Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal

Virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide direct connection from your virtual network to supported Azure services, allowing you to use your virtual network's private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Microsoft Azure backbone network.

Diagram of Azure resources created in tutorial.

In this tutorial, you learn how to:

  • Create a virtual network with one subnet
  • Add a subnet and enable a service endpoint
  • Create an Azure resource and allow network access to it from only a subnet
  • Deploy a virtual machine (VM) to each subnet
  • Confirm access to a resource from a subnet
  • Confirm access is denied to a resource from a subnet and the internet

This tutorial uses the Azure portal. You can also complete it using the Azure CLI or PowerShell.

Prerequisites

Sign in to Azure

Sign in to the Azure portal.

Create a virtual network and an Azure Bastion host

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and a Bastion host:

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg for the name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select East US 2.

    Screenshot of the Basics tab for creating a virtual network in the Azure portal.

  4. Select Next to proceed to the Security tab.

  5. In the Azure Bastion section, select Enable Bastion.

    Bastion uses your browser to connect to VMs in your virtual network over Secure Shell (SSH) or Remote Desktop Protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information, see What is Azure Bastion?.

    Note

    Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  6. In Azure Bastion, enter or select the following information:

    Setting Value
    Azure Bastion host name Enter bastion.
    Azure Bastion public IP address Select Create a public IP address.
    Enter public-ip-bastion in Name.
    Select OK.

    Screenshot of options for enabling an Azure Bastion host as part of creating a virtual network in the Azure portal.

  7. Select Next to proceed to the IP Addresses tab.

  8. In the address space box in Subnets, select the default subnet.

  9. In Edit subnet, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default of Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24 (256 addresses).

    Screenshot of configuration details for a subnet.

  10. Select Save.

  11. Select Review + create at the bottom of the window. When validation passes, select Create.

Enable a service endpoint

Service endpoints are enabled per service, per subnet.

  1. In the search box at the top of the portal page, search for Virtual network. Select Virtual networks in the search results.

  2. In Virtual networks, select vnet-1.

  3. In the Settings section of vnet-1, select Subnets.

  4. Select + Subnet.

  5. On the Add subnet page, enter or select the following information:

    Setting Value
    Name subnet-private
    Subnet address range Leave the default of 10.0.2.0/24.
    SERVICE ENDPOINTS
    Services Select Microsoft.Storage
  6. Select Save.

Caution

Before enabling a service endpoint for an existing subnet that has resources in it, see Change subnet settings.

Restrict network access for a subnet

By default, all virtual machine instances in a subnet can communicate with any resources. You can limit communication to and from all resources in a subnet by creating a network security group, and associating it to the subnet.

  1. In the search box at the top of the portal page, search for Network security group. Select Network security groups in the search results.

  2. In Network security groups, select + Create.

  3. In the Basics tab of Create network security group, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Name Enter nsg-storage.
    Region Select East US 2.
  4. Select Review + create, then select Create.

Create outbound NSG rules

  1. In the search box at the top of the portal page, search for Network security group. Select Network security groups in the search results.

  2. Select nsg-storage.

  3. Select Outbound security rules in Settings.

  4. Select + Add.

  5. Create a rule that allows outbound communication to the Azure Storage service. Enter or select the following information in Add outbound security rule:

    Setting Value
    Source Select Service Tag.
    Source service tag Select VirtualNetwork.
    Source port ranges Leave the default of *.
    Destination Select Service Tag.
    Destination service tag Select Storage.
    Service Leave default of Custom.
    Destination port ranges Enter 445.
    SMB protocol is used to connect to a file share created in a later step.
    Protocol Select Any.
    Action Select Allow.
    Priority Leave the default of 100.
    Name Enter allow-storage-all.

    Screenshot of creating an outbound security to access storage.

