Many Azure services have very granular, layered controls for access. One of the more powerful controls is selecting which networks can access a service. For Azure storage accounts, access can be granted to a specific list of networks. In this post, I’m going to show how you can secure an Azure storage account to specific networks.

By default, Azure storage accounts are permitted to be accessible from all networks. This is shown in the figure below:

While it works from everywhere with the right authentication – access from everywhere is not ideal.

I am going to add an Internet IP address, which for this storage account is going to a lab for this data to into the storage account (as blobs). The figure below shows one address added:

Let’s get granular, by IP.

External Internet access is an important step to access Azure storage accounts from the on-premises world, but it is important to consider access within Azure. Storage accounts can also be configured for access from virtual networks in an Azure subscription. I have one virtual network, rwv0useast0virtualnetwork4, that I would also like to provision access to this storage account.

The figure below shows the rwv0useast0virtualnetwork4 virtual network being enabled for access to this storage account:

Virtual networks in Azure can play too, if they have the golden ticket here.

There are a few important considerations for this access, however. The first is that the virtual network must have an Azure Service Endpoint associated with it from the storage account perspective. This will ensure that the storage account’s security configuration in regards to the network access will apply correctly to the virtual network in Azure. Also make sure that the subnet is associated with a network security group (or you will get a warning in Azure Advisor later!) This configuration is shown below:

You can set the storage account access with the granularity you need.

After this is configured, it does can up to 15 minutes for the association to be fully set in the storage administration view. So, if you do enable this type of access set it up and then make sure all of the configuration looks right.

In this example, I’ve added two IP addresses for public Internet access as well as one virtual network. Now would be a good time for me to test application access for the public IP addresses. And after that configuration has set, now would be a good time to re-run Azure Advisor recommendations and check Azure Security Center to see if any configuration change has made unforeseen changes to other services. My “can’t emphasize this enough” tip of the day is to start and end every login into the Azure portal at the Azure Advisor to see if your changes of the day caused any unforeseen recommendation changes, especially as the best practices and service capabilities continue to change, impacting the recommendations.

Have you set network access for Azure storage accounts? If so, what are the steps you have done if different? Share your comments below.

Advertisements