Public IP and Storage Account Key considerations
Bsure has thoroughly evaluated various alternatives to avoid using a storage account key or public IP. While more advanced configurations are technically possible using several Azure components configured by the customers themselves, we found that they would introduce significant complexity and cost.
With the way the Bsure setup is done, using a public IP and a storage account key carries low risk.
Both the data collector and Power BI Service need access to the storage account. Power BI Service is the most complex to connect to a storage account.
🔐 Why public IP is usually used:
Power BI Service (which runs in Microsoft's cloud) accesses data sources like Azure Storage over the internet by default. The easiest way to enable this is to allow access via public IP — which is what most built-in connectors (like Azure Blob, ADLS Gen2) are designed to use.
✅ To avoid public IP:
You’d need to:
Use Private Endpoint on the Storage Account.
Connect Power BI to the Storage Account via a VNet (Virtual Network).
Set up a Data Gateway that resides in that VNet and can route traffic internally.
Ensure that network rules on the Storage Account deny public access and only allow traffic from the private endpoint.
But here’s the catch:
🔄 Power BI Service does not support VNets or Private Endpoints directly.
So, you must use an on-premises Data Gateway (hosted either in a VM in Azure within a VNet, or on-premises) as an intermediary.
There is a possibility to , but this option requires a Power BI Premium capacity license (A4 SKU or higher or any P SKU) or a Fabric license (any SKU).
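To check which of the two setups a storage account is actually in, here is an added example (not Bsure's code) that reads JSON in the shape printed by `az storage account show` and reports the network posture. The sample accounts, the IP range and the posture labels are constructed for this example; in the key-based setup described on this page, the shared-key finding is expected.

```python
import json

# Constructed samples shaped like `az storage account show` output (trimmed).
# Account names and the IP range are invented for this example.
ACCOUNTS = json.loads("""
[
  {"name": "stpublickey", "publicNetworkAccess": "Enabled", "allowSharedKeyAccess": null,
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
   "privateEndpointConnections": []},
  {"name": "stfirewalled", "publicNetworkAccess": "Enabled", "allowSharedKeyAccess": true,
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
                      "virtualNetworkRules": []},
   "privateEndpointConnections": []},
  {"name": "stprivate", "publicNetworkAccess": "Disabled", "allowSharedKeyAccess": false,
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
   "privateEndpointConnections": [
     {"privateLinkServiceConnectionState": {"status": "Approved"}}]}
]
""")


def audit_storage_network(account):
    """Classify one account's network posture and list what stays exposed."""
    rules = account.get("networkRuleSet") or {}
    # Azure treats an unset publicNetworkAccess / allowSharedKeyAccess as enabled.
    public = account.get("publicNetworkAccess") != "Disabled"
    default_allow = rules.get("defaultAction", "Allow") == "Allow"
    approved = [c for c in account.get("privateEndpointConnections") or []
                if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
    findings = []
    if public and default_allow:
        posture = "public-open"
        findings.append("public endpoint accepts traffic from any network")
    elif public:
        posture = "public-restricted"
        n = len(rules.get("ipRules") or []) + len(rules.get("virtualNetworkRules") or [])
        findings.append(f"public endpoint limited to {n} firewall rule(s)")
    elif approved:
        posture = "private-only"
    else:
        posture = "unreachable"
        findings.append("public access disabled and no approved private endpoint")
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("account key (shared key) authorization is allowed")
    return posture, findings


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["name"], *audit_storage_network(acct), sep=" | ")
```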
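| Feature | Public IP + storage account key | Private Endpoint + Data Gateway |
| --- | --- | --- |
| ✅ Simplicity | ✅ Yes | ❌ Complex |
| 🔁 Automation Support | ✅ Yes | ❌ Limited |
| 💸 Cost | ✅ Low | ❌ High (requires extra Azure resources) |
| 🔐 Security | ✅ Secure with managed identity & key vault | ✅ Very secure |
| ⚙️ Governance | ✅ Enforced via Key Vault | ✅ Enforced via VNet policies |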
While it's generally recommended to avoid using a public IP and storage account key due to governance and key management considerations, Bsure Insights has implemented a secure and well-governed setup to mitigate these concerns.
Here’s how it works:
A dedicated Storage Account is created specifically by each customer.
The storage account key is provided once during the installation of Bsure Insights and is immediately stored in a secure Azure Key Vault. NB: If the storage account keys are rotated, Bsure Insights will stop working and a complete reinstallation is then required.
Neither the customer nor Bsure has access to this key in the Bsure Insights key vault—only a dedicated Managed Identity, used by the Bsure Insights application, has access.
When the Power BI app is installed, the key is entered once during setup and is not needed again.
The app is then shared internally with your organization’s users, and access is controlled by your existing Microsoft Entra ID (formerly Azure AD) mechanisms.
In other words, the key is protected from exposure, and Bsure Insights is built to ensure that it remains secure throughout the lifecycle of the solution.
While using a storage account key does require careful handling, our approach minimizes risk by combining secure key management with strict access controls. This allows us to deliver a secure, cost-effective, and fully automated setup without compromising on governance or compliance.
For more details on our approach to security and privacy, please refer to our documentation: