Azure backbone network traffic allow access to storage account

Question

Hi,

We should allow access to storage account from Dynamics 365 Microsoft managed environment, the access must be granted to blob storage account.

The problem is when we try to access storage account in same Azure region the connection from Dynamics 365 Microsoft managed environment going to storage account directly using Azure backbone, if we have firewall enabled on the storage account, we can't allow traffic using rules to whitelist "Azure backbone" IP's because they are private.

Is it any other solution to whitelist traffic from Dynamics 365 Microsoft managed environment to storage account?

Answer 1

Hi Vladimiras Jakovlevas - Thanks for reaching out over Q&A Forum.

Yes, if the client (herein D365) and the storage account are in same region, the calls shall flow via internal backbone which will have Private IP's. Since that can't be whitelisted, the call might tend to fail with IP Authorization errors.

One of the suggestion is the have client part of a VNET (if feasible) and then whitelist the VNET on the storage account level.

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#trusted-access-for-resources-registered-in-your-subscription

Please let us know if you have any further queries. I’m happy to assist you further.    

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Yes VNET should be fine, but I can't define VNET for the Microsoft managed D365 environment, any other ideas?

Answer 3

Hello Vladimiras Jakovlevas,

Greetings! Welcome to Microsoft Q&A Platform.

To allow access from a Dynamics 365 Microsoft managed environment to an Azure Blob Storage account, especially when dealing with firewall restrictions and private IPs, you can consider using Azure Private Link. Azure Private Link provides private connectivity from a virtual network to Azure services like Azure Storage, effectively bringing the service into your private network.

Azure Storage provides a layered security model. This model enables you to control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources that you use.

A best approach to achieve this is by creating a Private Endpoint for your Azure Storage account, which assigns a private IP address from your virtual network to the storage account then configure the DNS to ensure that the private endpoint is properly resolved within your Dynamics 365 environment. Update your firewall rules to allow traffic from the private endpoint associated with your Dynamics 365 environment.

By doing this, you can ensure that the traffic from Dynamics 365 to the Azure Storage account stays within the Azure network, bypassing the need to whitelist Azure backbone IPs. This method also enhances security by keeping data transfer off the public internet.

refer - https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal for detailed guidance.

Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

---

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.