SUBJECT TO CHANGE
Please note that this is an evolving service, with specifications subject to change in future. This document will be maintained to reflect future specification changes that affect the sections in this document (i.e. changes Microsoft makes to the Azure Storage services specification).
Overview
This section assumes that you are familiar with the concepts of Azure Storage account services. Luware Recording requires that you create your own Azure Storage Account for the storage of your captured conversations.
You will set up the required Azure Storage Account and container using the guidance in this document. Luware will connect to the Azure Storage Account using a Private Endpoint connection and securely upload captured conversations in an encrypted format.
This document provides guidance required to setup the Storage Account, connectivity and encryption required to enable Luware Recording.
Azure Storage Account Responsibility
It is the customer's or partner's responsibility to ensure the Azure Storage Account is correctly configured. Luware therefore recommends that customers and partners review the configuration and security settings at creation and regularly thereafter to ensure data privacy and security.
Supported Azure Storage Targets
Luware recommends Azure Storage with Blob containers for low-cost, secure storage with version-level immutability-locked files. File storage targets are supported for customers capturing conversations for quality purposes.
Multiple Storage Accounts
Customers requiring multiple storage accounts, for example in different regions, will require an additional add-on for Luware Recording. Multiple containers on the same Storage Account are available in specific Solution Packages.
Connectivity Overview
Luware recommends Azure Private Endpoints for connectivity between the Luware Recording platform and the customer's Azure Storage Account. This method of connectivity uses a dedicated private IP address for communication towards your Azure Storage Account over the Microsoft network. Public IP routing is not used, so the data does not traverse the public internet.
Luware will create and operate the private endpoint connection from Luware Recording to your Azure Storage Account. You must provide the Resource ID of the created Azure Storage Account for Luware to create the private endpoint connection. After creation, you will be requested to approve the private endpoint connection.
Multi-Tenant Germany
NOTE
Please note that while this connectivity provides a more secure connection to your Azure Storage accounts, it does not provide any resiliency in the event that the Azure region Germany West Central experiences a failure.
Luware Recording Germany is deployed into Germany West Central and Germany North.
The Luware Recording services in Germany North will cache the recordings until Germany West Central is back online, at which point the recordings will be uploaded to the customer's Azure Storage Account via the private endpoint in Germany West Central.
Please see supported regions for Private Link services from Microsoft:
Multi-Tenant Switzerland
NOTE
Please note that while this connectivity provides a more secure connection to customers' Azure Storage accounts, it does not provide any resiliency in the event that the Azure region Switzerland North experiences a failure.
Luware Recording is deployed into Switzerland North and Switzerland West.
The Luware Recording services in Switzerland West will cache the recordings until Switzerland North is back online, at which point the recordings will be uploaded to the customer's Azure Storage Account via the Private Endpoint in Switzerland North.
Please see supported regions for Private Link services from Microsoft:
There is no need to configure firewall access control lists for Luware Recording IP addresses and/or VNets on the customer Azure Storage Account. However, it is recommended to restrict access.
The private endpoint uses an IP address from the dedicated Private Endpoint Luware Recording VNet address space. Network traffic between the Luware Recording VNet and your storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
🔍 Also see Azure Storage Private Endpoints.
Storage Account Creation
Luware recommends the following sequence to create the Azure Storage Account and configure it within Luware Recording:
- Create or use an existing Subscription for the Storage Account.
- Enable Private Endpoint resources for the subscription.
- Create or use an existing Resource Group for the Storage Account.
- Create the Storage Account.
- Create the Storage Account container.
- Provide Luware with the Storage Account details.
- Securely input the Shared Access Key on Luware Recording.
- Accept the private endpoint connection request.
- Generate a certificate for encryption and signing.
- Share the certificate securely with Luware.
1. Subscription
An Azure subscription is required to create an Azure Storage Account. A subscription is a container used to provision resources in Azure. It holds the details of all your resources such as the resource group and Azure Storage Account. When you create an Azure resource like a Storage Account, you identify the subscription it belongs to. As you use the Storage Account, the usage of the Storage Account is aggregated and billed monthly.
For guidance with creating an Azure subscription contact your Azure specialist.
2. Enable Private Endpoint Network Resources
To allow Luware to connect a Private Endpoint to your Azure Storage Account, the Microsoft.Network resource provider must first be registered in the customer's Azure subscription. Follow the steps below to enable private endpoint connectivity.
- Log in to the Azure Portal.
- Search for Subscriptions and select it from the drop-down.
- Click the Subscription to be used for the Storage Account.
- On the navigation pane on the left, click Settings, then Resource Providers.
- Find the resource provider "Microsoft.Network".
- Click Register.
3. Resource Group
An Azure Resource Group is required to create an Azure Storage Account. A resource group is a container that holds related resources for an Azure solution. The resource group would usually only include the Luware Recording storage account, as we recommend splitting resources per solution.
You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. For guidance with creating an Azure subscription contact your Azure specialist.
4. Create an Azure Storage Account
The following sections provide guidance on how to create the Azure Storage Account. For any Azure Storage specific queries not covered in the following sections, we recommend you contact your Azure specialists for assistance.
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Click Create.
- Follow the below guidance for configuration.
Basics
This section refers to the initial input values requested by Azure Portal for the initial creation of the Azure Storage Account.
Project Details
Field | Options |
---|---|
Subscription | Customer selects the Azure Subscription |
Resource Group | Customer selects the resource group |
Instance Details
Field | Options |
---|---|
Storage Account Name | Customer selects a name for the Storage Account |
Region | Customer selects the region where data will be stored. |
Primary Service | Azure Blob Storage or Azure Data Lake Storage Gen 2 |
Performance | Standard (Recommended)*, Premium |
Redundancy | LRS: Locally Redundant Storage (Low Cost). GRS: Geo-Redundant Storage (Recommended)** |
Make Read Access to data available | Enabled*** |
* The Luware Recording application supports Standard performance level. If Premium is selected, only Block Blobs are supported.
** Geo-Redundant Storage creates a read-only copy in a paired Azure region, providing additional resiliency in case of data loss in an Azure region. Luware recommends that compliance data is stored in a GRS-enabled Azure Storage Account.
*** Luware Recording will not be able to utilize the read-only GRS region in the event of a regional outage as the private endpoint connectivity is only available in the primary region.
Advanced
Security
Luware recommends you review security options with your internal Azure security teams.
Field | Options |
---|---|
Require secure transfer for REST API operations | Enabled |
Allow enabling anonymous access on individual containers | Disabled |
Enable Storage Account Access Key | Enabled |
Default to Azure Active Directory authorization in the Azure Portal | Disabled |
Minimum TLS Version | Version 1.2 |
Permitted scope for copy operations (Preview) | From storage accounts in the same Microsoft Entra Tenant (Recommended)* |
* It's recommended to limit copy operations to storage accounts within the same Microsoft Entra tenant. This option does not impact Luware Recording.
Hierarchical Namespace
Field | Options |
---|---|
Enable hierarchical namespace | Disabled |
Blob Storage
The access tier selection is the customer's choice, based on how the Luware Recording platform will be used. For example, if data is captured but not regularly played back, exported or accessed via APIs over a period of 12 months, you can reduce cost by moving to cold storage.
- Hot: Optimized for frequently accessed data. Storage cost is high, but access, writes and modifications are cheaper.
- Cool: Optimized for infrequently accessed data and backup scenarios. Costs are balanced between storage and reads, writes and modifications.
- Cold: Optimized for rarely accessed data and backup scenarios. The cost of storing data is low, but reads, writes and modifications are expensive.
Luware recommends reviewing the Azure Cost Calculator to select the default access tier. In most customer use cases, the cold access tier provides the lowest Microsoft pricing. Luware recommends that customers review the Azure Cost Analysis portal regularly to find potential cost savings by changing the default access tier.
To estimate the Azure Storage costs before building the storage account, you can review our Storage Capacity article.
Field | Options |
---|---|
Allow cross-tenant replication | Disabled |
Access Tier | Hot, Cool or Cold (Recommended) |
🔍 Also see Blob Storage Tiers.
Azure Files
Field | Options |
---|---|
Enable large file shares | Enabled (Default) |
Networking
Network Connectivity
Public Access to Storage Accounts
Do not use Public Access on Azure Storage Accounts as the storage account will be accessible from the Public Internet.
Field | Options |
---|---|
Network Access | Disable public access and use private access* |
* When public network access to the Azure Storage Account is disabled, you will not have access to the blobs within the container. If you require this access to the blobs, you must either allow access from selected virtual networks and IP addresses or create your own Private Endpoint connection to the storage account. Luware does not recommend enabling public access.
Network Routing
Field | Options |
---|---|
Routing Preference | Microsoft network routing |
Data Protection
Recovery
Luware Recording does not require any of the recovery options for accidental or erroneous deletion or modification. However, if you are not confident in setting up Role Based Access Control to prevent such actions on the storage account, soft delete for containers should be enabled at a minimum. Enabling these features does have a significant cost impact.
Field | Options |
---|---|
Enable point-in-time restore for containers | Disabled |
Enable soft delete for blobs | Disabled |
Enable soft delete for containers | Disabled* |
Enable soft delete for file shares | Disabled |
* Enabling soft delete for containers protects against accidental deletion or modification of the container where captured recordings will be stored. It can be enabled with 30 days of retention in case of accidental deletion. Luware recommends using the immutability configured below, which protects against accidental deletion of versions, files and containers.
Tracking
Version-level immutability support (also known as file-level retention) provides Write Once Read Many (WORM), also called Non-Erasable Non-Rewriteable (NENR), storage accounts and files. To enable it, Luware recommends enabling Versioning for Blobs and Version-Level Immutability Support. The Version-Level Immutability Support feature provides additional protection for your files by leveraging Azure's retention policies. Here is what happens when the checkbox to enable this feature is selected:
- File Locking: When enabled, Luware Recording locks the uploaded file versions on Azure by applying the retention period configured within the Luware Recording upload policy.
- Retention Period: During the retention period, the locked version of the file:
  - Cannot be deleted or modified, even by an Azure Admin.
  - Remains immutable until the retention period expires.
  - Has a retention that cannot be reduced but can be increased using a Luware Recording policy.
This ensures that your files are protected against accidental or intentional deletion.
Important Note: Once a file version is locked, it cannot be edited or removed, and its retention cannot be reduced until the specified retention period ends. Ensure you understand the implications before enabling this feature, as even administrators cannot override the immutability during the retention period.
For more detailed information on Azure's retention policies and immutability, refer to the official Microsoft documentation.
Field | For Quality Recording | For Compliance Recording |
---|---|---|
Enable versioning for blobs | Optional* | Enabled |
Enable version-level immutability support | Optional* | Enabled |
* For customers that capture recordings for quality purposes and need to delete captured files due to data privacy regulations such as GDPR, these options can be disabled. For compliance recording customers that need WORM/NENR storage locations, these options MUST be enabled; the database records can still be deleted on request, but the files cannot be removed until the retention date has been reached.
Encryption
Data in the Azure Storage account is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is enabled for all storage accounts. Azure Storage encryption cannot be disabled.
Field | Value |
---|---|
Encryption type | Microsoft-managed key (MMK) (Recommended), Customer Managed Keys* |
Enable support for customer-managed keys | Blobs and files only |
Enable infrastructure encryption | Enabled (Recommended), Disabled |
* Contact your internal Azure specialists for setting up customer managed keys.
Tags
Tags are metadata elements that you apply to your Azure resources. They're key-value pairs that help you identify resources based on settings that are relevant to your organization.
For guidance with creating tags relevant to your organization contact your internal Azure specialist.
Review and Create
Review the configuration created in the previous sections. It is recommended to do this with your internal Azure specialist to ensure data privacy and security. Click Create to build the Azure Storage Account; this process usually takes less than one minute.
5. Create the Storage Account Container
A container organizes a set of blobs, similar to a directory in a file system. A storage account can include an unlimited number of containers, and a container can store an unlimited number of blobs. A container name must be a valid DNS name, as it forms part of the unique URI (Uniform resource identifier) used to address the container or its blobs.
To create a container follow the below steps:
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Search for the Storage Account name you created earlier.
- On the navigation pane, click Data Storage.
- Click Containers.
- Click + Container.
- Enter a Name, such as luwarerecording.
- Anonymous Access Level: Private (No Anonymous Access).
- Click Create.
6. Provide Luware Storage Account Details
To create the private endpoint connection and the storage target within Luware Recording, we need certain details of the storage account.
Template for Details
Fill in the below table and share it with your Luware Recording customer success specialist.
Property | Value |
---|---|
Storage Account Name | |
Storage Account Container Name | |
Storage Account Resource Id | |
Storage Account Name
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Search for the Storage Account name you created earlier.
- Copy the Name from the table.
Storage Account Container Name
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Search for the Storage Account name you created earlier.
- Click the Storage Account Name.
- On the navigation pane on the left, click Data Storage, then Containers.
- Copy the name of the created container.
Storage Account Resource Id
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Search for the Storage Account name you created earlier.
- Click the Storage Account Name.
- Click the JSON View button.
- Press the Copy button next to the Resource Id.
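Steps 2 to 6 can also be carried out with the Azure CLI instead of the Portal. The script below is an added example, not a Luware script: it applies the settings recommended in the Basics, Advanced, Networking, Data Protection and Encryption tables above in one create call, enables blob versioning for the compliance case, creates the container through the management plane (which works with public network access disabled) with no anonymous access, and prints the Resource Id that Luware needs. The subscription id, resource group, location and account name are placeholders, the COMPLIANCE switch decides whether versioning and version-level immutability support are turned on, and with the default APPLY=0 the commands are only printed so they can be reviewed before running them with APPLY=1 in a logged-in az session.

```shell
#!/bin/sh
# Added example, not a Luware script: Azure CLI equivalent of the Portal settings in
# steps 2 to 6. Resource names, the subscription id and the location are placeholders.
# APPLY=0 (default) only prints the commands; APPLY=1 runs them in a logged-in az session.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-luware-recording}"                       # placeholder
LOCATION="${LOCATION:-germanywestcentral}"                                   # placeholder
ACCOUNT_NAME="${ACCOUNT_NAME:-stluwarerec001}"                                # placeholder
CONTAINER_NAME="${CONTAINER_NAME:-luwarerecording}"
ACCESS_TIER="${ACCESS_TIER:-Cool}"   # Hot, Cool or Cold; compare prices before choosing
COMPLIANCE="${COMPLIANCE:-1}"        # 1 = versioning + version-level immutability (WORM/NENR)
APPLY="${APPLY:-0}"

# Storage account names: 3 to 24 characters, lowercase letters and digits only.
valid_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# Container names form part of a DNS name: 3 to 63 characters, lowercase letters, digits
# and hyphens, starting and ending with a letter or digit, no consecutive hyphens.
valid_container_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$' &&
    ! printf '%s' "$1" | grep -q -- '--'
}

# Print a command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 2: the private endpoint Luware creates needs the Microsoft.Network provider.
register_network_provider() {
  run az account set --subscription "$SUBSCRIPTION_ID"
  run az provider register --namespace Microsoft.Network
}

# Step 4: the Basics, Advanced, Networking and Encryption tables in one create call.
create_storage_account() {
  alw=false
  if [ "$COMPLIANCE" = "1" ]; then alw=true; fi   # version-level immutability support
  run az storage account create \
    --name "$ACCOUNT_NAME" --resource-group "$RESOURCE_GROUP" --location "$LOCATION" \
    --kind StorageV2 --sku Standard_GRS --access-tier "$ACCESS_TIER" \
    --min-tls-version TLS1_2 --https-only true \
    --allow-blob-public-access false --allow-shared-key-access true \
    --enable-hierarchical-namespace false --allow-cross-tenant-replication false \
    --enable-large-file-share --routing-choice MicrosoftRouting \
    --public-network-access Disabled --default-action Deny \
    --require-infrastructure-encryption true --enable-alw "$alw"
  # Advanced > Security: limit copy operations to accounts in the same Entra tenant.
  run az storage account update --name "$ACCOUNT_NAME" --resource-group "$RESOURCE_GROUP" \
    --allowed-copy-scope AAD
}

# Data Protection > Tracking: blob versioning is required for version-level immutability.
enable_versioning() {
  run az storage account blob-service-properties update \
    --account-name "$ACCOUNT_NAME" --resource-group "$RESOURCE_GROUP" --enable-versioning true
}

# Step 5: create the container over the management plane (works with public network
# access disabled) with no anonymous access.
create_container() {
  run az storage container-rm create --storage-account "$ACCOUNT_NAME" \
    --resource-group "$RESOURCE_GROUP" --name "$CONTAINER_NAME" --public-access off
}

# Step 6: the Resource Id Luware needs to create the private endpoint connection.
show_resource_id() {
  run az storage account show --name "$ACCOUNT_NAME" --resource-group "$RESOURCE_GROUP" \
    --query id --output tsv
}

main() {
  valid_account_name "$ACCOUNT_NAME" || { echo "invalid storage account name: $ACCOUNT_NAME" >&2; return 1; }
  valid_container_name "$CONTAINER_NAME" || { echo "invalid container name: $CONTAINER_NAME" >&2; return 1; }
  register_network_provider
  create_storage_account
  if [ "$COMPLIANCE" = "1" ]; then enable_versioning; fi
  create_container
  show_resource_id
}
main
```

The Recovery table entries (point-in-time restore and the soft delete options) are left at their CLI defaults, which are disabled, so they need no flags here; the Portal wizard would otherwise pre-select some of them. Run with COMPLIANCE=0 for a quality-only account, which leaves versioning and version-level immutability support off as the Tracking table allows.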
7. Securely Input the Shared Access Key
Shared Access Key
Luware Recording only supports authentication using the Storage Account shared access key. The shared access key must not be shared, stored or transmitted through any communication method to any person or organisation. If you accidentally share the access key, rotate the key immediately.
Secure transfer of the key is achieved by the customer or partner entering the key directly into Luware Recording. The data transfer is encrypted using HTTPS, and the key is written into the database with a proprietary hash which cannot be decoded by Luware.
Copy the Storage Account Key
Follow the below steps to copy the Storage Account key.
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Search for the Storage Account name you created earlier.
- Click the Storage Account Name.
- On the navigation pane on the left, click Security + Networking, then Access Keys.
- On Key1, click Show.
- Click the Copy button.
Input the Shared Access Key into Luware Recording
Follow the below steps to enter the Storage Account key.
- Log in to Luware Recording with an Admin account.
- Hover over Data and click Storage Accounts.
- Click the Storage Account which matches the name you created.
- Paste the copied Storage Account Key1 into the Account Key text field.
- Click Save.
8. Accept the Private Endpoint Request
The Luware customer success specialist will inform you once our operations team has created the private endpoint connection. To approve the secure connectivity, follow the steps below:
- Log in to the Azure Portal.
- Search for Storage Accounts.
- Search for the Storage Account name you created earlier.
- Click the Storage Account Name.
- On the navigation pane on the left, click Security + Networking, then Networking.
- In the list, select the Luware Recording request and click Approve.
9. Generate a Certificate for Encryption and Signing
Luware Recording encrypts and signs all captured conversations before uploading them to your storage account, ensuring data security and privacy. To enable this, Luware recommends that customers generate a certificate specifically for this process in Luware Recording. If customers are unable to bring their own certificate, Luware will generate a new certificate specifically for the customer; however, these certificates cannot be shared with the customer.
Do not delete certificates after expiry
Luware does not delete certificates after they expire. Uploaded encrypted files will not be re-encrypted with the new certificate after the old certificate expires, as the files will be under retention on the Azure Storage Account.
Luware highly recommends that generated certificates are permanently stored in a secure location such as an Azure Key Vault. If the encryption certificate is permanently deleted, the files are not retrievable.
To find out more about how Luware securely stores certificates, read our Luware Recording Security Whitepaper.
Customers or partners will have their own internal methods for generating certificates, therefore, we recommend you raise a request internally for certificate generation.
The certificate requirements are as follows:
Property | Value |
---|---|
Public Certificate Required | No |
Certificate Subject | Customer's choice |
Subject Alternative Name | Customer's choice |
Public Key RSA | 512, 1024, 2048 (Recommended)*, 4096 |
Signature Algorithm | SHA-256 (Recommended)*, SHA-512 |
Validity | 1 year minimum |
Certificate Chain Required | No |
Private Key Included | Yes |
Private Key Exportable | Yes |
Certificate bundle file format | .pem, .pfx |
Delete certificate after expiry | Never delete (Store in a Key Vault permanently)** |
* Increasing the key size and/or the signature algorithm strength may lead to delays in decryption for actions such as playback, exports and API requests.
** Do not delete encryption certificates after they expire. The files uploaded to the Azure Storage Account will not be re-encrypted with a new certificate when it is replaced, as they will be locked under retention. Files that were encrypted with a certificate that has since been deleted cannot be decrypted.
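For customers whose internal process for certificate generation is OpenSSL based, the script below is an added example (not Luware tooling) that produces a certificate matching the requirements table above and then checks the result against that table before it is handed over: RSA key of at least 2048 bits, SHA-256 or SHA-512 signature, at least one year of validity, private key included and exported as both .pem files and a .pfx bundle. The subject, subject alternative name, output directory and PFX passphrase are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not Luware tooling: generate a certificate that satisfies the requirements
# table with OpenSSL, then check the result against those requirements before sharing it.
# Subject, SAN, output directory and the PFX passphrase are placeholders.
set -eu

OUT_DIR="${OUT_DIR:-./luware-cert}"
SUBJECT="${SUBJECT:-/CN=luware-recording-encryption}"       # customer's choice
SAN="${SAN:-DNS:luware-recording.example.com}"              # customer's choice
KEY_BITS="${KEY_BITS:-2048}"                                 # recommended key size
DAYS="${DAYS:-365}"                                          # one year minimum
PFX_PASS="${PFX_PASS:-changeit}"                             # placeholder; use a real passphrase

# Self-signed RSA certificate with its private key (no public CA, no chain), written as
# .pem files and as a .pfx bundle that includes the private key.
generate_certificate() {
  out="$1"; key_bits="$2"; days="$3"
  mkdir -p "$out"
  openssl req -x509 -newkey "rsa:$key_bits" -sha256 -days "$days" -nodes \
    -subj "$SUBJECT" -addext "subjectAltName=$SAN" \
    -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$out/key.pem" -in "$out/cert.pem" \
    -out "$out/bundle.pfx" -passout "pass:$PFX_PASS"
  chmod 600 "$out/key.pem" "$out/bundle.pfx"   # the private key is the decryption key
}

# Return 0 only if the certificate meets the table: RSA key of at least 2048 bits,
# SHA-256 or SHA-512 signature, and at least one year of validity remaining.
verify_certificate() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ] || return 1
  case "$sig" in
    sha256WithRSAEncryption|sha512WithRSAEncryption) ;;
    *) return 1 ;;
  esac
  # -checkend succeeds only if the certificate is still valid after the given seconds.
  openssl x509 -in "$cert" -noout -checkend $((365 * 24 * 3600 - 3600)) >/dev/null
}

main() {
  generate_certificate "$OUT_DIR" "$KEY_BITS" "$DAYS"
  if verify_certificate "$OUT_DIR/cert.pem"; then
    echo "$OUT_DIR/bundle.pfx meets the requirements; keep it permanently in a key vault"
  else
    echo "$OUT_DIR/cert.pem does not meet the requirements" >&2
    return 1
  fi
}
main
```

The verification function is the part worth keeping even when the certificate comes from an internal PKI: run it against the certificate you intend to share, and store the .pfx in a key vault before sharing, since the private key is what decrypts the uploaded recordings once they are under retention.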
10. Securely share the certificate with Luware
Luware Support
Luware Website | https://luware.com/support/ |
---|---|
Luware Helpdesk | https://helpdesk.luware.cloud |
Cloud Service Status | https://status.luware.cloud/ |