Configure Azure Storage Firewalls and Virtual Networks
In this tutorial, we will learn about Azure Storage firewalls and virtual networks and how they provide a layered security model.
You can use the Azure Storage firewall to safeguard and limit access to your storage accounts to the networks your applications and corporate environments require. Once network rules are in place, only applications requesting data over the defined set of networks can reach the storage account. You can also limit requests to your storage account to specific IP addresses or IP ranges.
Each storage account has a public endpoint that is reachable over the internet. Alternatively, you can create Private Endpoints for your storage account, which assign it a private IP address from your VNet and secure all traffic between your VNet and the storage account over a private link. The Azure Storage firewall controls access to the storage account's public endpoint; when you use private endpoints, you can also use the firewall to deny all access through the public endpoint.
Scenarios
To secure your storage account, first configure a rule on the public endpoint that restricts traffic from all networks (including internet traffic) by default. Then add rules that allow traffic from specific VNets. You can also add rules that grant access to traffic from specific public internet IP address ranges.
Storage firewall rules can also be applied to existing storage accounts. Network rules apply to all network protocols for Azure Storage, including REST and SMB. Tools such as the Azure portal, Storage Explorer, and AzCopy are subject to these rules too, so specific network rules must be in place before they can access data.
Changing the default network access rule
By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.
Managing default network access rules
You can manage default network access rules for storage accounts using the Azure portal, PowerShell, or CLIv2.
Azure portal
- Firstly, go to the storage account you want to secure.
- Then, click on the settings menu called Firewalls and virtual networks.
- To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.
- Lastly, click Save to apply your changes.
Granting access from a virtual network
You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription.
Within the VNet, enable a service endpoint for Azure Storage. The service endpoint routes traffic from the VNet to the Azure Storage service over an optimal path. Administrators can then define network rules on the storage account that accept requests from particular subnets in the VNet. Clients allowed through these network rules must still satisfy the storage account's authorization requirements in order to access the data.
Available virtual network regions
In general, service endpoints connect virtual networks and service instances in the same Azure region. When used with Azure Storage, this scope extends to the paired region. Service endpoints therefore provide continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances: any network rule that permits access from a virtual network to a storage account also grants access to its RA-GRS instance.
When planning for disaster recovery after a regional outage, create the VNets in the paired region in advance. Then enable service endpoints for Azure Storage and add network rules that allow access from these alternative virtual networks.
Managing virtual network rules
For managing virtual network rules for storage accounts, use the Azure portal, PowerShell, or CLIv2.
Azure portal
- Firstly, go to the storage account you want to secure.
- Then, click on the settings menu called Firewalls and virtual networks.
- After that, check that you’ve selected to allow access from Selected networks.
- Fourthly, to grant access to a virtual network with a new network rule, under Virtual networks click Add existing virtual network, select the Virtual networks and Subnets options, and then click Add. To create a new virtual network and grant it access, click Add new virtual network.
- Then, to remove a virtual network or subnet rule, click … to open the context menu for the virtual network or subnet, and click Remove.
- Lastly, click Save to apply your changes.
Managing IP network rules
For managing IP network rules for storage accounts, use the Azure portal, PowerShell, or CLIv2.
Azure portal
- Firstly, go to the storage account you want to secure.
- Secondly, click on the settings menu called Firewalls and virtual networks.
- Thirdly, check that you’ve selected to allow access from Selected networks.
- Then, to grant access to an internet IP range, enter the IP address or address range under Firewall > Address Range.
- After that, to remove an IP network rule, click the trash can icon next to the address range.
- Lastly, click Save to apply your changes.
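To verify that a storage account actually ended up in the locked-down state the three procedures above describe (default action Deny, well-formed subnet rules, sane IP rules), the following added example audits the networkAcls block of a storage account's ARM representation. It is not code from the original page or from Microsoft; the sample JSON is constructed, the subscription id is a placeholder, and the key names are assumed to follow the Microsoft.Storage/storageAccounts networkAcls schema.

```python
import ipaddress
import json

# Constructed sample: networkAcls of a hardened account (placeholder ids).
HARDENED_ACLS = json.loads("""{
  "defaultAction": "Deny",
  "bypass": "AzureServices",
  "virtualNetworkRules": [
    {"id": "/subscriptions/<SUB_ID>/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web",
     "action": "Allow", "state": "Succeeded"}
  ],
  "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]
}""")

# Constructed sample: the portal default ("All networks") plus an IP rule that allows everyone.
OPEN_ACLS = {"defaultAction": "Allow", "virtualNetworkRules": [],
             "ipRules": [{"value": "0.0.0.0/0", "action": "Allow"}]}

# RFC 1918 ranges: Azure rejects these in IP rules, which only accept public internet addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_network_acls(acls: dict) -> list[str]:
    """Return findings; an empty list means the rule set matches the tutorial's target state."""
    findings = []
    # 1. The public endpoint must deny by default ("Selected networks" in the portal).
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: public endpoint accepts traffic from all networks")
    # 2. Each VNet rule must point at a subnet resource and have finished provisioning.
    for rule in acls.get("virtualNetworkRules", []):
        rid = rule.get("id", "")
        if "/providers/Microsoft.Network/virtualNetworks/" not in rid or "/subnets/" not in rid:
            findings.append(f"virtualNetworkRule does not reference a subnet: {rid!r}")
        if rule.get("state") not in (None, "Succeeded"):
            findings.append(f"virtualNetworkRule {rid} is in state {rule['state']} (service endpoint enabled?)")
    # 3. IP rules must parse as an address or CIDR, must not cover the whole internet,
    #    and must not be private ranges (those never match a request arriving from the internet).
    for rule in acls.get("ipRules", []):
        value = rule.get("value", "")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"ipRule has an invalid address or range: {value!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"ipRule {value} allows every IP address and negates the firewall")
        elif any(net.overlaps(private) for private in RFC1918):
            findings.append(f"ipRule {value} is a private (RFC 1918) range, which is not permitted")
    return findings
```

Feed it the networkAcls object from the account's ARM JSON (for example the output of an ARM or REST "get" on the storage account) and treat any finding as a deviation from the configuration the steps above produce.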
Reference: Microsoft Documentation