Azure backbone network traffic allow access to storage account

Vladimiras Jakovlevas 0 Reputation points
2024-04-25T04:22:14.5433333+00:00

Hi,

We should allow access to a storage account from a Dynamics 365 Microsoft managed environment; the access must be granted to a blob storage account.

The problem is that when we try to access a storage account in the same Azure region, the connection from the Dynamics 365 Microsoft managed environment goes to the storage account directly over the Azure backbone. If we have the firewall enabled on the storage account, we can't allow the traffic using rules to whitelist "Azure backbone" IPs because they are private.

Is there any other solution to whitelist traffic from the Dynamics 365 Microsoft managed environment to the storage account?


3 answers

  1. Amrinder Singh 3,260 Reputation points Microsoft Employee
    2024-04-25T06:09:22.0633333+00:00

    Hi Vladimiras Jakovlevas - Thanks for reaching out over Q&A Forum.

    Yes, if the client (herein D365) and the storage account are in the same region, the calls shall flow via the internal backbone, which will have private IPs. Since those can't be whitelisted, the call might tend to fail with IP authorization errors.

    One suggestion is to have the client be part of a VNET (if feasible) and then whitelist the VNET at the storage account level.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#trusted-access-for-resources-registered-in-your-subscription

    Please let us know if you have any further queries. I’m happy to assist you further.    


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
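The failure described in the question and in the answer above, as an added example that is not part of the original thread: a simplified Python model of the storage account's public-endpoint firewall, showing why a private-range IP rule never admits a same-region caller while a virtual network rule does. The rule set is constructed sample data shaped like an ARM `networkAcls` object, and `PROPOSED_ACLS`, `unusable_ip_rules` and `decide` are hypothetical names.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a proposed rule set as it might sit in a template before
# deployment. The subscription id is a placeholder.
PROPOSED_ACLS = {
    "defaultAction": "Deny",
    "ipRules": [
        {"value": "203.0.113.0/24", "action": "Allow"},  # public (documentation) range
        {"value": "10.20.0.0/16", "action": "Allow"},    # private range, cannot work
    ],
    "virtualNetworkRules": [
        {"id": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Network"
               "/virtualNetworks/vnet-app/subnets/clients", "action": "Allow"},
    ],
}


def _is_private(net):
    return any(net.overlaps(p) for p in RFC1918)


def unusable_ip_rules(acls):
    """IP rules overlapping RFC 1918 space; IP rules only take public ranges."""
    nets = [ipaddress.ip_network(r["value"], strict=False) for r in acls.get("ipRules", [])]
    return [str(n) for n in nets if _is_private(n)]


def decide(acls, source_ip, same_region, subnet_id=None):
    """Simplified decision for one request to the public endpoint.

    Assumption: private endpoints, trusted-service bypass and resource
    instance rules are left out of this model.
    """
    if acls.get("defaultAction") == "Allow":
        return "allow"
    vnet_ids = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    if subnet_id and subnet_id.lower() in vnet_ids:
        return "allow"   # caller's subnet is listed on the account
    if same_region:
        return "deny"    # backbone traffic has a private source IP; IP rules cannot match
    addr = ipaddress.ip_address(source_ip)
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if not _is_private(net) and addr in net:
            return "allow"
    return "deny"
```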


  2. Vladimiras Jakovlevas 0 Reputation points
    2024-04-25T06:21:39.3733333+00:00

    Yes, a VNET should be fine, but I can't define a VNET for the Microsoft managed D365 environment. Any other ideas?


  3. Nehruji R 3,041 Reputation points Microsoft Vendor
    2024-04-26T05:34:23.93+00:00

    Hello Vladimiras Jakovlevas,

    Greetings! Welcome to Microsoft Q&A Platform.

    To allow access from a Dynamics 365 Microsoft managed environment to an Azure Blob Storage account, especially when dealing with firewall restrictions and private IPs, you can consider using Azure Private Link. Azure Private Link provides private connectivity from a virtual network to Azure services like Azure Storage, effectively bringing the service into your private network.

    Azure Storage provides a layered security model. This model enables you to control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources that you use.

    The best approach to achieve this is to create a Private Endpoint for your Azure Storage account, which assigns a private IP address from your virtual network to the storage account, and then configure DNS to ensure that the private endpoint is properly resolved within your Dynamics 365 environment. Update your firewall rules to allow traffic from the private endpoint associated with your Dynamics 365 environment.

    By doing this, you can ensure that the traffic from Dynamics 365 to the Azure Storage account stays within the Azure network, bypassing the need to whitelist Azure backbone IPs. This method also enhances security by keeping data transfer off the public internet.

    Refer to https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal for detailed guidance.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.