Of the following two options...
Silverlight app talks directly to Azure Tables
Silverlight app talks to Web Role using WCF and that Web Role accesses Azure Tables
Which are possible? Which is the recommend approach?
Of the following two options...
Silverlight app talks directly to Azure Tables
Silverlight app talks to Web Role using WCF and that Web Role accesses Azure Tables
Which are possible? Which is the recommend approach?
The only possible approach is #2. Silverlight cannot connect directly to any database. If I were you I would also look at RIA Services, but I am not sure exactly how well RIA Services and Azure Tables will play together. You would have to map the stuff in your azure tables to entities which are then sent over the wire through RIA Services. I think either solution (RIA Services or straight-up WCF) can be considered best practice.
Both approaches are possible. For approach #1 (Silverlight direct access): Azure table storage is accessed via REST API calls, which you can access from an out-of-browser Silverlight app with elevated permissions, without worrying about cross-domain issues. However, this has risk, as you'd be embedding the certificate into your Silverlight app (so you'd want to use a Shared Access Signature).
See this MSDN post on this topic as well.
So, as Henrik said, a good practice is to go through a service tier. I'd absolutely recommend approach #2 and avoid all risk associated with local keys. But... I just wanted to clarify that you can go with direct calls from Silverlight.