Is it possible to use an IP group with Azure storage container whitelisting?

Paraytset 5 Reputation points
2023-07-26T21:02:16.13+00:00

Greetings, community. I'm setting up a storage account that will be restricted to whitelisted public IPs. I only see the option to add IP addresses one at a time without any details about them, though.


Rather than add individual IPs, I'd like to have a group or something that enables me to add several external public IPs together and have information about them (e.g., IP x belongs to Jane Doe with company A).

Anyone know if this is possible/how to achieve this?

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2023-08-01T05:43:20.03+00:00

    @Paraytset Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    Apologies for the delayed response!

    To better understand the issue: do you want to enable this for "VMs in Azure with Service EndPoint"?

    Are you looking for IP Groups in Azure Firewall in Azure Storage account? I

    Yes, you can achieve the desired functionality by using Azure Application Security Groups (ASGs) in combination with Network Security Groups (NSGs) for your storage account in Microsoft Azure.

    Application Security Groups (ASGs) allow you to group multiple IP addresses together based on certain criteria. They provide a way to simplify network security rules by using named groups rather than individual IP addresses. By using ASGs, you can also add information about each IP, such as ownership and company, as you mentioned.

    Here's a step-by-step guide on how to set up this configuration:

    Step 1: Create Application Security Groups (ASGs)

    1. Go to the Azure portal and navigate to the "Networking" section.
    2. Click on "Application security groups."
    3. Create a new ASG and give it a name (e.g., "CompanyA-ASG").

    Step 2: Add IP addresses to the Application Security Group

    1. After creating the ASG, click on it to open its details page.
    2. Under "Settings," click on "IP configurations."
    3. Click on "Add IP configuration" and enter the details for each IP address, including the ownership and company information for each one.
    4. Repeat this step for each IP address you want to include in the ASG.

    Step 3: Create Network Security Groups (NSGs)

    1. Go back to the "Networking" section in the Azure portal.
    2. Click on "Network security groups."
    3. Create a new NSG and give it a name (e.g., "CompanyA-NSG").

    Step 4: Add inbound security rules using the Application Security Group

    1. After creating the NSG, click on it to open its details page.
    2. Under "Settings," click on "Inbound security rules."
    3. Click on "Add inbound security rule."
    4. Fill in the rule details, and in the "Source" field, select "Application security group" and choose the previously created "CompanyA-ASG."
    5. Configure other rule properties as per your requirements.
    6. Repeat this step for each rule you want to add.

    Step 5: Associate the Network Security Group with your Storage Account

    1. Navigate to your storage account in the Azure portal.
    2. In the left-hand menu, click on "Firewalls and virtual networks."
    3. Under "Virtual networks," click on "Selected networks."
    4. Click on "Add existing virtual network" and choose the virtual network where you have the NSG attached.

    By following these steps, you'll have a Network Security Group with inbound rules based on an Application Security Group, which contains multiple IP addresses along with their corresponding information like ownership and company details. This configuration will restrict access to your storage account only to the IP addresses specified in the Application Security Group.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
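
For the grouping with owner details that the question asks about, one option is to keep the annotated list in a file and render it into the storage account's firewall IP rules. The following is an added example, not code from the thread or from Microsoft. The CSV layout, the function names, and the account and resource group names passed to `az_commands` are assumptions; the sample addresses are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample inventory: documentation-range addresses, made-up owners.
INVENTORY_CSV = """\
cidr,owner,company
203.0.113.10/32,Jane Doe,Company A
198.51.100.0/24,Build agents,Company A
10.1.2.3,John Roe,Company B
192.0.2.8/31,VPN egress,Company B
"""

# Storage firewall IP rules take public addresses only; RFC 1918 space is refused.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_ip_rules(inventory_text):
    """Return (ipRules list, {rule value: owner note}, [(entry, reason)])."""
    rules, notes, rejected = [], {}, []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        entry = row["cidr"].strip()
        try:
            net = ipaddress.ip_network(entry)  # strict: host bits must be zero
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if net.version != 4:  # assumption: this example handles IPv4 only
            rejected.append((entry, "not IPv4"))
            continue
        if any(net.overlaps(p) for p in RFC1918):
            rejected.append((entry, "private (RFC 1918) range"))
            continue
        # /31 and /32 prefixes are not accepted as ranges: emit single addresses.
        values = [str(a) for a in net] if net.prefixlen >= 31 else [str(net)]
        for value in values:
            rules.append({"value": value, "action": "Allow"})
            notes[value] = f'{row["owner"]} ({row["company"]})'
    return rules, notes, rejected

def az_commands(rules, account, resource_group):
    """Render one `az storage account network-rule add` call per rule."""
    return [
        f"az storage account network-rule add --resource-group {resource_group} "
        f"--account-name {account} --ip-address {r['value']}"
        for r in rules
    ]
```

The owner notes stay in the inventory file, which can be version-controlled and reviewed; only the address values are pushed to the storage account.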