  6. Select + Add.

  7. Create another outbound security rule that denies communication to the internet. This rule overrides a default rule in all network security groups that allows outbound internet communication. Complete the previous steps with the following values in Add outbound security rule:

    Setting Value
    Source Select Service Tag.
    Source service tag Select VirtualNetwork.
    Source port ranges Leave the default of *.
    Destination Select Service Tag.
    Destination service tag Select Internet.
    Service Leave default of Custom.
    Destination port ranges Enter *.
    Protocol Select Any.
    Action Select Deny.
    Priority Leave the default 110.
    Name Enter deny-internet-all.

    Screenshot of creating an outbound security to block internet access.

  8. Select Add.

Associate the network security group to a subnet

  1. In the search box at the top of the portal page, search for Network security group. Select Network security groups in the search results.

  2. Select nsg-storage.

  3. Select Subnets in Settings.

  4. Select + Associate.

  5. In Associate subnet, select vnet-1 in Virtual network. Select subnet-private in Subnet.

    Screenshot of private subnet associated with network security group.

  6. Select OK.

Restrict network access to a resource

The steps required to restrict network access to resources created through Azure services, which are enabled for service endpoints vary across services. See the documentation for individual services for specific steps for each service. The rest of this tutorial includes steps to restrict network access for an Azure Storage account, as an example.

Create a storage account

Create an Azure Storage account for the steps in this article. If you already have a storage account, you can use it instead.

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. Select + Create.

  3. On the Basics tab of Create a storage account, enter or select the following information:

    Setting Value
    Project Details
    Subscription Select your Azure subscription.
    Resource Group Select test-rg.
    Instance details
    Storage account name Enter storage1. If the name is unavailable, enter a unique name.
    Location Select (US) East US 2.
    Performance Leave the default Standard.
    Redundancy Select Locally-redundant storage (LRS).
  4. Select Review.

  5. Select Create.

Create a file share in the storage account

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. In Storage accounts, select the storage account you created in the previous step.

  3. In Data storage, select File shares.

  4. Select + File share.

  5. Enter or select the following information in New file share:

    Setting Value
    Name Enter file-share.
    Tier Leave the default of Transaction optimized.
  6. Select Next: Backup.

  7. Deselect Enable backup.

  8. Select Review + create, then select Create.

Restrict network access to a subnet

By default, storage accounts accept network connections from clients in any network, including the internet. You can restrict network access from the internet, and all other subnets in all virtual networks (except the subnet-private subnet in the vnet-1 virtual network.)

To restrict network access to a subnet:

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. Select your storage account.

  3. In Security + networking, select Networking.

  4. In the Firewalls and virtual networks tab, select Enabled from selected virtual networks and IP addresses in Public network access.

  5. In Virtual networks, select + Add existing virtual network.

  6. In Add networks, enter or select the following information:

    Setting Value
    Subscription Select your subscription.
    Virtual networks Select vnet-1.
    Subnets Select subnet-private.

    Screenshot of restriction of storage account to the subnet and virtual network created previously.

  7. Select Add.

  8. Select Save to save the virtual network configurations.

    Screenshot of storage account screen and confirmation of subnet restriction.

Create virtual machines

To test network access to a storage account, deploy a virtual machine to each subnet.

Create test virtual machine

The following procedure creates a test virtual machine (VM) named vm-1 in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. On the Basics tab of Create a virtual machine, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-1.
    Region Select East US 2.
    Availability options Select No infrastructure redundancy required.
    Security type Leave the default of Standard.
    Image Select Windows Server 2022 Datacenter - x64 Gen2.
    VM architecture Leave the default of x64.
    Size Select a size.
    Administrator account
    Authentication type Select Password.
    Username Enter azureuser.
    Password Enter a password.
    Confirm password Reenter the password.
    Inbound port rules
    Public inbound ports Select None.
  4. Select the Networking tab at the top of the page.

  5. Enter or select the following information in the Networking tab:

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select Create new.
    Enter nsg-1 for the name.
    Leave the rest at the defaults and select OK.
  6. Leave the rest of the settings at the defaults and select Review + create.

