Recently, when building content for one of my upcoming courses, Microsoft Azure Architect Technologies – Exam AZ-300, I found the Microsoft documentation wasn’t immediately clear on the exclusivity of Storage Account Firewalls and Service Endpoints. Do I need to use them together, or can they be used completely independently of one another? As always, once we take a look under the hood, with the help of a test environment, it becomes much clearer how things actually work. This article shares some of the key lessons I learnt along the way.

Do I need to use Service Endpoints and the Storage Firewall together?

When configuring Storage Account Firewalls, we don’t have to configure a Service Endpoint. Similarly, when we configure a Service Endpoint for storage, it doesn’t require a Storage Firewall rule for the secure/private connectivity to work. These are two complementary features. Let’s take a closer look at why.

Service Endpoints

If we start with Service Endpoints, it helps to understand that a Service Endpoint is actually a property of the virtual network, configured per subnet. Here is how we could configure it:
What we have actually done is enable a new route via the Microsoft backbone, so traffic to Azure Storage avoids the public Internet entirely. If you had a NIC in that subnet and looked at its effective routes, you would see something like this: This means that devices attached to subnet 1 no longer traverse the public Internet to reach Microsoft storage.
Storage Account Firewalls

Next, let’s say we want to protect a Storage Account at the network layer. More specifically, we want to restrict access to a specific Storage Account and only allow trusted IPs. We could do this using Storage Account Firewalls. Here is an example of how we could configure this:
When we enable the Firewall, the first change to the Storage Account configuration is the addition of a default “deny” rule. This can be seen more clearly through Resource Explorer (https://resources.azure.com): Nothing is allowed to access the Storage Account except services we exempt or IP addresses we whitelist. Also, note that we cannot whitelist private IP addresses, only public ones.
Should we use one or both features?

The default deny rule is why the two features can sometimes sound like they both need to be enabled at the same time. If we do enable the Storage Account Firewall and still want resources within a VNet to have access, then we have two options:
However, there is nothing stopping us from using either of the features by itself. We can use the Service Endpoint just for optimized routing, or we can use the Storage Firewall on its own to lock down network access.
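To make the interaction concrete, here is an added example (a teaching model written for this article, not code from the original post or from Azure): a small Python simulation of the networkAcls block, showing the default deny that appears when the firewall is enabled, the public-IP-only whitelist, and a VNet rule that only works when the subnet carries the Microsoft.Storage service endpoint. The subnet resource IDs and the endpoint table are constructed placeholders.

```python
import ipaddress

# Constructed model of the "networkAcls" block Resource Explorer shows on a Storage
# Account. Property names mirror the ARM resource, but the evaluation logic is a
# simplified teaching model (assumption), not Azure's own implementation.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical subnet resource IDs (placeholders) and each subnet's service endpoints.
SUBNET1 = "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1"
SUBNET2 = "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet2"
SERVICE_ENDPOINTS = {SUBNET1: ("Microsoft.Storage",), SUBNET2: ()}

def default_acls():
    """Before the firewall is enabled every network is allowed."""
    return {"bypass": "AzureServices", "ipRules": [],
            "virtualNetworkRules": [], "defaultAction": "Allow"}

def enable_firewall(acls):
    """Enabling the firewall is what adds the default deny rule."""
    acls["defaultAction"] = "Deny"
    return acls

def add_ip_rule(acls, cidr):
    """Whitelist a public IPv4 address or range; RFC1918 ranges are rejected."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or any(net.network_address in p for p in RFC1918):
        raise ValueError(f"{cidr}: only public IPv4 addresses can be whitelisted")
    acls["ipRules"].append({"value": cidr, "action": "Allow"})
    return acls

def add_vnet_rule(acls, subnet_id):
    """A VNet rule only works if the subnet has the Microsoft.Storage endpoint."""
    if "Microsoft.Storage" not in SERVICE_ENDPOINTS.get(subnet_id, ()):
        raise ValueError(f"{subnet_id}: needs a Microsoft.Storage service endpoint")
    acls["virtualNetworkRules"].append({"id": subnet_id, "action": "Allow"})
    return acls

def is_allowed(acls, source_ip=None, subnet_id=None, trusted_service=False):
    """Evaluate one request: default action, bypass, VNet rules, then IP rules.
    Traffic arriving over a service endpoint is identified by subnet_id, not IP."""
    if acls["defaultAction"] == "Allow":
        return True
    if trusted_service and "AzureServices" in acls["bypass"]:
        return True
    if subnet_id in {r["id"] for r in acls["virtualNetworkRules"]}:
        return True
    if source_ip is not None:
        ip = ipaddress.ip_address(source_ip)
        if any(ip in ipaddress.ip_network(r["value"], strict=False) for r in acls["ipRules"]):
            return True
    return False
```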
If you are looking for more info, feel free to reach out to me in the community or on social media, or check out the AZ-300 course recently released in preview. The new AZ-300 Azure Architect Technologies course covers this and much more. As always, folks, I hope this helps!