Firewall and Virtual Network Settings for Storage Account with a Pvt Link Connection

Pallab Chakraborty 401 Reputation points
2021-05-28T17:50:44.383+00:00

I have a query. I have configured a Storage Account with a Pvt Link in my subscription.

If you have a Storage Account configured with Pvt Link, I believe you don't need to configure Firewall access in that case? Is that correct? Right now, based on my ARM Template below, I have the setting in my storage account as shown in the screenshot. Do I need to ensure that "Allow Access From" is set to "Selected Networks"?

```json
"resources": [
    {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-01-01",
        "name": "[variables('blobstorageAccountName')]",
        "location": "[parameters('location')]",
        "sku": {
            "name": "[parameters('storageAccountType')]"
        },
        "kind": "StorageV2",
        "properties": {
            "minimumTlsVersion": "TLS1_2",
            "allowBlobPublicAccess": false
        }
    },
    {
        "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
        "apiVersion": "2018-09-01",
        "name": "[concat(variables('blobPrivateDNSZoneName'), '/link_to_', toLower(parameters('vnetName')))]",
        "location": "global",
        "dependsOn": [
            "[variables('blobPrivateDnsZoneId')]"
        ],
        "properties": {
            "registrationEnabled": false,
            "virtualNetwork": {
                "id": "[variables('vnetId')]"
            }
        }
    },
    {
        "type": "Microsoft.Network/privateEndpoints",
        "apiVersion": "2020-04-01",
        "name": "[variables('blobStorageAccountPrivateEndpointName')]",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[variables('blobStorageAccountId')]"
        ],
        "properties": {
            "privateLinkServiceConnections": [
                {
                    "name": "[parameters('blobStorageAccountPrivateEndpointName')]",
                    "properties": {
                        "privateLinkServiceId": "[variables('blobStorageAccountId')]",
                        "groupIds": ["blob"]
                    }
                }
            ],
            "subnet": {
                "id": "[variables('subnetId')]"
            },
            "customDnsConfigs": [
                {
                    "fqdn": "[concat(variables('blobStorageAccountName'), variables('blobPublicDNSZoneForwarder'))]"
                }
            ]
        }
    },
    {
        "type": "Microsoft.Network/privateDnsZones",
        "apiVersion": "2018-09-01",
        "name": "[variables('blobPrivateDNSZoneName')]",
        "location": "global",
        "properties": {
            "maxNumberOfRecordSets": 25000,
            "maxNumberOfVirtualNetworkLinks": 1000,
            "maxNumberOfVirtualNetworkLinksWithRegistration": 100
        }
    },
    {
        "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
        "apiVersion": "2020-03-01",
        "name": "[variables('blobPrivateDnsZoneGroup')]",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[variables('blobPrivateDnsZoneId')]",
            "[variables('blobStorageAccountPrivateEndpointId')]"
        ],
        "properties": {
            "privateDnsZoneConfigs": [
                {
                    "name": "dnsConfig",
                    "properties": {
                        "privateDnsZoneId": "[variables('blobPrivateDnsZoneId')]"
                    }
                }
            ]
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/blobServices",
        "apiVersion": "2021-01-01",
        "name": "[toLower(concat(variables('blobstorageAccountName'), '/default'))]",
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('blobstorageAccountName'))]"
        ],
        "properties": {
            "isVersioningEnabled": true,
            "deleteRetentionPolicy": {
                "enabled": true,
                "days": 30
            },
            "changeFeed": {
                "enabled": true
            },
            "containerDeleteRetentionPolicy": {
                "enabled": true,
                "days": 30
            }
        }
    },
    {
        "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
        "apiVersion": "2021-01-01",
        "name": "[concat(variables('blobstorageAccountName'), '/default/', parameters('containerPrefix'), copyIndex())]",
        "copy": {
            "name": "containercopy",
            "count": 2
        },
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('blobstorageAccountName'))]"
        ]
    }
]
```

Appreciate a quick reply


Accepted answer

deherman-MSFT 33,141 Reputation points Microsoft Employee
2021-05-28T21:30:29.04+00:00

@Pallab Chakraborty
Yes, you should set Allow Access From to Selected Networks to disable access. Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account, which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link. The Azure storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely. More information can be found on the Configure Azure Storage firewalls and virtual networks page.

Hope this helps. Let us know if you have further questions or issues.

-------------------------------

Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
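What the accepted answer describes, expressed in the same ARM template style as the question, as an added example rather than code from either the question or the answer: the storage account resource posted above has no `networkAcls` block at all, which leaves the public endpoint at its default of "All networks" even though a private endpoint exists. The resource below keeps the question's variable and parameter names (`blobstorageAccountName`, `location`, `storageAccountType`) and adds a `networkAcls` block whose `defaultAction` of `Deny` is what the portal shows as "Selected networks"; `bypass` is left at `AzureServices` so the trusted platform services the answer mentions can still reach the account, and `virtualNetworkRules` and `ipRules` are deliberately empty so nothing but the private endpoint (and those bypassed services) can reach the data plane. The `supportsHttpsTrafficOnly` line is an assumption of this example, not something the original template set.

```json
{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2021-01-01",
    "name": "[variables('blobstorageAccountName')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "[parameters('storageAccountType')]"
    },
    "kind": "StorageV2",
    "properties": {
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "supportsHttpsTrafficOnly": true,
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices",
            "virtualNetworkRules": [],
            "ipRules": []
        }
    }
}
```

Two things to keep in mind once `defaultAction` is `Deny`: the firewall governs only the public endpoint, so traffic arriving through the private endpoint is unaffected by these rules, but anything that used to reach the account over the internet (the portal's data-plane blades, a CI agent, an operator's workstation) now fails unless it sits on a network routed to the private endpoint or is explicitly listed under `ipRules`. The `deploymentScripts`-style failures that sometimes follow a Deny default are therefore usually a sign that a client is still using the public endpoint, not that the private link is broken.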

