Difference Between Service Tags in Route Table

Question

Difference Between Service Tags in Route Table

Alex 495

Hey there,

I'm attempting to route storage/blob traffic through my Firewall by updating the Route Table of the subnet. It's functioning properly when I include storage.westus in the route, but it's not working when I only include storage. Can someone please explain why this is the behavior?

User's image

Thanks in advance.

Accepted answer

1 additional answer

Your answer

Answer 1

Anand Prakash Yadav 7,855 Microsoft External Staff

Hello Alex,

Thank you for posting your query here!

When you include storage.westus in the route, you specify a more specific service tag that represents Azure Storage in the West US region. This allows you to route traffic specifically to the IP addresses associated with Azure Storage in the West US region.

On the other hand, when you include just storage in the route, you are using a more general service tag that represents Azure Storage for the entire cloud. This includes IP addresses from all Azure regions, not just a specific region.

So, it’s possible that the storage service tag may not be specific enough to route traffic to the correct endpoint, while storage.westus is more specific and can route traffic properly.

To ensure that the routing works for all regions, you should either:

Use specific regional service tags for each region where you have Azure Storage accounts (e.g., Storage.WestUS, Storage.EastUS, etc.).
If your firewall supports routing based on service tags, you can use multiple routes for each region.

Please let us know if you have any further queries. I’m happy to assist you further.

Alex 495 Reputation points

2024-01-04T11:41:18+00:00

Hello Anand,

Thank you for the clarification, it was helpful.

So if I understand correctly about the possible cause, which is

'the storage service tag may not be specific enough to route traffic to the correct endpoint, while storage.westus is more specific and can route traffic properly',

then what are the potential use cases for the storage service tag in route table? Since there is an option to choose that tag for the route table + storage tag being the superset of all region specific storage tags, but it is not routing as configured.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-04T13:14:33.27+00:00

Hi Alex,

Please note that the general Storage tag approach might not work optimally when you have specific regional requirements or if you want to control the traffic flow based on the geographical location of your storage accounts. In such cases, it's recommended to use region-specific storage service tags for more granular control over routing.

However, in situations where your storage accounts are deployed redundantly across multiple regions, and you don't have specific requirements to route traffic based on regions or you don't have storage accounts in multiple regions, the Storage tag might be sufficient.
Alex 495 Reputation points

2024-01-05T13:11:50.24+00:00

Thank you, Anand, for the clarity.

Answer 2

Luke Murray 11,436 MVP Volunteer Moderator

Hi, Alex

I just had a look at the Service Tags IP address range, and it looks ok, with the supported Network Features of:

  "networkFeatures": [
          "API",
          "NSG",
          "UDR",
          "FW",
          "VSE"
        ]

In the subnet that your Private Endpoint for the Storage account is in, make sure that Route tables is selected, or your route table may be getting ignored:

Azure Portal - Private Endpoint - Routes

Reference: Manage network policies for private endpoints

Alex 495 Reputation points

2024-01-03T09:41:50.9566667+00:00
Thanks, Luke.

I am not using private endpoints though, I will clarify my setup. Apologies for the confusion.

I have a Blob storage account in westus2 with public access denied (only selected networks chosen).

I have an AppGw to handle the Blob traffic by configuring the Blob storage account as backend, settings, etc + enabling the service endpoint to storage for appgw subnet and allowing this subnet in the storage account.

The traffic in this setup goes from Appgw to blob directly and I want to route through the firewall.

So, when I try to update the route table of Appgw subnet to go through firewall for destination service tag as storage, the route is not in effect, but when I choose region specific tag (storage.westus2), it is going through firewall.

Flow: AppGw -> Firewall -> Blob

As per my understanding, storage service tag includes ip ranges of all regions and region specific storage service tag includes only that region's ip range. So I was thinking the route should have worked for both destination in this case storage and storage.westus2, but it didn't.

Would like to understand this behavior.

Hope my test setup is clear now, let me know if you need more clarity.

Thank you in advance.

Share via

Difference Between Service Tags in Route Table

1 additional answer

Your answer