It is really quite simple to\u00a0lock the SAS-Token to a certain ip range. You just use one of the overlapped methods of GetSharedAccessSignature that takes the IPAddressOrRange object as the last parameter. The IPAddressOrRange takes a from-to addres range, which means you have to specify it as 11.22.33.41 and 11.22.33.49 if that is the range you want.<\/p>\n
The generated url must be passed on and perhaps stored in a config file in the sending application.<\/p>\n Using the SAS-token to upload files<\/strong><\/p>\n Since you only have a SAS-Token for a Container and not the key to the Storage Account, you have to work directly with the Container when you upload files. The code to upload a file is really just a few lines. The SAS-Token is read from the config file and we grab access to the Container using it. The GetBlockBlobReference names the blob and gives us a reference to where we would like to upload it to.<\/p>\n If you try to do this from an ip address that is not in the allowed range, the upload will fail with a HTTP 403 Forbidden status code.<\/p>\n Summary<\/strong><\/p>\n This technique is publically documented but\u00a0yet suprisingly many people I’ve met do not know it and therefor say that you can’t limit who can upload files to an Azure Storage Container. Generating a SAS-Token with the IPAddressOrRange specifies may be just what you are looking for since it retricts access to ip addresses.<\/p>\n References<\/strong><\/p>\n MSDN Documentation for GetSharedAccessSignature![\"SAS-Tokens-2-Generate\"](\"https:\/\/blog.redbaronofazure.com\/wp-content\/uploads\/2016\/02\/SAS-Tokens-2-Generate.png\")
<\/a>In the above example, the SAS-Token is generated on the Container level with permission to Write for a certain amount of time, so that the sending application can upload files to this container.<\/p>\n<\/a><\/p>\n
\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/azure\/mt616570.aspx<\/a><\/p>\n