  7. Review the settings and select Create.

Note

Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure Virtual Network NAT gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Create the second virtual machine

  1. Repeat the steps in the previous section to create a second virtual machine. Replace the following values in Create a virtual machine:

    Setting Value
    Virtual machine name Enter vm-private.
    Subnet Select subnet-private.
    Public IP Select None.
    NIC network security group Select None.

    Warning

    Do not continue to the next step until the deployment is completed.

Confirm access to storage account

The virtual machine you created earlier that is assigned to the subnet-private subnet is used to confirm access to the storage account. The virtual machine you created in the previous section that is assigned to the subnet-1 subnet is used to confirm that access to the storage account is blocked.

Get storage account access key

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. In Storage accounts, select your storage account.

  3. In Security + networking, select Access keys.

  4. Copy the value of key1. You may need to select the Show button to display the key.

    Screenshot of storage account access key.

  5. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  6. Select vm-private.

  7. Select Bastion in Operations.

  8. Enter the username and password you specified when creating the virtual machine. Select Connect.

  9. Open Windows PowerShell. Use the following script to map the Azure file share to drive Z.

    • Replace <storage-account-key> with the key you copied in the previous step.

    • Replace <storage-account-name> with the name of your storage account. In this example, it's storage8675.

     $key = @{
         String = "<storage-account-key>"
     }
     $acctKey = ConvertTo-SecureString @key -AsPlainText -Force
    
     $cred = @{
         ArgumentList = "Azure\<storage-account-name>", $acctKey
     }
     $credential = New-Object System.Management.Automation.PSCredential @cred
    
     $map = @{
         Name = "Z"
         PSProvider = "FileSystem"
         Root = "\\<storage-account-name>.file.core.windows.net\file-share"
         Credential = $credential
     }
     New-PSDrive @map
    

    PowerShell returns output similar to the following example output:

    Name        Used (GB)     Free (GB) Provider      Root
    ----        ---------     --------- --------      ----
    Z                                      FileSystem    \\storage8675.file.core.windows.net\f...
    

    The Azure file share successfully mapped to the Z drive.

  10. Close the Bastion connection to vm-private.

Confirm access is denied to storage account

From vm-1

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. Select Bastion in Operations.

  4. Enter the username and password you specified when creating the virtual machine. Select Connect.

  5. Repeat the previous command to attempt to map the drive to the file share in the storage account. You may need to copy the storage account access key again for this procedure:

    $key = @{
        String = "<storage-account-key>"
    }
    $acctKey = ConvertTo-SecureString @key -AsPlainText -Force
    
    $cred = @{
        ArgumentList = "Azure\<storage-account-name>", $acctKey
    }
    $credential = New-Object System.Management.Automation.PSCredential @cred
    
    $map = @{
        Name = "Z"
        PSProvider = "FileSystem"
        Root = "\\<storage-account-name>.file.core.windows.net\file-share"
        Credential = $credential
    }
    New-PSDrive @map
    
  6. You should receive the following error message:

    New-PSDrive : Access is denied
    At line:1 char:5
    +     New-PSDrive @map
    +     ~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
        + FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
    
  7. Close the Bastion connection to vm-1.

From a local machine:

  1. In the search box at the top of the portal, enter Storage account. Select Storage accounts in the search results.

  2. In Storage accounts, select your storage account.

  3. In Data storage, select File shares.

  4. Select file-share.

  5. Select Browse in the left-hand menu.

  6. You should receive the following error message:

    Screenshot of access denied error message.

Note

The access is denied because your computer isn't in the subnet-private subnet of the vnet-1 virtual network.

Clean up resources

When you finish using the resources that you created, you can delete the resource group and all its resources:

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

Next steps

In this tutorial:

  • You enabled a service endpoint for a virtual network subnet.

  • You learned that you can enable service endpoints for resources deployed from multiple Azure services.

  • You created an Azure Storage account and restricted the network access to the storage account to only resources within a virtual network subnet.

To learn more about service endpoints, see Service endpoints overview and Manage subnets.

If you have multiple virtual networks in your account, you may want to establish connectivity between them so that resources can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.