Hybrid VPC — Azure Blob Storage

This guide covers setting up Hybrid VPC with Azure Blob Storage as your storage backend. Reducto uses a cross-tenant service principal to read and write documents in your Azure Storage account.

Prerequisites

Azure subscription with permissions to create Storage accounts and role assignments
Terraform 1.2+ with the AzureRM provider (for automated setup)
Values from Reducto (provided during onboarding):
- Reducto’s Azure AD application ID (for cross-tenant access)
- Organization ID for configuration

Architecture

Setup

Terraform (recommended)
Azure Portal (manual)

Reducto provides a Terraform example for Azure setup in the hybrid infrastructure repository.

Clone the infrastructure repository

git clone https://github.com/reductoai-collab/reducto-hybrid-infra.git
cd reducto-hybrid-infra/examples/azure

Create terraform.tfvars

name_prefix       = "reducto"
location          = "eastus"
resource_group_name = "reducto-hybrid-rg"

# Provided by Reducto during onboarding
reducto_service_principal_object_id = "<object-id-from-reducto>"

tags = {
  Environment = "production"
  Project     = "reducto-hybrid"
}

Initialize and apply

terraform init
terraform plan
terraform apply

Share outputs with Reducto

terraform output integration_values

Provide the output values (storage account name, container name, connection string) to your Reducto team.

Create a Storage Account

Go to Azure Portal → Storage Accounts → Create
Configure:
- Performance: Standard
- Redundancy: LRS (or your preferred level)
- Enable hierarchical namespace if needed
Under Networking, set Public network access to your preference
Under Data protection, configure lifecycle management (recommended: 1-day expiry)

Create a Blob Container

Open the new Storage Account
Go to Containers → + Container
Name: reducto-documents
Public access level: Private

Grant Reducto access

Go to Storage Account → Access Control (IAM) → Add role assignment
Role: Storage Blob Data Contributor
Assign access to: User, group, or service principal
Select the Reducto service principal (provided during onboarding)

Generate connection string

Go to Storage Account → Access keys
Copy the Connection string
Share with your Reducto team (securely)

Components provisioned

Component	Purpose	Required
Storage Account	Azure Blob Storage with lifecycle policies	Yes
Blob Container	Container for documents and artifacts	Yes
RBAC Role Assignment	Cross-tenant access for Reducto service principal	Yes
Lifecycle Management Rule	Automatic blob expiry (default: 1 day)	Recommended

Integration Values

After setup, provide these values to Reducto:

Value	Description	Where to find
`storage_account_name`	Storage account name	Azure Portal → Storage Account
`container_name`	Blob container name	Storage Account → Containers
`connection_string`	Storage connection string	Storage Account → Access keys

Data Lifecycle

Configure lifecycle management to automatically delete blobs after processing:

{
  "rules": [
    {
      "name": "auto-expire",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "delete": {
              "daysAfterModificationGreaterThan": 1
            }
          }
        },
        "filters": {
          "blobTypes": ["blockBlob"]
        }
      }
    }
  ]
}

Security

Cross-tenant access: Reducto’s service principal is granted only Storage Blob Data Contributor on the specific container
No shared keys required: RBAC-based access is more secure than shared key authentication
Network restrictions: Optionally restrict access to specific IP ranges or virtual networks
Automatic cleanup: Lifecycle management policies ensure no long-term data persistence

Get Started

Developer Tools

Core Functions

Workflows and Pipelines

Configurations

Reference

Components

Enterprise Resources

Security and privacy

On-premise Resources

Hybrid VPC — Azure Blob Storage

Prerequisites

Architecture

Setup

Components provisioned

Integration Values

Data Lifecycle

Security

Get Started

Developer Tools

Core Functions

Workflows and Pipelines

Configurations

Reference

Components

Enterprise Resources

Security and privacy

On-premise Resources

Documentation Index

​Prerequisites

​Architecture

​Setup

​Components provisioned

​Integration Values

​Data Lifecycle

​Security

Prerequisites

Architecture

Setup

Components provisioned

Integration Values

Data Lifecycle

Security