Make indexer connections to Azure Storage as a trusted service
In Azure Cognitive Search, indexers that access Azure blobs can use the trusted service exception to securely access data. This mechanism offers customers who are unable to grant indexer access using IP firewall rules a simple, secure, and free alternative for accessing data in storage accounts.
Prerequisites
A search service with a system-assigned managed identity.
A storage account with the Allow trusted Microsoft services to access this storage account network option.
Content in Azure Blob Storage or Azure Data Lake Storage Gen2 (ADLS Gen2) that you want to index or enrich.
Optionally, containers or tables in Azure Storage for AI enrichment write-back operations, such as creating a knowledge store, debug session, or enrichment cache.
An Azure role assignment. A system-assigned managed identity is an Azure AD login. It needs either the Storage Blob Data Reader or the Storage Blob Data Contributor role assignment on the storage account, depending on whether write access is needed.
Note
In Cognitive Search, a trusted service connection is limited to blobs and ADLS Gen2 on Azure Storage. It's unsupported for indexer connections to Azure Table Storage and Azure File Storage.
A trusted service connection must use a system managed identity. A user-assigned managed identity isn't currently supported for this scenario.
Check service identity
On the Identity page, make sure that a system-assigned identity is enabled. Remember that user-assigned managed identities, currently in preview, won't work for a trusted service connection.
Check network settings and permissions
In the left navigation pane under Security + networking, select Networking.
On the Firewalls and virtual networks tab, allow access from Selected networks.
Scroll down to the Exceptions section.
Make sure the checkbox is selected for Allow Azure services on the trusted services list to access this storage account.
This option permits only the specific search service instance that holds an appropriate role assignment on the storage account (strong authentication) to access its data, even when the account is secured by IP firewall rules.
In the left navigation pane under Access Control, view all role assignments and make sure that Storage Blob Data Reader is assigned to the search service system identity.
Set up and test the connection
The easiest way to test the connection is by running the Import data wizard.
Start the Import data wizard, selecting Azure Blob Storage or Azure Data Lake Storage Gen2 as the data source.
Choose a connection to your storage account, and then select System-assigned. Select Next to invoke a connection. If the index schema is detected, the connection succeeded.
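The checks above can also be scripted before running the wizard. The following is an added example, not code from the Microsoft documentation: it evaluates the storage account's network rule set and the role assignments of the search service identity (in the JSON shape returned by Azure Resource Manager, with placeholder IDs constructed inline) and builds the keyless data source definition that the indexer REST API accepts for a managed identity connection.

```python
"""Preflight check for an indexer trusted-service connection (added example)."""
from typing import List, Optional

# Constructed sample input: the networkRuleSet of a storage account and the role
# assignments of the search service's system-assigned identity. IDs are placeholders.
STORAGE_ACCOUNT = {
    "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices, Logging"},
}
SEARCH_PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object ID
ROLE_ASSIGNMENTS = [
    {"principalId": SEARCH_PRINCIPAL_ID, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/<sub>/resourceGroups/<rg>"},  # inherited from the resource group
]
ALLOWED_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor"}


def trusted_services_allowed(account: dict) -> bool:
    """True when the 'Allow Azure services on the trusted services list' exception is on."""
    bypass = account.get("networkRuleSet", {}).get("bypass", "")
    return "AzureServices" in {b.strip() for b in bypass.split(",")}


def blob_role_for_identity(assignments: list, principal_id: str, account_id: str) -> Optional[str]:
    """Return the blob data role the identity holds at or above the storage account scope."""
    for a in assignments:
        in_scope = account_id.lower().startswith(a["scope"].lower())
        if a["principalId"] == principal_id and a["roleDefinitionName"] in ALLOWED_ROLES and in_scope:
            return a["roleDefinitionName"]
    return None


def preflight(account: dict, assignments: list, principal_id: str, needs_write: bool = False) -> List[str]:
    """Collect the reasons a trusted-service indexer connection would fail; empty means ready."""
    problems = []
    if not trusted_services_allowed(account):
        problems.append("storage account does not bypass the firewall for trusted Azure services")
    role = blob_role_for_identity(assignments, principal_id, account["id"])
    if role is None:
        problems.append("search identity has no Storage Blob Data Reader/Contributor role")
    elif needs_write and role != "Storage Blob Data Contributor":
        problems.append("write-back (knowledge store, cache, debug session) needs Storage Blob Data Contributor")
    return problems


def data_source_definition(name: str, account_id: str, container: str) -> dict:
    """Data source body for the indexer REST API; ResourceId= selects the managed identity, no account key."""
    return {"name": name, "type": "azureblob",
            "credentials": {"connectionString": f"ResourceId={account_id};"},
            "container": {"name": container}}
```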