How to configure Firewalls and Virtual networks in Azure Storage Account

Kiran Hegde 0 Reputation points
2024-07-09T07:33:54.89+00:00

Problem Statement:

  • When attempting to save changes to the networking configuration of the storage account, specifically after modifying the Network Routing preference and endpoints, the application crashes and displays an error page instead of successfully saving the changes.

Procedure:

  1. Create a storage account in Azure.
  2. Navigate to your storage account in the Azure Portal.
  3. In the left-hand menu, search for and select Networking.
  4. On the Firewalls and virtual networks tab, configure the following settings:
    • Allow access from: All networks
    • Network Routing preference: Microsoft network routing
    • Publish route-specific endpoints: Microsoft network routing
  5. Save your changes.

Issue:

  • After attempting to save these changes, you encounter an error page and the application crashes.


2 answers

  1. TP 98,731 Reputation points
    2024-07-09T07:56:16.7466667+00:00

    Hi Kiran,

    I tested and was unable to reproduce the error you are experiencing using Edge or Chrome.

    Please test again using a new browser profile and/or a different browser. For example, if you are using Chrome, please test by clicking the person icon in the upper right --> Guest. Or see if the error occurs with Edge.

    If using Edge, you would click on the person icon in the upper left corner --> Other profiles --> Browse as guest. Or test using Chrome.

    If switching to a different browser profile or browser solves the issue, you may try clearing out cache/cookies/etc. from original browser and test again.

    Please reply back with your results, whether positive or negative.

    Thanks.

    -TP


  2. Nehruji R 8,151 Reputation points Microsoft Vendor
    2024-07-10T05:49:51.4066667+00:00

    Hello Kiran Hegde,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are encountering issues in configuring the firewall rules for your storage account. Please consider checking the factors below to configure and modify the configurations:

    1. By default, storage accounts accept connections from clients on any network. However, to limit access to selected networks, you must first change the default action.
    2. Azure Storage provides a layered security model allowing you to secure your storage accounts to a specific set of allowed networks. When network rules are configured specifically, then only applications from allowed networks can access a storage account.
    3. When you choose "Select Networks", this by default means access is blocked from all networks, irrespective of whether they are in the same VNET.
    4. The term "Select Network" itself means providing access from selected networks. (So if you don't select a network, then it can't be accessed from anywhere.)
    5. Now open up access by adding the specific VNET. Within that VNET, you can select which subnet access needs to be given to, i.e. you are configuring storage accounts to allow access only from specific subnets.
    6. To summarize: if the source request is coming from an Azure VM in the same Azure VNet and from the same region, then the Azure storage firewall should be configured to allow the traffic by adding the VNet/Subnet within the “Virtual networks” section.
    7. The main use of Private Endpoints for your Azure Storage accounts is to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
    8. Basically, using private endpoints for your storage account enables you to:
      a) Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
      b) Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
      c) Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering.

    Refer to the troubleshooting article and docs for more detailed guidance: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal, https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference, https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-storage-firewall-issues/ba-p/1944730.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

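The default-action and rule behaviour described in the second answer, as an added example (not code from the thread or from Microsoft): a simplified Python model of the public-endpoint decision over an ARM-style `networkAcls` object, plus a small audit of the two states the answer warns about. The subscription ID, resource names and IP ranges are constructed, and the model deliberately ignores trusted-service bypass and private endpoints.

```python
import ipaddress

# Constructed sample data in the ARM "networkAcls" shape (not taken from the thread).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/app")
LOCKED_DOWN = {
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
}
ALL_NETWORKS = {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
SELECTED_BUT_EMPTY = {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}


def is_allowed(acls, source_ip=None, subnet_id=None):
    """Simplified model of the public-endpoint firewall decision."""
    # Assumption: a missing defaultAction is treated as Allow (the default state).
    if acls.get("defaultAction", "Allow") == "Allow":
        return True  # "All networks": every client reaches the public endpoint
    if subnet_id is not None:
        # Resource IDs are compared case-insensitively.
        allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
        if subnet_id.lower() in allowed:
            return True
    if source_ip is not None:
        addr = ipaddress.ip_address(source_ip)
        for rule in acls.get("ipRules", []):
            if addr in ipaddress.ip_network(rule["value"], strict=False):
                return True
    return False  # default action Deny and no matching rule


def audit(acls):
    """Return the findings a reviewer would raise for this rule set."""
    findings = []
    if acls.get("defaultAction", "Allow") == "Allow":
        findings.append("default action is Allow: reachable from all networks")
    elif not acls.get("ipRules") and not acls.get("virtualNetworkRules"):
        findings.append("default action is Deny with no rules: public endpoint unreachable")
    return findings


if __name__ == "__main__":
    for name, acls in [("all networks", ALL_NETWORKS), ("locked down", LOCKED_DOWN),
                       ("selected but empty", SELECTED_BUT_EMPTY)]:
        print(name, is_allowed(acls, source_ip="198.51.100.7"), audit(acls))
```
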
