Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets

APPLIES TO: Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics

If you limit access to your storage account in Azure to certain VNets or services, you need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL databases or managed instances has access to that storage account.

Prerequisites

The SQL Vulnerability Assessment service needs permission to the storage account to save baseline and scan results. There are three methods:

  • Use Storage Account key: Azure derives a SAS key from the account key and saves the SAS key (the account key itself is not stored)
  • Use Storage SAS key: The SAS key must have Write | List | Read | Delete permissions
  • Use SQL Server managed identity: The SQL Server must have a managed identity, and the storage account must have a role assignment granting that managed identity the Storage Blob Data Contributor role. When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When the storage account is behind a firewall or virtual network, the SQL managed identity method is required.

When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as Storage Blob Data Contributor on the storage. If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method.

Enable Azure SQL Database VA scanning access to the storage account

If you have configured your VA storage account to only be accessible by certain networks or services, you'll need to ensure that VA scans for your Azure SQL Database are able to store the scans on the storage account. You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your logical SQL server.

Note

The vulnerability assessment service can't access storage accounts protected with firewalls or VNets if they require storage access keys.

Go to your Resource group that contains the storage account and access the Storage account pane. Under Settings, select Firewall and virtual networks.

Ensure that Allow trusted Microsoft services to access this storage account is checked.

Screenshot shows Firewall and virtual networks dialog box, with Allow trusted Microsoft services to access this storage account selected.

To find out which storage account is being used, go to your SQL server pane in the Azure portal, under Security, and then select Defender for Cloud.

Screenshot shows the Defender for Cloud pane used to set up vulnerability assessment.

Note

You can set up email alerts to notify users in your organization to view or access the scan reports. To do this, ensure that you have SQL Security Manager and Storage Blob Data Reader permissions.

Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet

Because Managed Instance is not a trusted Microsoft service and sits in a different VNet from the storage account, executing a VA scan results in an error unless the network path is configured explicitly.

To support VA scans on Managed Instances, follow the below steps:

  1. In the SQL managed instance pane, under the Overview heading, click the Virtual network/subnet link. This takes you to the Virtual network pane.


  2. Under Settings, select Subnets. Click Subnet in the new pane to add a subnet, and delegate it to Microsoft.Sql\managedInstance. For more information, see Manage subnets.

    Screenshot shows a subnet that has been delegated to Microsoft.Sql\managedInstance.

  3. In your Virtual network pane, under Settings, select Service endpoints. Click Add in the new pane, and add the Microsoft.Storage Service as a new service endpoint. Make sure the ManagedInstance Subnet is selected. Click Add.

    Screenshot shows Add service endpoints, where you add the Microsoft.Storage Service as an endpoint.

  4. Go to your Storage account that you've selected to store your VA scans. Under Settings, select Firewall and virtual networks. Click on Add existing virtual network. Select your managed instance virtual network and subnet, and click Add.

    Screenshot shows the Firewalls and virtual networks pane, which contains the Add existing virtual network link.

You should now be able to store your VA scans for Managed Instances in your storage account.

Troubleshoot common issues related to vulnerability assessment scans

Failure to save vulnerability assessment settings

You might not be able to save changes to vulnerability assessment settings if your storage account doesn't meet some prerequisites or if you have insufficient permissions.

Storage account requirements

The storage account in which vulnerability assessment scan results are saved must meet the following requirements:

  • Type: StorageV2 (General Purpose V2) or Storage (General Purpose V1)
  • Performance: Standard (only)
  • Region: The storage must be in the same region as the instance of Azure SQL Server.

If any of these requirements aren't met, saving changes to vulnerability assessment settings fails.
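The prerequisites above, the key-versus-managed-identity rule from the Prerequisites section, and the Managed Instance subnet steps can be checked before saving VA settings. The following preflight check is an added example, not Microsoft's code or tooling; its input dicts are constructed here to mirror the shape of `az storage account show` and `az network vnet subnet show` output, and those field names (networkRuleSet, virtualNetworkResourceId, serviceEndpoints, delegations) are an assumption about the CLI's JSON rather than something the article states.

```python
# Added preflight check (example code, not Microsoft's tooling) for a storage
# account meant to hold SQL Vulnerability Assessment results. The sample dicts
# below are constructed to mirror `az storage account show` / `az network vnet
# subnet show` output; the field names are an assumption, not from the article.

ALLOWED_KINDS = {"StorageV2", "Storage"}          # General Purpose V2 / V1
MI_DELEGATION = "Microsoft.Sql/managedInstances"  # portal shows Microsoft.Sql\managedInstance


def check_va_storage(storage, server_region, va_settings, mi_subnet=None):
    """Return a list of problems; an empty list means the prerequisites hold."""
    problems = []
    if storage["kind"] not in ALLOWED_KINDS:
        problems.append(f"kind {storage['kind']} is not StorageV2 or Storage")
    if storage["sku"]["tier"] != "Standard":
        problems.append("performance tier must be Standard")
    if storage["location"].lower() != server_region.lower():
        problems.append("storage account is not in the SQL server's region")

    acl = storage["networkRuleSet"]
    if acl["defaultAction"] != "Deny":
        return problems  # publicly reachable: no firewall/VNet rules to satisfy

    # Behind a firewall or VNet the key methods cannot be used, so the VA
    # settings must leave both key fields empty and rely on managed identity.
    if va_settings.get("storageContainerSasKey") or va_settings.get("storageAccountAccessKey"):
        problems.append("network-restricted storage requires managed identity; clear both key fields")

    if mi_subnet is None:
        # Azure SQL Database reaches the account through the trusted-services bypass.
        if "AzureServices" not in [b.strip() for b in acl["bypass"].split(",")]:
            problems.append("'Allow trusted Microsoft services' bypass is not enabled")
        return problems

    # Managed Instance is not a trusted service: its subnet must be delegated,
    # carry a Microsoft.Storage service endpoint, and be allowed in the firewall.
    if not any(d["serviceName"] == MI_DELEGATION for d in mi_subnet["delegations"]):
        problems.append("managed instance subnet is not delegated to Microsoft.Sql")
    if not any(e["service"] == "Microsoft.Storage" for e in mi_subnet["serviceEndpoints"]):
        problems.append("subnet lacks a Microsoft.Storage service endpoint")
    allowed = {r["virtualNetworkResourceId"].lower() for r in acl["virtualNetworkRules"]
               if r.get("action", "Allow") == "Allow"}
    if mi_subnet["id"].lower() not in allowed:
        problems.append("managed instance subnet is not in the storage firewall's VNet rules")
    return problems


# Constructed sample data (placeholder subscription and resource ids).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
             "/providers/Microsoft.Network/virtualNetworks/mi-vnet/subnets/mi-subnet")
MI_SUBNET = {"id": SUBNET_ID, "delegations": [{"serviceName": MI_DELEGATION}],
             "serviceEndpoints": [{"service": "Microsoft.Storage"}]}
STORAGE = {"kind": "StorageV2", "sku": {"tier": "Standard"}, "location": "westeurope",
           "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                              "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID,
                                                       "action": "Allow"}]}}
```

Feed it the real `--output json` of the two `az` commands (with the subnet argument omitted for Azure SQL Database) and an empty list means the settings should save and the scan should be able to write its results.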

Permissions

The following permissions are required to save changes to vulnerability assessment settings:

  • SQL Security Manager
  • Storage Blob Data Reader
  • Owner role on the storage account

Setting a new role assignment requires Owner or User Access Administrator access to the storage account and the following permissions:

  • Storage Blob Data Owner

Storage account isn't visible for selection in vulnerability assessment settings

The storage account might not appear in the storage account picker for several reasons:

  • The storage account you're looking for isn't in the selected subscription.
  • The storage account you're looking for isn't in the same region as the instance of Azure SQL Server.
  • You don't have Microsoft.Storage/storageAccounts/read permissions on the storage account.

You might not be able to open a link in a notification email about scan results or to view scan results if you don't have the required permissions or if you use a browser that doesn't support opening or displaying scan results.

Permissions

The following permissions are required to open links in email notifications about scan results or to view scan results:

  • SQL Security Manager
  • Storage Blob Data Reader

Browser requirements

The Firefox browser doesn't support opening or displaying the scan results view. We recommend that you use Chrome or Microsoft Edge to view vulnerability assessment scan results.
