Where is the Storage Coming From?

It comes from containers already running on Azure. When you click on the Azure Cloud Shell icon, your cloud shell connects to one of many containers nearest to your location.

These containers are already provisioned and are ready to serve a cloud shell session.

You get a home drive on these containers ($home). From your shell you'll notice two folders present there:

  • .cloudconsole is for bash files, and
  • .pscloudshell is to persist your PowerShell files and modules

cd $home\clouddrive

# this is where all PS modules live
dir .\.pscloudshell\WindowsPowerShell\Modules

Creating the initial storage account using PowerShell

$param = @{
    ResourceGroupName = 'test-cloud-shell-storage'
    # storage account names must be 3-24 characters, lowercase letters and digits only
    Name = 'newteststorageaccount'
    SkuName = 'Standard_LRS'
    Location = 'south central us'
}
New-AzureRmStorageAccount @param -Verbose

Dismount-CloudDrive -Force -Verbose

Figuring out which File Share and Storage Account Azure is using

First read the docs 🙂.

The DF command
PS /home/myusename> df

Mapping your LOCAL drive to the Azure File Share

You could additionally map your local drive to Azure's file storage to facilitate uploading of local artifacts.

Cloud Shell in Azure allows you to map your local workstation drive to transfer files to Azure.

Azure will kindly provide you with the PowerShell script to map your local drive, using the Get-PSDrive cmdlet in PowerShell. However, you will most likely encounter the 'The specified network name is no longer available...' error.

To get around this error (i.e. to successfully map a local drive to the Azure file share):

  1. You may have to disable antivirus
  2. You need to enable SMB file sharing (from 'Turn Windows Features on / off'), and specifically SMB 1.0, which has known security holes.
  3. Enable the Computer Browser, Server and Workstation services

With these steps, I was able to surmount the 'the specified network name is no longer available' error and get a local drive mounted on the same file share that cloud shell was using. But I basically left my local workstation in a vulnerable state (disabled antivirus, enabled SMB 1.0 sharing).
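The following audit script is an added example, not part of the original post: it reports whether a Windows workstation is still in the weakened state the steps above produce (SMB 1.0 enabled, Computer Browser running, antivirus real-time protection off) and can revert the SMB and service changes. It assumes an elevated PowerShell prompt, Microsoft Defender as the antivirus, and the public-cloud endpoint `<account>.file.core.windows.net`; the `-StorageAccount` and `-Revert` parameters are hypothetical names chosen for this example.

```powershell
# Added example: audit (and optionally revert) the workstation changes made to map the drive.
param(
    [Parameter(Mandatory)][string]$StorageAccount,  # your own account name (not given on the page)
    [switch]$Revert                                  # hypothetical switch: undo SMB1 / Browser changes
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $State, [bool]$Risky) {
    $findings.Add([pscustomobject]@{ Check = $Check; State = "$State"; Risky = $Risky })
}

# Step 2 of the list: the SMB 1.0 optional feature and the SMB server setting
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Add-Finding 'SMB1Protocol Windows feature' $smb1.State ($smb1.State -eq 'Enabled')
$srv = Get-SmbServerConfiguration
Add-Finding 'SMB server accepts SMB1' $srv.EnableSMB1Protocol ([bool]$srv.EnableSMB1Protocol)

# Step 3 of the list: Computer Browser (service name 'Browser'); may not exist on newer builds
$browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
if ($browser) { Add-Finding 'Computer Browser service' $browser.Status ($browser.Status -eq 'Running') }
else          { Add-Finding 'Computer Browser service' 'Not installed' $false }

# Step 1 of the list: antivirus (only Defender is checked here)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) { Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled (-not $mp.RealTimeProtectionEnabled) }
else     { Add-Finding 'Defender real-time protection' 'Unknown (check your AV console)' $true }

# Connectivity: can this machine reach the file endpoint on TCP 445 at all?
$tcp = Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445 -WarningAction SilentlyContinue
Add-Finding 'Outbound TCP 445 to file endpoint' $tcp.TcpTestSucceeded (-not $tcp.TcpTestSucceeded)

$findings | Format-Table -AutoSize

# SMB dialect negotiated by each open connection (shows what the mapped drive really uses)
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect | Format-Table -AutoSize

if ($Revert) {
    # Put SMB1 and the Browser service back to a disabled state; re-enable AV from its own console
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($browser) {
        Stop-Service -Name Browser -Force
        Set-Service -Name Browser -StartupType Disabled
    }
    Write-Host 'SMB1 and Computer Browser disabled; a restart may be required.'
}
```

Any row with `Risky = True` after you have finished transferring files is a setting still left open on the workstation.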

Summary - Azure Cloud Shell Security

The storage comes from a set of predefined storage accounts (containerized storage) that Azure has deployed in a geo-available manner. Azure automatically picks one of these for you, and that should be the end of the story: you should be able to use these Azure-hosted storage accounts for your cloud shell.

You could additionally map your local drive to Azure's file storage to facilitate uploading of local artifacts.

This, however, comes with a set of security risks as outlined above. Note that GCP accomplishes the same thing (cloud shell) by launching an entire lightweight VM as part of its cloud shell. All with a built-in code editor. And no security loopholes.
