pallab asked deherman-MSFT commented

Firewall and Virtual Network Settings for Storage Account with a Pvt Link Connection

I have a query. I have configured a Storage Account with a Pvt Link in my subscription.

If you have a Storage Account configured with Pvt Link, I believe you don't need to configure Firewall access in that case? Is that correct? Right now, based on my ARM Template below, I have the setting in my storage account as shown in the screenshot. Do I need to ensure that "Allow Access From" is set to "Selected Networks"?

```json
"resources": [
    {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-01-01",
        "name": "[variables('blobstorageAccountName')]",
        "location": "[parameters('location')]",
        "sku": {
            "name": "[parameters('storageAccountType')]"
        },
        "kind": "StorageV2",
        "properties": {
            "minimumTlsVersion": "TLS1_2",
            "allowBlobPublicAccess": false
        }
    },
    {
        "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
        "apiVersion": "2018-09-01",
        "name": "[concat(variables('blobPrivateDNSZoneName'), '/link_to_', toLower(parameters('vnetName')))]",
        "location": "global",
        "dependsOn": [
            "[variables('blobPrivateDnsZoneId')]"
        ],
        "properties": {
            "registrationEnabled": false,
            "virtualNetwork": {
                "id": "[variables('vnetId')]"
            }
        }
    },
    {
        "type": "Microsoft.Network/privateEndpoints",
        "apiVersion": "2020-04-01",
        "name": "[variables('blobStorageAccountPrivateEndpointName')]",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[variables('blobStorageAccountId')]"
        ],
        "properties": {
            "privateLinkServiceConnections": [
                {
                    "name": "[variables('blobStorageAccountPrivateEndpointName')]",
                    "properties": {
                        "privateLinkServiceId": "[variables('blobStorageAccountId')]",
                        "groupIds": ["blob"]
                    }
                }
            ],
            "subnet": {
                "id": "[variables('subnetId')]"
            },
            "customDnsConfigs": [
                {
                    "fqdn": "[concat(variables('blobStorageAccountName'), variables('blobPublicDNSZoneForwarder'))]"
                }
            ]
        }
    },
    {
        "type": "Microsoft.Network/privateDnsZones",
        "apiVersion": "2018-09-01",
        "name": "[variables('blobPrivateDNSZoneName')]",
        "location": "global",
        "properties": {
            "maxNumberOfRecordSets": 25000,
            "maxNumberOfVirtualNetworkLinks": 1000,
            "maxNumberOfVirtualNetworkLinksWithRegistration": 100
        }
    },
    {
        "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
        "apiVersion": "2020-03-01",
        "name": "[variables('blobPrivateDnsZoneGroup')]",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[variables('blobPrivateDnsZoneId')]",
            "[variables('blobStorageAccountPrivateEndpointId')]"
        ],
        "properties": {
            "privateDnsZoneConfigs": [
                {
                    "name": "dnsConfig",
                    "properties": {
                        "privateDnsZoneId": "[variables('blobPrivateDnsZoneId')]"
                    }
                }
            ]
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/blobServices",
        "apiVersion": "2021-01-01",
        "name": "[toLower(concat(variables('blobstorageAccountName'), '/default'))]",
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('blobstorageAccountName'))]"
        ],
        "properties": {
            "isVersioningEnabled": true,
            "deleteRetentionPolicy": {
                "enabled": true,
                "days": 30
            },
            "changeFeed": {
                "enabled": true
            },
            "containerDeleteRetentionPolicy": {
                "enabled": true,
                "days": 30
            }
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
        "apiVersion": "2021-01-01",
        "name": "[concat(variables('blobstorageAccountName'), '/default/', parameters('containerPrefix'), copyIndex())]",
        "copy": {
            "name": "containercopy",
            "count": 2
        },
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('blobstorageAccountName'))]"
        ]
    }
],
```

Screenshot: /answers/storage/attachments/100664-screenshot.jpg



Appreciate a quick reply

Tags: azure-storage-accounts, azure-virtual-network

1 Answer

deherman-MSFT answered deherman-MSFT commented

@pallab
Yes, you should set Allow Access From to Selected Networks to disable access. Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account, which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link. The Azure storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely. More information can be found on the Configure Azure Storage firewalls and virtual networks page.

Hope this helps. Let us know if you have further questions or issues.


@deherman-MSFT Yes, I am using Private Endpoint at the moment, as you can see in my ARM template above.
What I wanted to know is: even after using Private Endpoint, do you still need to change the Storage Account setting to "Allow Access from Selected Networks"? Is that still required? That was what my question was all about.


@pallab
Yes, it is recommended that you change the firewall to "Allow Access from Selected Networks".
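As an added example (not code from the thread, from the asker's template, or from Microsoft), the script below checks an ARM template for exactly the gap discussed in this thread: a storage account that is the target of a private endpoint but whose public endpoint is still reachable because `networkAcls.defaultAction` was never set to `Deny`. The two template dicts are constructed, cut-down versions of the shape posted above; the names `stexample001`, `vnet-app` and `pe-stexample001-blob` are assumptions for the example, and the small `resolve()` helper evaluates only the `variables()`, `parameters()` and `resourceId()` forms used here, not the full ARM expression language. The hardened variant shows the `networkAcls` block that corresponds to "Selected networks" in the portal, with `bypass: AzureServices` keeping the trusted-services exception the answer mentions.

```python
"""Flag storage accounts whose public endpoint is still open even though a
private endpoint exists (constructed example, not code from the thread)."""
import re


def make_template(storage_properties):
    """Constructed template in the shape of the one in the question; all names are assumptions."""
    return {
        "parameters": {"vnetName": {"type": "string", "defaultValue": "vnet-app"}},
        "variables": {
            "blobstorageAccountName": "stexample001",
            "blobStorageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', "
                                    "variables('blobstorageAccountName'))]",
        },
        "resources": [
            {
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2021-01-01",
                "name": "[variables('blobstorageAccountName')]",
                "kind": "StorageV2",
                "properties": storage_properties,
            },
            {
                "type": "Microsoft.Network/privateEndpoints",
                "apiVersion": "2020-04-01",
                "name": "pe-stexample001-blob",
                "properties": {
                    "privateLinkServiceConnections": [{
                        "name": "pe-stexample001-blob",
                        "properties": {
                            "privateLinkServiceId": "[variables('blobStorageAccountId')]",
                            "groupIds": ["blob"],
                        },
                    }],
                },
            },
        ],
    }


# As posted: TLS 1.2 and no anonymous blob access, but no networkAcls, so the
# storage firewall keeps its default of "Allow" on the public endpoint.
AS_POSTED = make_template({"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": False})

# Hardened: defaultAction Deny closes the public endpoint ("Selected networks");
# bypass AzureServices keeps trusted platform services working.
HARDENED = make_template({
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "networkAcls": {
        "bypass": "AzureServices",
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": [],
    },
})


def resolve(value, template):
    """Evaluate the small subset of ARM expressions used above (variables, parameters, resourceId)."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1].strip()
    m = re.fullmatch(r"variables\('([^']+)'\)", expr)
    if m:  # variable names are case-insensitive in ARM, and a variable may itself be an expression
        variables = {k.lower(): v for k, v in template.get("variables", {}).items()}
        return resolve(variables[m.group(1).lower()], template)
    m = re.fullmatch(r"parameters\('([^']+)'\)", expr)
    if m:
        return template["parameters"][m.group(1)]["defaultValue"]
    m = re.fullmatch(r"resourceId\('([^']+)',\s*(.+)\)", expr)
    if m:
        return f"{m.group(1)}/{resolve('[' + m.group(2) + ']', template)}"
    raise ValueError(f"unsupported ARM expression: {expr}")


def privately_linked_storage_accounts(template):
    """Lower-cased names of storage accounts that some private endpoint in the template targets."""
    linked = set()
    for res in template["resources"]:
        if res["type"].lower() != "microsoft.network/privateendpoints":
            continue
        for conn in res["properties"].get("privateLinkServiceConnections", []):
            target = resolve(conn["properties"]["privateLinkServiceId"], template)
            if target.lower().startswith("microsoft.storage/storageaccounts/"):
                linked.add(target.rsplit("/", 1)[1].lower())
    return linked


def public_endpoint_findings(template):
    """Map account name -> finding for every storage account whose public endpoint is reachable.

    A private endpoint only adds a private IP; it does not close the public one.
    Only networkAcls.defaultAction == "Deny" does that, so that is what is checked.
    """
    linked = privately_linked_storage_accounts(template)
    findings = {}
    for res in template["resources"]:
        if res["type"].lower() != "microsoft.storage/storageaccounts":
            continue
        name = resolve(res["name"], template).lower()
        acls = res.get("properties", {}).get("networkAcls", {})
        action = acls.get("defaultAction", "Allow")  # ARM default when the block is omitted
        if action.lower() != "deny":
            findings[name] = (f"public endpoint open: networkAcls.defaultAction={action}; "
                              f"private endpoint present={name in linked}")
    return findings


if __name__ == "__main__":
    for label, tpl in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, "->", public_endpoint_findings(tpl) or "OK: public endpoint denied")
```

Run against the as-posted shape the check reports the account as open with a private endpoint present, which is the situation the answer warns about; against the hardened shape it reports nothing. Keep in mind that with `defaultAction: Deny` and no `virtualNetworkRules` or `ipRules`, clients reach the account only through the private endpoint (plus whatever `bypass` allows), so anything that still talks to the public FQDN, including the portal from outside the VNet, will start failing until it is routed through the private link.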