Azure Storage Preconditions

This page provides the information required to provision your Azure Storage Services for use by Luware Recording.

SUBJECT TO CHANGE

Please note that this is an evolving service, with specifications subject to change in future. This document will be maintained to reflect any future specification changes that pertain to its sections (i.e. changes Microsoft makes to the Azure Storage Services specification).

Overview

This section assumes that you are familiar with the concepts of Azure Storage account services. Luware Recording requires that you create your own Azure Storage Account for the storage of your captured conversations.

You will set up the required Azure Storage Account and container using the guidance in this document. Luware will connect to the Azure Storage Account using a Private Endpoint connection and securely upload captured conversations in an encrypted format.

This document provides the guidance required to set up the Storage Account, connectivity and encryption needed to enable Luware Recording.

Azure Storage Account Responsibility

It is the customer's or partner's responsibility to ensure the Azure Storage Account is correctly configured. Luware therefore recommends that customers or partners review the configuration and security settings at creation and regularly thereafter to ensure data privacy and security.

Supported Azure Storage Targets

Luware recommends Azure Storage with Blob containers for low-cost, secure storage with version-level immutability (locked files). File storage targets are supported for customers capturing conversations for quality purposes.

Multiple Storage Accounts

Customers requiring multiple storage accounts, for example in different regions, will require an additional add-on from Luware Recording. Multiple containers on the same Storage Account are available in specific Solution Packages.

Connectivity Overview

Luware recommends Azure Private Endpoints for connectivity between the Luware Recording platform and the customer's Azure Storage Account. This method of connectivity uses a dedicated private IP address to communicate with your Azure Storage Account over the Microsoft network. Public IP routing is not used, so the data does not traverse the public internet.

Luware will create and operate the private endpoint connection from Luware Recording to your Azure Storage Account. You must provide the Resource ID of the created Azure Storage Account so that Luware can create the private endpoint connection. After creation, you will be asked to approve the private endpoint connection.

Multi-Tenant Germany

NOTE

Please note that while this connectivity provides a more secure connection to your Azure Storage accounts, it will not provide any resiliency in the event that the Azure region Germany West Central experiences a failure.

Luware Recording Germany is deployed into Germany West Central and Germany North.

The Luware Recording services in Germany North will cache the recordings until Germany West Central is back online, at which point the recordings will be uploaded to the customer's Azure Storage Account via the private endpoint in Germany West Central.

Please see the supported regions for Private Link services from Microsoft:

Azure Products by Region | Microsoft Azure

Multi-Tenant Switzerland

NOTE

Please note that while this connectivity provides a more secure connection to customers' Azure Storage accounts, it will not provide any resiliency in the event that the Azure region Switzerland North experiences a failure.

Luware Recording is deployed into Switzerland North and Switzerland West.

The Luware Recording services in Switzerland West will cache the recordings until Switzerland North is back online, at which point the recordings will be uploaded to the customer's Azure Storage Account via the Private Endpoint in Switzerland North.

Please see the supported regions for Private Link services from Microsoft:

Azure Products by Region | Microsoft Azure

There is no need to configure firewall Access Control Lists for Luware Recording IP addresses and/or VNets on the customer's Azure Storage Account. However, it is recommended to restrict access.

The private endpoint uses an IP address from the dedicated Private Endpoint Luware Recording VNet address space. Network traffic between the Luware Recording VNet and your storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

🔍 Also see Azure Storage Private Endpoints.

Storage Account Creation

Luware recommends that the following sequence be used to create the Azure Storage Account and configure it within Luware Recording:

  1. Create or use an existing Subscription for the Storage Account.
  2. Enable Private Endpoint resources for the subscription.
  3. Create or use an existing Resource Group for the Storage Account.
  4. Create the Storage Account.
  5. Create the Storage Account container.
  6. Provide Luware with the Storage Account details.
  7. Securely input the Shared Access Key on Luware Recording.
  8. Accept the private endpoint connection request.
  9. Generate a certificate for encryption and signing.
  10. Share the certificate securely with Luware.

1. Subscription

An Azure subscription is required to create an Azure Storage Account. A subscription is a container used to provision resources in Azure. It holds the details of all your resources, such as the resource group and Azure Storage Account. When you create an Azure resource like a Storage Account, you identify the subscription it belongs to. As you use the Storage Account, its usage is aggregated and billed monthly.

For guidance with creating an Azure subscription, contact your Azure specialist.

2. Enable Private Endpoint Network Resources

To allow Luware to connect a Private Endpoint to your Azure Storage Account, the Microsoft.Network resource provider must first be registered in the customer's Azure subscription. Follow the steps below to enable private endpoint connectivity.

  1. Log in to the Azure Portal.
  2. Search for Subscriptions and select it from the drop-down.
  3. Click the Subscription to be used for the Storage Account.
  4. On the navigation pane on the left, click Settings, then click Resource Providers.
  5. Find the resource provider "Microsoft.Network".
  6. Click Register.

3. Resource Group

An Azure Resource Group is required to create an Azure Storage Account. A resource group is a container that holds related resources for an Azure solution. The resource group would usually include only the Luware Recording storage account, as we recommend splitting resources per solution.

You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. For guidance with creating a resource group, contact your Azure specialist.

4. Create an Azure Storage Account

The following sections provide guidance on how to create the Azure Storage Account. For any Azure Storage-specific queries not covered in the following sections, we recommend you contact your Azure specialists for assistance.

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Click Create.
  4. Follow the guidance below for configuration.

Basics

This section refers to the input values requested by the Azure Portal for the initial creation of the Azure Storage Account.

Project Details

Field | Options
Subscription | Customer selects the Azure Subscription
Resource Group | Customer selects the resource group

Instance Details

Field | Options
Storage Account Name | Customer selects a name for the Storage Account
Region | Customer selects the region where data will be stored.
Primary Service | Azure Blob Storage or Azure Data Lake Storage Gen 2
Performance | Standard (Recommended)*, Premium
Redundancy | LRS: Locally Redundant Storage (Low Cost). GRS: Geo-Redundant Storage (Recommended)**
Make Read Access to data available | Enabled***

* The Luware Recording application supports the Standard performance level. If Premium is selected, only Block Blobs are supported.

** Geo-Redundant Storage creates a read-only copy in a paired Azure region, providing additional resiliency in case of data loss in an Azure region. Luware recommends that compliance data is stored in a GRS-enabled Azure Storage Account.

*** Luware Recording will not be able to utilize the read-only GRS region in the event of a regional outage, as the private endpoint connectivity is only available in the primary region.

Advanced

Security

Luware recommends you review security options with your internal Azure security teams.

Field | Options
Require secure transfer for REST API operations | Enabled
Allow enabling anonymous access on individual containers | Disabled
Enable Storage Account Access Key | Enabled
Default to Azure Active Directory authorization in the Azure Portal | Disabled
Minimum TLS Version | Version 1.2
Permitted scope for copy operations (Preview) | From storage accounts in the same Microsoft Entra Tenant (Recommended)*

* It is recommended to limit copy operations to storage accounts within the same Microsoft Entra tenant. This option does not impact Luware Recording.

Hierarchical Namespace

Field | Options
Enable hierarchical namespace | Disabled

Blob Storage

The access tier selection is the customer's choice, based on how the Luware Recording platform will be utilized. For example, if data is captured but not regularly played back, exported or accessed via APIs over a period of 12 months, you can reduce cost by moving it to cold storage.

  • Hot: Optimized for frequently accessed data. Storage cost is high, but access, write and modification costs are lower.
  • Cool: Optimized for infrequently accessed data and backup scenarios. Costs are balanced between storage and reads, writes and modifications.
  • Cold: Optimized for rarely accessed data and backup scenarios. The cost of storing data is low; however, the cost of reads, writes and modifications is high.

Luware recommends reviewing the Azure Cost Calculator to select the default access tier. In most customer use cases, the Cold access tier provides the lowest Microsoft pricing. Luware recommends that customers review the Azure Cost Analysis portal regularly to find potential cost savings by changing the default access tier.

To estimate the Azure Storage costs before building the storage account, see our Storage Capacity article.

Field | Options
Allow cross-tenant replication | Disabled
Access Tier | Hot, Cool or Cold (Recommended)

🔍 Also see Blob Storage Tiers.

Azure Files

Field | Options
Enable large file shares | Enabled (Default)

Networking

Network Connectivity

Public Access to Storage Accounts

Do not use Public Access on Azure Storage Accounts, as the storage account would be accessible from the public internet.

Field | Options
Network Access | Disable public access and use private access*

* When disabling Public Network Access to the Azure Storage Account, you will not have access to the blobs within the container. If you require access to the blobs, you must either enable access from selected virtual networks and IP addresses or create your own Private Endpoint connection to the storage account. Luware does not recommend enabling public access.

Network Routing

Field | Options
Routing Preference | Microsoft network routing

Data Protection

Recovery

Luware Recording does not require any of the recovery options for accidental or erroneous deletion or modification. However, if you are not confident in setting up Role-Based Access Control to prevent destructive actions on the storage account, soft delete for containers should be enabled at a minimum. Enabling these features does have a significant cost impact.

Field | Options
Enable point-in-time restore for containers | Disabled
Enable soft delete for blobs | Disabled
Enable soft delete for containers | Disabled*
Enable soft delete for file shares | Disabled

* Enabling soft delete for containers protects against accidental deletion or modification of the container where captured recordings will be stored. This can be set to Enabled with 30 days' retention to guard against accidental deletion. Luware recommends using the immutability settings configured below, which protect against accidental deletion of versions, files and containers.

Tracking

Version-level immutability support, also known as file-level retention, provides Write Once Read Many (WORM) storage, also called Non-Erasable Non-Rewriteable (NENR), for the storage account and its files. To enable it, Luware recommends enabling both Versioning for Blobs and Version-Level Immutability Support. The Version-Level Immutability Support feature provides additional protection for your files by leveraging Azure's retention policies. Here is what happens when the checkbox to enable this feature is selected:

  • File Locking: When enabled, Luware Recording will lock the uploaded file versions on Azure by applying the retention period configured within the Luware Recording upload policy.
  • Retention Period: During the retention period, the locked version of the file:
    • Cannot be deleted or modified, even by an Azure Admin.
    • Remains immutable until the retention period expires.
    • Retention cannot be reduced but can be increased using a Luware Recording policy.

This ensures that your files are protected against accidental or intentional deletion.

Important Note: Once a file version is locked, it cannot be edited or removed, and its retention cannot be reduced until the specified retention period ends. Ensure you understand the implications before enabling this feature, as even administrators cannot override the immutability during the retention period.

For more detailed information on Azure's retention policies and immutability, refer to the official Microsoft documentation.

Field | For Quality Recording | For Compliance Recording
Enable versioning for blobs | Optional* | Enabled
Enable version-level immutability support | Optional* | Enabled

* Customers that capture records for quality purposes and need to delete captured files due to data privacy regulations such as GDPR can leave these options disabled. Compliance recording customers that need WORM/NENR storage locations MUST enable these options; the database records can still be deleted on request, but the files cannot be removed until the retention end date has been reached.

Encryption

Data in the Azure Storage account is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is enabled for all storage accounts. Azure Storage encryption cannot be disabled. 

Field | Value
Encryption type | Microsoft-managed key (MMK) (Recommended), Customer Managed Keys*
Enable support for customer-managed keys | Blobs and files only
Enable infrastructure encryption | Enabled (Recommended), Disabled

* Contact your internal Azure specialists for setting up customer managed keys.

Tags

Tags are metadata elements that you apply to your Azure resources. They're key-value pairs that help you identify resources based on settings that are relevant to your organization. 

For guidance with creating tags relevant to your organization contact your internal Azure specialist. 

Review and Create

Review the configuration created in the previous sections. It is recommended to do this with your internal Azure specialist to ensure data privacy and security. Click Create to build the Azure Storage Account; this process usually takes less than one minute.
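As an added check that is not Luware's or Microsoft's code, the following Python script audits the JSON printed by `az storage account show -n <name> -g <rg> -o json` against the settings recommended in the Basics, Advanced, Networking, Data Protection and Encryption sections above; the embedded SAMPLE_ACCOUNT is a constructed stand-in for that output and its account name is a placeholder.

```python
"""Audit `az storage account show -n <name> -g <rg> -o json` output against the
settings recommended in the sections above. Added example, not Luware's code."""
import json
import sys

# Constructed sample shaped like `az storage account show` output (camelCase ARM
# property names) for an account created as recommended above; not a real account.
SAMPLE_ACCOUNT = {
    "name": "stluwarerecording",  # placeholder name
    "kind": "StorageV2",
    "sku": {"name": "Standard_RAGRS"},  # GRS with read access enabled
    "accessTier": "Cold",
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": None,  # ARM reports null when left at its default (true)
    "allowCrossTenantReplication": False,
    "isHnsEnabled": False,
    "publicNetworkAccess": "Disabled",
    "routingPreference": {"routingChoice": "MicrosoftRouting"},
    "encryption": {"requireInfrastructureEncryption": True},
    "immutableStorageWithVersioning": {"enabled": True},
}

def _get(obj, path, default=None):
    """Walk a dotted key path through nested dicts; a missing or null key yields default."""
    for key in path.split("."):
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj

# (dotted path, expected value, value assumed when the field is null, finding text)
CHECKS = [
    ("enableHttpsTrafficOnly", True, None, "Secure transfer (HTTPS only) not required"),
    ("minimumTlsVersion", "TLS1_2", None, "Minimum TLS version is not 1.2"),
    ("allowBlobPublicAccess", False, None, "Anonymous container access not disabled"),
    ("publicNetworkAccess", "Disabled", None, "Public network access not disabled"),
    ("allowCrossTenantReplication", False, None, "Cross-tenant replication not disabled"),
    ("isHnsEnabled", False, False, "Hierarchical namespace is enabled"),
    ("routingPreference.routingChoice", "MicrosoftRouting", "MicrosoftRouting",
     "Routing preference is not Microsoft network routing"),
    ("encryption.requireInfrastructureEncryption", True, None,
     "Infrastructure encryption not enabled"),
    # Luware Recording authenticates with the access key; null means true for this field.
    ("allowSharedKeyAccess", True, True, "Storage Account access keys are disabled"),
]

def audit_account(acct, compliance=True):
    """Return the deviations from the recommended settings (empty list = compliant).
    compliance=True adds the compliance-recording rules (GRS redundancy and
    version-level immutability); pass False for quality recording."""
    findings = []
    for path, expected, if_null, text in CHECKS:
        actual = _get(acct, path, if_null)
        if actual != expected:
            findings.append(f"{text} (found {actual!r})")
    sku = _get(acct, "sku.name", "")
    if not sku.startswith("Standard_"):
        findings.append(f"Performance tier is not Standard (found {sku!r})")
    elif compliance and not sku.endswith("GRS"):
        findings.append(f"Compliance data should use GRS redundancy (found {sku!r})")
    if compliance and _get(acct, "immutableStorageWithVersioning.enabled") is not True:
        findings.append("Version-level immutability support not enabled")
    return findings

if __name__ == "__main__":  # usage: python audit_storage.py account.json
    acct = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACCOUNT
    print("\n".join(audit_account(acct) or ["All checked settings match"]))
```

Run it again after any portal change, since a later edit to networking or security settings is not visible from the Luware Recording side.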

5. Create the Storage Account Container

A container organizes a set of blobs, similar to a directory in a file system. A storage account can include an unlimited number of containers, and a container can store an unlimited number of blobs. A container name must be a valid DNS name, as it forms part of the unique URI (Uniform Resource Identifier) used to address the container or its blobs.

To create a container, follow the steps below:

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Search for the Storage Account name you created earlier.
  4. On the navigation pane, click Data Storage.
  5. Click Containers.
  6. Click + Container.
  7. Enter a Name, such as luwarerecording.
  8. Anonymous Access Level: Private (No Anonymous Access).
  9. Click Create.

6. Provide Luware Storage Account Details

To create the private endpoint connection and the storage target within Luware Recording, we need certain details of the storage account. 

Template for Details

Fill in the table below and share it with your Luware Recording customer success specialist.

Property | Value
Storage Account Name |
Storage Account Container Name |
Storage Account Resource Id |

Storage Account Name

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Search for the Storage Account name you created earlier.
  4. Copy the Name from the table.

Storage Account Container Name

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Search for the Storage Account name you created earlier.
  4. Click the Storage Account Name.
  5. On the navigation pane on the left, click Data Storage, then click Containers.
  6. Copy the name of the created container.

Storage Account Resource Id

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Search for the Storage Account name you created earlier.
  4. Click the Storage Account Name.
  5. Click the JSON View button.
  6. Press the Copy button next to the Resource Id.

Share these details with your Customer Success Specialist

Once you've collected all the required details, share these via email with your Customer Success Specialist. They will now create the Storage Account in Luware Recording. 

7. Securely Input the Shared Access Key

Once the Luware customer success specialist has created the storage account and the private endpoint connection, the customer or partner will be required to log in to Luware Recording with an Admin account to input the Storage Account shared access key.

Luware will notify you when we are ready for this step.

Shared Access Key

Luware Recording only supports authentication using the Storage Account shared access key. The shared access key must not be shared, stored or transmitted by any communication method to anyone or any organisation. If you accidentally share the access key, rotate the key immediately.

Secure transfer of the key is achieved by the customer or partner entering the key directly into Luware Recording. The data transfer is encrypted using HTTPS, and the key is written into the database with a proprietary hash which cannot be decoded by Luware.

Copy the Storage Account Key

Follow the steps below to copy the Storage Account key.

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Search for the Storage Account name you created earlier.
  4. Click the Storage Account Name.
  5. On the navigation pane on the left, click Security + Networking, then click Access Keys.
  6. On Key1, click Show.
  7. Click the Copy button.

Input the Shared Access Key into Luware Recording

Follow the steps below to enter the Storage Account key.

  1. Log in to Luware Recording with an Admin account.
  2. Hover over Data and click Storage Accounts.
  3. Click the Storage Account which matches the name created.
  4. Paste the copied Storage Account Key1 into the Account Key text field.
  5. Click Save.

8. Accept the Private Endpoint Request

The Luware customer success specialist will inform you once our operations team has created the private endpoint connection. To approve the secure connectivity, follow the steps below:

  1. Log in to the Azure Portal.
  2. Search for Storage Accounts.
  3. Search for the Storage Account name you created earlier.
  4. Click the Storage Account Name.
  5. On the navigation pane on the left, click Security + Networking, then click Networking.
  6. In the list, select the Luware Recording request and click Approve.

9. Generate a Certificate for Encryption and Signing

Luware Recording encrypts and signs all captured conversations before uploading them to your storage account, ensuring data security and privacy. To enable this, Luware recommends that customers generate a certificate specifically for this process in Luware Recording. If customers are unable to bring their own certificate, Luware will generate a new certificate specifically for the customer; however, these certificates cannot be shared with the customer.

Do not delete certificates after expiry

Luware does not delete certificates after they expire. Uploaded encrypted files will not be re-encrypted with a new certificate after the old certificate expires, as the files will be under retention on the Azure Storage Account.

Luware highly recommends that generated certificates be permanently stored in a secure location such as an Azure Key Vault. If the encryption certificate is permanently deleted, the files are not retrievable.

To find out more about how Luware securely stores certificates, read our Luware Recording Security Whitepaper.

Customers or partners will have their own internal methods for generating certificates; therefore, we recommend you raise a request internally for certificate generation.

The certificate requirements are as follows:

Property | Value
Public Certificate Required | No
Certificate Subject | Customer's choice
Subject Alternative Name | Customer's choice
Public Key | RSA 512, 1024, 2048 (Recommended)*, 4096
Signature Algorithm | SHA-256 (Recommended)*, SHA-512
Validity | 1 year minimum
Certificate Chain Required | No
Private Key Included | Yes
Private Key Exportable | Yes
Certificate bundle file format | .pem, .pfx
Delete certificate after expiry | Never delete (Store in a Key Vault permanently)**

* Increasing the key size and/or the signature algorithm strength may lead to delays in decryption for actions such as playback, exports and API requests.

** Do not delete encryption certificates after they expire. The files uploaded to the Azure Storage Account will not be re-encrypted with a new certificate when it is replaced, as they will be locked under retention. Files encrypted with a certificate that has since been deleted cannot be decrypted.

10. Securely Share the Certificate with Luware

The Luware customer success specialist will provide you with a private sharing link to upload the certificate to Luware. Luware will then upload the certificate to a Luware Azure Key Vault to protect the certificate.

Luware Support

Luware support contact details:

Luware Website | https://luware.com/support/
Luware Helpdesk | https://helpdesk.luware.cloud
Cloud Service Status | https://status.luware.cloud/