Storage Account Firewall Options & Overall Security

Erin Dempster 21 Reputation points
2020-09-15T13:48:25.797+00:00

I'm going through a stretch of final testing of our Azure environment, and recently, I had to change the firewall settings on the main storage account from Selected Networks to All Networks to allow Automation runbooks access to files. Still being fairly new to Azure, this makes me a little nervous. Consequently, I want to raise some questions, in hope my fears can be calmed.

1) Opening the firewall to All Networks appears to be the only way to allow runbooks access. Is that the case, or are there known, alternate solutions to keep the firewall set to Selected Networks (but also relatively easy and straightforward to maintain)?

2) Regardless of the firewall settings, I still have to use AAD authentication in PowerShell or use a storage access key to access the account. If I were to be storing PII (personally identifiable information) in the storage account, are there other measures I need to take to properly secure the data?

3) When I had Selected Networks chosen, storage traffic from on-premises was flowing through the site-to-site VPN. After the change, traffic is being routed over the Internet. Is there a way to get back to traffic going through the VPN?

Hoping someone has more knowledge than I and will see this (it doesn't take much to have more knowledge than I :-) ).

Thanks,
Erin


Accepted answer
    deherman-MSFT 34,691 Reputation points Microsoft Employee
    2020-09-15T18:48:10.687+00:00

    1) There is currently a preview for Azure Automation Private Link. However, as part of the preview release, an Automation account cannot access Azure resources that are secured using private endpoint, such as a Storage Account. Another option which might work for you is to use a Hybrid Worker Group in Azure Automation. The systems can be your physical systems that can reach Azure or your Azure VMs. You can then grant access to the IP addresses that are in your Hybrid Runbook Worker group.

    2) There are far too many security recommendations to cover in a single post. I would recommend you read through our Security recommendations for Blob storage. As well as Azure Security Baseline for Azure Storage to make sure there is not something you have overlooked.

    3) Using the Hybrid Worker Group as suggested above would work. Another option is setting up a private endpoint for Azure Storage.

    I hope this information helps! Let me know if you have further questions or issues.


    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
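The accepted answer's alternative to opening the account to All Networks is to keep the firewall on Selected Networks and grant access only to the Hybrid Runbook Worker addresses (plus a private endpoint or VNet rule for the VPN-connected side). The following Az PowerShell script is an added example written for this thread; it is not code from the original post or from Microsoft, and every resource name and IP address in it is a placeholder. It sets the account to default-deny, adds explicit IP and subnet rules, applies the transport settings relevant to question 2, and then verifies that the account is no longer open to all networks.

```powershell
# Added example, not from the original Q&A. Keeps the storage account firewall on
# "Selected networks" and allows only the Hybrid Runbook Worker addresses and the
# subnet hosting Azure-VM workers, instead of switching to "All networks".
# Requires the Az.Storage and Az.Network modules (Connect-AzAccount first).
# All names and addresses below are placeholders; replace them with your own.

$rg      = "rg-placeholder"            # resource group of the storage account
$account = "stplaceholder"             # storage account name
$vnetRg  = "rg-network-placeholder"    # resource group of the VNet
$vnet    = "vnet-placeholder"          # VNet containing Azure-VM hybrid workers
$subnet  = "snet-hybrid-workers"       # subnet with the Microsoft.Storage service endpoint enabled

# Public egress IPs (or CIDR ranges) of on-premises Hybrid Runbook Workers.
# Constructed sample values from the documentation range 203.0.113.0/24.
# Storage IP rules accept public addresses only, not RFC 1918 ranges.
$workerIps = @("203.0.113.10", "203.0.113.11")

# 1. Default-deny. Keep the trusted-services bypass so Azure platform services
#    (for example diagnostics) can still reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices

# 2. Allow each worker's public IP explicitly.
foreach ($ip in $workerIps) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange $ip
}

# 3. Allow the subnet that hosts Azure-VM hybrid workers via a virtual network rule.
$vnetObj   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnet
$subnetObj = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetObj -Name $subnet
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetObj.Id

# 4. Transport hardening relevant to storing PII (question 2):
#    HTTPS only, TLS 1.2 minimum, and no anonymous blob access.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# 5. Verify the result and fail loudly if the account is still open to all networks.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
if ($rules.DefaultAction -ne "Deny") {
    throw "Storage account '$account' still allows all networks."
}
"Default action : $($rules.DefaultAction)"
"IP rules       : $($rules.IpRules.IPAddressOrRange -join ', ')"
"VNet rules     : $($rules.VirtualNetworkRules.VirtualNetworkResourceId -join ', ')"
```

Two caveats worth knowing before relying on this: storage firewall IP rules do not apply to traffic originating from Azure services in the same region as the account, so workers running on Azure VMs in that region should be admitted through the subnet rule (step 3) rather than an IP rule; and the `-MinimumTlsVersion` and `-AllowBlobPublicAccess` parameters need a reasonably current Az.Storage module, so update the module if `Set-AzStorageAccount` rejects them. Re-running the verification in step 5 after any portal change is a cheap way to catch the account drifting back to All Networks.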

