Configuring Azure Virtual Network Access


Azure Storage offers a layered security model. This model enables you to secure and control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks used. When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges, or from a list of subnets in an Azure Virtual Network (VNet).

Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account, which assign a private IP address from your VNet to the storage account and secure all traffic between your VNet and the storage account over a private link. The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely.

An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token.

Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

You can grant access to Azure services that operate from within a VNet by allowing traffic from the subnet hosting the service instance. You can also enable a limited number of scenarios through the Exceptions mechanism described below. To access data from the storage account through the Azure portal, you would need to be on a machine within the trusted boundary (either IP or VNet) that you set up.

Managing Default Virtual Network Access Rules

You can manage default network access rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  • Go to the storage account you want to secure.
  • Click on the settings menu called Firewalls and virtual networks.
  • To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.
  • Click Save to apply your changes.

PowerShell

  • Install the Azure PowerShell and sign in.
  • Display the status of the default rule for the storage account.

(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").DefaultAction

  • Set the default rule to deny network access by default.

Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny

  • Set the default rule to allow network access by default.

Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow


CLIv2

  • Install the Azure CLI and sign in.

  • Display the status of the default rule for the storage account.

az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.defaultAction

  • Set the default rule to deny network access by default.

az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny

  • Set the default rule to allow network access by default.

az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
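Because `az storage account show --query networkRuleSet` returns JSON, the check above can be automated across many accounts. The following Python is an added example (not from this page or from Microsoft) that evaluates one captured rule set; the sample rule set, subscription id, and resource names are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `az storage account show --query networkRuleSet`
# for an account whose default rule has been left at Allow.
SAMPLE_RULE_SET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
  "virtualNetworkRules": [
    {"action": "Allow", "state": "Succeeded",
     "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/app"}
  ]
}
""")


def assess_network_rule_set(rule_set: Dict) -> List[str]:
    """Return findings for one storage account's networkRuleSet; the first is the verdict."""
    findings: List[str] = []
    default_action = rule_set.get("defaultAction", "Allow")
    ip_rules = rule_set.get("ipRules") or []
    vnet_rules = rule_set.get("virtualNetworkRules") or []
    # `bypass` is a comma-separated string such as "AzureServices, Logging" or "None".
    bypass = [b.strip() for b in (rule_set.get("bypass") or "None").split(",")]

    if default_action == "Allow":
        # With Allow, every network is already permitted, so the firewall is effectively off.
        findings.append("FAIL: defaultAction is Allow; public endpoint reachable from all networks")
        if ip_rules or vnet_rules:
            findings.append("NOTE: IP/VNet allow rules have no effect while defaultAction is Allow")
    else:
        findings.append("PASS: defaultAction is Deny; %d IP rule(s) and %d VNet rule(s) allowed"
                        % (len(ip_rules), len(vnet_rules)))
        if not ip_rules and not vnet_rules:
            findings.append("NOTE: no IP or VNet rules; public endpoint closed except to bypassed services")

    for rule in vnet_rules:
        # A VNet rule whose provisioning did not finish is not granting access yet.
        if rule.get("state") != "Succeeded":
            findings.append("WARN: VNet rule %s is in state %s"
                            % (rule.get("virtualNetworkResourceId"), rule.get("state")))

    if "AzureServices" in bypass:
        findings.append("INFO: trusted Azure services bypass the network rules")
    return findings


if __name__ == "__main__":
    for finding in assess_network_rule_set(SAMPLE_RULE_SET):
        print(finding)
```

Pipe the real CLI output into `json.loads` in place of the constructed sample to audit a live account.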


Reference: Microsoft Documentation
