Private Storage Links

April 2024

What’s changing

MK.IO now supports connections to your own Azure Storage Accounts using a private network link. Within MK.IO, your content is always securely stored in a storage account that you control. With Private Storage Link, your storage traffic will transit a network firewall that restricts access to known, pre-approved connections.

Who is impacted

API Users — to use a private storage link, you will need to create a new storage resource and authorize the connection in the customer storage account.

Why you would use this / Why it matters

You probably have high-value content and specific contractual obligations related to your content that require you to take measures against content exfiltration. This feature provides an additional layer of security on top of your content for added assurance in the event of specific security events.

The connections between MK.IO and your storage are secured in several ways already. All network traffic between MK.IO and storage is encrypted by default, preventing interception as video data moves through the network. Additionally, MK.IO authenticates to storage using a SAS token, ensuring that the connection is allowed within the storage account.

Private links create an extra layer of security in the form of a network tunnel, or firewall, between MK.IO and the your account. This level of additional defense in depth helps to reduce the probability of content exfiltration in the event that a storage account is misconfigured or a SAS token is compromised.

Additional details

The private storage connection requires mutual configuration between MK.IO and the your storage account. Before the mutual configuration is completed, requests made by MK.IO to the storage account will time out and fail.

Getting started

To enable this capability, you must create a storage account resource that provides the following information:

  • The ID of the Azure subscription hosting the storage account
  • The name of the resource group containing the storage account
  • The name of the storage account
  • A message that will be passed to the owner of the remote resource with the connection request

We recommend creating a new storage account resource for this purpose. If a storage account is edited to enable this feature, all requests to the storage account will fail until the customer has completed mutual configuration within the Azure portal.

MK.IO will use this information to issue a request to your storage account. That request will include the contents of the description field so that you can confirm the request originates from MK.IO and may be approved.

As the owner of the storage account you will have to approve the connection before MK.IO can access the data on the storage.

Once private storage links have been enabled for a storage account, they cannot be removed.

For more details on how to setup a private link to your storage, please look at the following page Setup a Private Storage Link

Availability & rollout plan

This capability is available in all MK regions effective April 22 2024.

Resources

Azure documentation on private endpoints Use private endpoints for Azure Storage

Pricing

☝️

To benefit from this feature you will first need to move to the MK.IO 2024 plan.

Instruction to update your plan available in Update your plan

A fixed monthly fee will be assessed for the activation and maintenance of your private storage link.

Storage traffic over a private link will incur additional charges for ingress (writes tor storage) and egress (reads from storage) traffic. Both inbound and outbound traffic incur charges that will be reflected in your MK.IO invoice.

Private storage pricing is described in detail in the Storage Pricing Table