andrew.fox

Reputation: 7932

Azure - Central point of connection-strings management

I have 10 web sites, a couple of web jobs and some RESTful Web APIs. All of them use the same Azure Table and the same Azure Blob Storage.

The question is: how to centralize connection string management? I would like to have one central storage of connection strings to the Table and Blob. And I would like all websites, WebApis and so on to use this connection-string repository.

On the code side I would like it to be as seamless as possible.

How can I achieve it in Azure?

Upvotes: 0

Views: 84

Answers (1)

Rick Rainey

Reputation: 11256

Take a look at Azure Key Vault. This is one of the scenarios it is intended for. Instructions to get started setting up your Key Vault are here and instructions on how to retrieve your connection strings from the vault are available here.

By using Key Vault, the web app doesn't store the connection strings. Instead, they are stored and managed in Azure Key Vault. Each web app that needs the connection string(s) will be registered as such in Azure AD and therefore have a unique Client ID and service principal that can be used to set access policies in the key vault. The web app uses a URI generated by Key Vault to retrieve the connection strings at runtime from the vault.

Note: In the reference above it mentions two ways for your web app to authenticate to Azure AD. One is to use Client ID and secret, which is easier but not really "secure". However, it does solve your problem of a single centralized place to store and manage your connection strings with little effort. The other option is to authenticate using Client ID and Certificate. Personally, I recommend the latter because it truly is more secure and the effort to set this up isn't that much.

Upvotes: 2
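
The certificate-based retrieval recommended in the answer above, as an added example that is not part of the original answer or the instructions it links to. It assumes the current Azure.Identity and Azure.Security.KeyVault.Secrets packages (not necessarily the libraries those instructions used); the environment variable names and the secret name are hypothetical placeholders.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example: one shared helper that every site, WebJob and API references.
public static class SharedConnectionStrings
{
    // Hypothetical setting names. Only non-secret identifiers live in app settings.
    private static readonly string TenantId   = Required("KV_TENANT_ID");
    private static readonly string ClientId   = Required("KV_CLIENT_ID");
    private static readonly string Thumbprint = Required("KV_CERT_THUMBPRINT");
    private static readonly Uri    VaultUri   = new Uri(Required("KV_VAULT_URI"));

    // Built on first use: authenticates to Azure AD with Client ID + certificate.
    private static readonly Lazy<SecretClient> Client = new Lazy<SecretClient>(() =>
        new SecretClient(VaultUri,
            new ClientCertificateCredential(TenantId, ClientId, LoadCertificate(Thumbprint))));

    // Cached per process so the vault is not called on every request.
    // A rotated secret is picked up only after the process restarts.
    private static readonly ConcurrentDictionary<string, string> Cache =
        new ConcurrentDictionary<string, string>();

    public static string Get(string secretName) =>
        Cache.GetOrAdd(secretName, name => Client.Value.GetSecret(name).Value.Value);

    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate " + thumbprint + " not found in CurrentUser\\My.");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key, so it cannot authenticate.");
            return found[0];
        }
    }

    private static string Required(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException("Missing app setting: " + name);
}

// Usage (the secret name is a placeholder):
// var storage = SharedConnectionStrings.Get("StorageConnectionString");
```

Each app's service principal needs only read ("get") permission on secrets in the vault's access policy, so a compromised site cannot change or enumerate what the others use.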
