Configuring Windows Azure Connection Strings
Updated: November 22, 2010
A connection string contains the parameters that are necessary to access your storage account in Windows Azure. You can configure a connection string in the following ways:
Connect to the Windows Azure storage emulator while you are locally testing your service or application.
Connect to a storage account in Windows Azure by using the default endpoints for the storage services.
Connect to a storage account in Windows Azure by using explicit endpoints for the storage services.
If you access the Windows Azure storage services from code within your service, you can specify one or more configuration settings that contain connection strings. The Application Development includes members for reading configuration setting values. If you specify a connection string within a configuration setting, you can easily modify it to point to a different storage account or to use different credentials, without redeploying your service.
Storing connection strings as configuration settings is a convenience, but you can choose to track them in another manner if you wish. If you are accessing the storage services from code that is not running in Windows Azure, then you might store connection strings in an app.config file or another configuration file.
|The Windows Azure Tools also provide a user interface for creating configuration settings that contain connection strings. These tools are available from the Properties pages for the web role and the worker role. For more information, see Configuring the Windows Azure Application with Visual Studio.|
Connecting to the storage emulator
The storage emulator is a local account with a well-known name and key. Since the account name and key are the same for all users, you can use a shortcut string format to refer to the storage emulator within a connection string. Set the value of the connection string to
You can also specify an HTTP proxy to use when you're testing your service against the storage emulator. This can be useful for observing HTTP requests and responses while you're debugging operations against the storage services. To specify a proxy, add the
DevelopmentStorageProxyUri option to the connection string, and set its value to the proxy URI. For example, here is a connection string that points to the storage emulator and configures an HTTP proxy:
Connecting to a storage account in Windows Azure
You can define a connection string to a storage account in Windows Azure in one of the following ways:
Assume the default endpoints for the storage services. This is the simplest option for creating a connection string. When you use this connection string format, you need to specify only your account name and account key, and indicate whether to connect to your storage account through HTTP or HTTPS.
Specify explicit endpoints for the storage services. This option allows you to create a more complex connection string. When you use this string format, you can specify storage service endpoints that include a custom domain name, or minimize information exposure for a shared access signature-based connection string.
|The Windows Azure storage services support both HTTP and HTTPS; however, using HTTPS is highly recommended.|
Creating a Connection String with default endpoints
To create a connection string that relies on the default endpoints for the storage service, use the following connection string format. Indicate whether you want to connect to the storage account through HTTP or HTTPS, replace
myAccountName with the name of your storage account, replace
myAccountKey with your account access key:
For example, your connection string should look similar to the following sample connection string:
You can locate your account access key by viewing the properties for your storage account in the Windows Azure Management Portal.
Creating a connection string with explicit endpoints
You may want to explicitly specify the service endpoints in your connection string for the following reasons:
You have registered a custom domain name for your storage account with the Blob service.
You want to grant access only to blob resources in a single container, through a shared access signature.
Specifying a blob endpoint with a custom domain name
If you have registered a custom domain name for use with the Blob service, you may want to explicitly configure the blob endpoint in your connection string. The endpoint value that is listed in the connection string is used to construct the request URIs to the Blob service, and it dictates the form of any URIs that are returned to your code.
To create a connection string that specifies explicit endpoints, specify the complete service endpoint for each service, including the protocol specification (HTTP or HTTPS) by using the following format:
When you explicitly specify service endpoints, you have two options for specifying credentials. You can specify the account name and key (AccountName=myAccountName;AccountKey=myAccountKey), as shown in the previous section, or you can specify a shared access signature, as shown in the Specifying a blob endpoint with a shared access signature section. If you are specifying the account name and key, the complete string format is:
You can specify endpoints for blob, table, and queue in a connection string. You must specify at least one endpoint, but you do not need to specify all three. For example, if you're creating a connection string for use with a custom blob endpoint, specifying the queue and table endpoints is optional. If you do not specify the queue and table endpoints, you cannot access the Queue and Table services from your code by using that connection string.
Specifying a blob endpoint with a shared access signature
You can create a connection string with explicit endpoints to permit your service to access blob resources in a single container. In this case, you can specify a shared access signature for the container as part of the connection string, rather than the account name and key credentials. The shared access signature encapsulates information about the container to be accessed, the period of time for which it is available, and the permissions being granted. It can be used to authenticate requests against that container. For more information about shared access signatures, see Delegating Access with a Shared Access Signature (REST API).
To create a connection string that includes a shared access signature, specify the string in the following format:
The blob endpoint can be the default Blob service endpoint or a custom endpoint. The
base64Signature corresponds to the signature portion of a shared access signature. The signature is an HMAC computed over a valid string-to-sign and key using the SHA256 algorithm, the result is then Base64-encoded.
Shared access signatures are valid only for Blob service resources (a specific container and the blobs it contains). A connection string that incorporates a shared access signature should not include endpoints for the Queue and Table services because these must be authenticated by using the account name and key. It is recommended that you create a separate connection string for queue and table resources.