Storage account public access

Balaji Shinde 20 Reputation points
2023-11-21T07:05:16.1166667+00:00

Hi Team,

We have deployed an Azure function by following https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/atlassian-confluence-audit-using-azure-functions article, to get the our Confluence Audit logs into log analytic workspace, we are getting the logs properly. But, in the process of Azure function deployment it has created a storage account, the storage account has Public network access enabled, if we disable the public access, the Audit logs stops coming. Is there a way to restrict public access on storage account and still receive the Confluence Audit logs?

Regards,

Balaji.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,643 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,924 questions
{count} votes

1 answer

Sort by: Most helpful
  1. MuthuKumaranMurugaachari-MSFT 22,271 Reputation points
    2023-11-21T20:09:01.0966667+00:00

    Balaji Shinde Thanks for posting your question in Microsoft Q&A. Quickly reviewing ARM template: Confluence Audit data connector, found that storage account was deployed with public network access enabled (default: publicNetworkAccess- Enabled) with the following parameters:

    {
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2019-06-01",
                "name": "[tolower(variables('FunctionName'))]",
                "location": "[resourceGroup().location]",
                "sku": {
                    "name": "Standard_LRS",
                    "tier": "Standard"
                },
                "kind": "StorageV2",
                "properties": {
                    "networkAcls": {
                        "bypass": "AzureServices",
                        "virtualNetworkRules": [],
                        "ipRules": [],
                        "defaultAction": "Allow"
                    },
                    "supportsHttpsTrafficOnly": true,
                    "encryption": {
                        "services": {
                            "file": {
                                "keyType": "Account",
                                "enabled": true
                            },
                            "blob": {
                                "keyType": "Account",
                                "enabled": true
                            }
                        },
                        "keySource": "Microsoft.Storage"
                    }
                }
            }
    

    However, it is not possible to secure an existing storage account by modifying publicNetworkAccess property. Refer doc: Restrict your storage account to a virtual network which describe the steps to restrict your storage account to a private endpoint in a VNET while creating a new function app or an existing function app with a new storage account.

    So, you can take function-app-storage-private-endpoints ARM template as a guide and modify Confluence Audit data connector template to deploy Azure Functions with a storage account behind VNET (public access disabled). Then configure Network security groups (NSG), Routes (route table) to allow outbound connections to Confluent Audit rest API. With this approach, storage account is restricted and still can access Confluent Audit API.

    Note: The Consumption plan isn't supported (supported-networking-features).

    I hope this helps and let me know if any questions.


    If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

    0 comments No comments