control (IAM) -> + Add -> Add custom role.

  3. On the Basics tab, give the role a Custom role name (e.g., Ververica Private Endpoint and Blob Data).

  4. Go to the JSON tab and click Edit.

  5. Replace the entire "permissions" array with the following JSON block. This provides the minimum permissions required for managing the private endpoint connection and reading/writing blob data.

    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/privateEndpointConnections/read",
          "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
          "Microsoft.Storage/storageAccounts/privateEndpointConnections/delete"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
        ],
        "notDataActions": []
      }
    ]
  6. Click Save, then proceed to Review + create, and finally Create the custom role.
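The role above is deliberately narrow: three control-plane actions for the private endpoint connection and three data-plane actions on blobs, nothing else. Roles tend to drift wider over time (a wildcard added "temporarily", a scope widened to the root management group), so it is worth being able to check a role definition mechanically before it is saved or during a later access review. The script below is an added example, not part of this page or of any Azure tooling; it constructs a full role-definition document in the shape the portal's JSON tab shows (the subscription ID is a placeholder) and lints it against the permission set the page specifies. It also flags `Microsoft.Storage/storageAccounts/listKeys/action`, because handing out the shared keys would undo the whole point of the secret-free identity design.

```python
"""Least-privilege lint for the custom RBAC role used by the Ververica private
connection. Added example; not part of the page or of Azure's tooling."""
import json

# Exact permission set the page specifies for the custom role.
EXPECTED_ACTIONS = {
    "Microsoft.Storage/storageAccounts/privateEndpointConnections/read",
    "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
    "Microsoft.Storage/storageAccounts/privateEndpointConnections/delete",
}
EXPECTED_DATA_ACTIONS = {
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
}
# Shared-key retrieval would bypass identity-based access entirely.
FORBIDDEN_ACTIONS = {"Microsoft.Storage/storageAccounts/listKeys/action"}


def role_definition(actions, data_actions, scopes):
    """Build a role-definition document in the portal's JSON-tab shape.
    The subscription ID in the default scope is a placeholder."""
    return json.dumps({
        "properties": {
            "roleName": "Ververica Private Endpoint and Blob Data",
            "description": "Manage private endpoint connections and blob data",
            "assignableScopes": scopes,
            "permissions": [{
                "actions": sorted(actions),
                "notActions": [],
                "dataActions": sorted(data_actions),
                "notDataActions": [],
            }],
        }
    }, indent=2)


# Constructed: the role exactly as the page describes it.
EXPECTED_ROLE_JSON = role_definition(
    EXPECTED_ACTIONS, EXPECTED_DATA_ACTIONS, ["/subscriptions/<SUBSCRIPTION_ID>"])


def _check_entries(entries, allowed, kind, findings):
    """Flag wildcards, forbidden entries and anything outside the allowlist."""
    for entry in entries:
        if "*" in entry:
            findings.append(f"wildcard {kind}: {entry}")
        elif entry in FORBIDDEN_ACTIONS:
            findings.append(f"forbidden {kind}: {entry}")
        elif entry not in allowed:
            findings.append(f"unexpected {kind}: {entry}")


def lint_role(role_json: str) -> list:
    """Return a list of findings; an empty list means the role matches the
    page's least-privilege definition and is scoped to a subscription."""
    findings = []
    props = json.loads(role_json)["properties"]
    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("no assignableScopes set")
    for scope in scopes:
        # Root ("/") and management-group scopes make the role assignable far
        # beyond the subscription this connection lives in.
        if not scope.startswith("/subscriptions/"):
            findings.append(f"scope not subscription-scoped: {scope}")
    for perm in props.get("permissions", []):
        _check_entries(perm.get("actions", []), EXPECTED_ACTIONS, "action", findings)
        _check_entries(perm.get("dataActions", []), EXPECTED_DATA_ACTIONS,
                       "dataAction", findings)
    return findings


def overbroad_example() -> str:
    """Constructed counter-example: what a drifted role often looks like."""
    return role_definition(
        ["Microsoft.Storage/*"],
        ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
        ["/"])


if __name__ == "__main__":
    print("expected role:", lint_role(EXPECTED_ROLE_JSON) or "clean")
    print("overbroad role:", lint_role(overbroad_example()))
```

Run it on the JSON you are about to paste into the portal, or export existing role definitions and run them through `lint_role` as part of a periodic review; any finding means the role no longer matches the six permissions this procedure requires.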

Step 4: Assign the Custom Role to the UAMI

  1. Navigate to your Storage Account's Access Control (IAM) page.
  2. Click + Add -> Add role assignment.
  3. In the list of roles, find and select the custom role you just created (Ververica Private Endpoint and Blob Data).
  4. On the Members tab, select Managed identity and click + Select members.
  5. Find and select the UAMI created in Step 2.
  6. Click Review + assign to apply the role assignment.

Step 5: Create the Federated Credential

This step establishes the trust relationship between the UAMI in Azure and the Ververica Cloud service account.

  1. In your Ververica Cloud workspace, go to Configurations -> Private Connections.

  2. Under Connection Details, copy the Cluster Issuer URL, Namespace, and Service Account values.

  3. In the Azure Portal, navigate to your Managed Identity.

  4. Select Settings -> Federated credentials from the left menu and click + Add Credential.

  5. For the Federated credential scenario, select Kubernetes accessing Azure resources.

  6. Paste the values from Ververica Cloud into the corresponding fields:

    • Cluster issuer URL: Cluster Issuer URL value
    • Namespace: Namespace value
    • Service account name: Service Account value
  7. Give the credential a descriptive Name (e.g., vvc-blob-federation) and click Add.
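What the portal's "Kubernetes accessing Azure resources" scenario builds from the three pasted values is a federated identity credential with an issuer, a subject of the form `system:serviceaccount:<namespace>:<service account>`, and the audience `api://AzureADTokenExchange`; when the Ververica workload later presents its Kubernetes service-account token, Entra ID accepts it only if the token's `iss`, `sub` and `aud` claims match those three fields exactly. The script below is an added example, not Ververica's or Azure's code, that reproduces that construction and the exact-match check, with constructed issuer, namespace, service-account and token-claim values. It shows why a token from a different namespace (or an issuer URL that differs by a trailing slash) is rejected, which is the property that keeps this identity usable only by your workspace's service account.

```python
"""Federated credential construction and the exact-match check Entra ID
applies to workload tokens. Added example; not Ververica's or Azure's code."""

# Audience Entra ID expects for the Kubernetes federated-credential scenario.
AUDIENCE = "api://AzureADTokenExchange"


def federated_credential(issuer: str, namespace: str, service_account: str) -> dict:
    """Build the credential that Step 5 creates from the three values copied
    from Ververica Cloud. Only surrounding whitespace is stripped from the
    issuer: Entra ID compares it byte-for-byte with the token's iss claim, so
    it must not be otherwise normalised."""
    issuer = issuer.strip()
    if not issuer.startswith("https://"):
        raise ValueError("cluster issuer URL must be an https URL")
    if not namespace or not service_account:
        raise ValueError("namespace and service account are required")
    return {
        "issuer": issuer,
        "subject": f"system:serviceaccount:{namespace}:{service_account}",
        "audiences": [AUDIENCE],
    }


def token_matches(claims: dict, credential: dict) -> bool:
    """Mirror the trust check: iss and sub must match exactly and at least one
    aud value must be in the credential's audience list."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == credential["issuer"]
        and claims.get("sub") == credential["subject"]
        and any(a in credential["audiences"] for a in audiences)
    )


# Constructed values standing in for what the Ververica UI displays.
ISSUER = "https://oidc.example-cluster.invalid/issuer"
NAMESPACE = "vvc-workspace-0000"
SERVICE_ACCOUNT = "flink-workload"

CREDENTIAL = federated_credential(ISSUER, NAMESPACE, SERVICE_ACCOUNT)

# Constructed token claims: one from the expected service account, one from a
# different namespace, one with a subtly different issuer.
GOOD_CLAIMS = {"iss": ISSUER, "sub": f"system:serviceaccount:{NAMESPACE}:{SERVICE_ACCOUNT}",
               "aud": [AUDIENCE]}
OTHER_NAMESPACE_CLAIMS = {"iss": ISSUER,
                          "sub": f"system:serviceaccount:other-tenant:{SERVICE_ACCOUNT}",
                          "aud": [AUDIENCE]}
TRAILING_SLASH_CLAIMS = {"iss": ISSUER + "/", "sub": GOOD_CLAIMS["sub"], "aud": AUDIENCE}


if __name__ == "__main__":
    print("credential:", CREDENTIAL)
    print("expected workload accepted:", token_matches(GOOD_CLAIMS, CREDENTIAL))
    print("other namespace accepted:", token_matches(OTHER_NAMESPACE_CLAIMS, CREDENTIAL))
    print("trailing-slash issuer accepted:", token_matches(TRAILING_SLASH_CLAIMS, CREDENTIAL))
```

If the connection stays in an error state after Step 7, comparing the three credential fields against the values shown in Ververica Cloud, including the exact issuer URL, is the first thing to check; a single-character difference in any of them means no token will ever be accepted.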

Phase 3: Finalize in Ververica Cloud

Complete the setup by registering the identity in Ververica and creating the connection object.

Step 6: Register the Azure Identity in Ververica

  1. In the Azure Portal, open your UAMI and go to its Settings -> Properties page.
  2. Copy the Client ID and Tenant ID.
  3. In Ververica Cloud (Configurations -> Private Connections), paste the IDs into the Azure Identity Provider Client ID and Current Azure Identity Provider Tenant ID fields.
  4. Click Save. The status should become Ready.

Step 7: Create the Private Connection

  1. In the Ververica Cloud Private Connections tab, click + New Private Connection.

  2. Configure the details:

    • Connector Type: Select Azure Blob Storage.
    • Connection Name: Enter a name (e.g., blob-storage-connection).
    • Service Name: Paste the Resource ID of your Storage Account.
      • To find the Resource ID: In the Azure Portal, go to your Storage Account's JSON View on the Overview page and copy the id value.
  3. Click Save. After a brief period, the status should update to Created.

Step 8: Verify the Connection in Azure

Finally, confirm that the private endpoint was automatically created and approved in your storage account.

  1. Navigate to your Storage Account in the Azure Portal.
  2. From the left menu, select Networking.
  3. Click the Private endpoint connections tab.
  4. You should see a new private endpoint in the list with a Connection state of Approved. This confirms the secure connection is active.