Azure Storage Account - Network Restrictions

Dan 1 Reputation point
2021-11-01T17:42:52.017+00:00

I have an Azure storage account that is accessed via shared access keys and then has a firewall in place limiting access to specific source IP addresses. This works fine for all locations that try and access it when testing, but when we try and access it from a server that is hosted in Azure, it doesn't work as expected. The Azure server has a static public IP and works fine, but when we add that IP to the list of permitted IPs, it can't talk to it. To test, we removed the restrictions and checked the logs, and can confirm that we see the requests hitting the storage account and the source IP listed is the internal IP of the server in Azure (from its private VNET) and not the public IP we would expect.

The server is in a different company's account; it's not managed by us.

Has anyone ever seen anything like this before?


1 answer

    Andriy Bilous 10,901 Reputation points MVP
    2021-11-02T10:40:25.657+00:00

    Hello @thedanofUK

    To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint, by default. Then, you should configure rules that grant access to traffic from specific VNets. You can also configure rules to grant access to traffic from selected public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration enables you to build a secure network boundary for your applications.

    You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.

    The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-a-virtual-network
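    The sequence the answer describes (deny by default, then allow one subnet via a virtual network rule), written out in Azure CLI as an added example that is not part of the original answer. All resource names and the subnet resource ID are placeholders; the client subnet is given as a full resource ID because, as the answer notes, it may belong to a VNet in another subscription or tenant. With DRY_RUN=1 (the default) the script only prints the az commands, so it can be reviewed before anything is changed.

```shell
#!/usr/bin/env sh
# Added example, not part of the original answer: lock a storage account's
# public endpoint down to one client subnet with Azure CLI. Every resource
# name below is a placeholder. DRY_RUN=1 (the default) prints each az command
# instead of running it, so the sequence can be reviewed first.

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-storage-placeholder}"        # placeholder resource group of the storage account
ACCOUNT="${ACCOUNT:-stplaceholder001}"    # placeholder storage account name
# Client VM's subnet as a full resource ID, so it may sit in another
# subscription or tenant, as the answer notes. Placeholder values throughout.
CLIENT_SUBNET_ID="${CLIENT_SUBNET_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-client-placeholder/providers/Microsoft.Network/virtualNetworks/vnet-client/subnets/snet-app}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: deny everything on the public endpoint unless a rule allows it.
deny_by_default() {
  run az storage account update \
    --resource-group "$RG" --name "$ACCOUNT" \
    --default-action Deny
}

# Step 2: enable the Microsoft.Storage service endpoint on the client subnet.
# This runs against the subnet's own subscription, so the VNet owner has to
# do it when the client sits in another company's account.
enable_storage_endpoint() {
  run az network vnet subnet update \
    --ids "$CLIENT_SUBNET_ID" \
    --service-endpoints Microsoft.Storage
}

# Step 3: add a virtual network rule for that subnet on the storage account.
allow_client_subnet() {
  run az storage account network-rule add \
    --resource-group "$RG" --account-name "$ACCOUNT" \
    --subnet "$CLIENT_SUBNET_ID"
}

# Verification: list the subnet IDs currently allowed by VNet rules.
list_vnet_rules() {
  run az storage account network-rule list \
    --resource-group "$RG" --account-name "$ACCOUNT" \
    --query "virtualNetworkRules[].virtualNetworkResourceId" --output tsv
}

# Whole sequence in order; in dry-run mode this just prints four commands.
lock_down() {
  deny_by_default
  enable_storage_endpoint
  allow_client_subnet
  list_vnet_rules
}

lock_down
```

    Only step 2 needs to run in the subscription that owns the client VNet; steps 1 and 3 run against the storage account's subscription. The reason a VNet rule rather than an IP rule is the right tool here is the behaviour the question observes: traffic from an Azure VM reaches the storage account carrying its private address, and Azure's documentation states that IP network rules have no effect on requests originating from the same region as the storage account, so the public IP in the allow list is never matched.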
