An Azure storage account contains all of your Azure Storage data objects, including blobs, file shares, queues, tables, and disks. Data in your storage account is durable and highly available, secure, and massively scalable. A lot more can be learnt about storage accounts in Microsoft Azure documentation.
Securing access to Storage accounts at network layer
You can limit access to your storage account to requests originating from specified IP addresses, IP ranges, subnets in an Azure Virtual Network (VNet), or resource instances of some Azure services. And thats what is the focus of this article.
Azure offers two similar but distinct services to allow virtual network (VNet) resources to privately connect to other Azure services. Azure VNet Service Endpoints and Azure Private Endpoints (powered by Azure Private Link) both promote network security by allowing VNet traffic to communicate with service resources without going over the internet, but there are some differences.
Point to note is that these two secure ways to connect to Azure services are not limited to Azure Storage accounts. We will focus on how to use these services to secure access to Storage accounts in different scenarios.
Lets begin with brief introduction to each way of securing network access to Storage accounts.
A service endpoint allows VNet resources to use private IP addresses to connect to an Azure service’s public endpoint, meaning traffic flows to the service resource over the Azure backbone network — instead of over the internet. In effect, you are extending the identity of the VNet to the service resource. You can then lock down the service resource so it only accepts traffic from the subnet associated with the service endpoint.
Optionally, you can lock down the VNet as well by adding a network security group (NSG) to deny all outbound traffic except to the desired Azure service. With the right configuration, service endpoints enable you to secure service resources to your VNet, providing an extra layer of security.
For example, say you have a virtual machine (VM) in a VNet that needs to communicate with an Azure storage account. You can combine a service endpoint, storage account, and NSG so that traffic from a VM in a private subnet reaches the storage account without hitting the internet, the storage account blocks all traffic unless it’s from that subnet, and the NSG restricts outbound traffic from the subnet to the internet.
Azure Private Link is a service that allows virtual network resources to privately connect to other resources as if they were part of the same network, carrying traffic across the Microsoft Azure backbone instead of the internet.
To take advantage of this service, you create a private endpoint. A private endpoint is a network interface that provides a private IP address to a service that would normally only be accessible to a VNet via public IP address.
For instance, every storage account has a public endpoint that by default is open to clients on any network. With a private endpoint, you can assign the storage account a private IP address from a VNet, and a virtual machine (VM) in that VNet can access the storage account without going over the internet. This is powerful because it means you don’t need to use public IP addresses, either at the traffic source or destination. It’s as if you’re bringing the storage account inside the VNet.
Few common use cases
There can be N number of scenarios and we have limited ourselves to discuss few common ones. Here are 4 use cases to see what is the best solution for which scenario.
For restricting Storage account access to Private network, make sure access over internet is turned off . This setting is under “networking” of Storage account. We can switch off the public IP access by selecting “Selected Networks” and saving.
Assume that you need to enable the network access to Storage account A for Private Subnet (deafult) in virtual Network vnet-spok1 only. In such a case, you can enable service endpoint for this particular subnet (deafult) and that would allow private connections to Storage account from resources in subnet deafult.
If required, we can add subnethub1 of vnet-hub1 to selected networks and private connection from resources in subnethub1 will also be allowed to Storage account A.
The subnets in virtual networks within same region (that of storage account) can be added to “Selected networks” under “Firewall and virtual networks”, so Service endpoints can be used with subnets within same region (with or without vnet peering).
Assume that Virtual Network (vnet-hub1) in Region A has peering connection with Virtual Network in Region B (vnet-spoke3)
Hmmm…We see that we can add the subnet from Virtual Network in Region B (vnet-spoke3 ) as well in “Selected networks” under “Firewall and virtual networks”, that is because it has a peering connection with Virtual Network in Region A (vnet-hub1).
So that means we can add subnets in virtual networks in region same as that of Storage account to “Select networks” plus we can add subnets in virtual networks which have peering connection to virtual networks (even if this virtual network is not in “selected networks”) in region same as that of Storage account.
Assume your users who connect to the azure virtual network need access to Storage account A. Users have privileges to connect using Point to Site VPN.
Since Users` end devices have private IPs which are part of the VPN address space and are not part of any Virtual Network address space, its not possible to avail the service endpoint feature in this case.
Users` P2S VPN connection goes through VPN Gateway subnet, we can create a private endpoint in a subnet (subnethub1) which is part of the virtual network having Gateway subnet. So Storage account will be assigned a Private IP in subnet subnethub1 of Virtual network vnet-hub1. Default routes allow the traffic to flow freely within Azure Virtual network and we can use that in conjunction with private endpoint to provide storage account access to P2S VPN users.
Any subnet in a virtual network peered with the Virtual network having private endpoint, can use that private endpoint to connect to the storage account.
What if the storage account was in Region B as per diagram above (private endpoint diag1)?
On premise network and Virtual network vnet-hub1 are connected via site to site VPN, and we need to make sure the resources in virtual network vnet-spoke2 can access Storage account A.
We can leverage the same Private endpoint we created in last example to make this work. Reason being that private endpoint is in vnet-hub1 and VPN traffic, whether that is Point to Site VPN or Site to Site VPN is flowing through Gateway Subnet of Virtual network vnet-hub1 and that allows us to provide access to on-premise resources.
Things to know before you use service endpoints
A few tips to keep in mind about service endpoints:
Things to know before you use private endpoints
When should you use which?
Whether you use a service endpoint or private endpoint depends largely on the particulars of your use case.
Ultimately, as with all things network security, the endpoint type you choose is up to you and your specific use case.