Azure Storage Account - Public Access Disabled - but still some level of connectivity

Question

Hi - we have created a storage account that holds Azure file shares - we have disabled public network access and configured a private endpoint and only allow connectivity from within the virtual network.

However the client has noticed that - if you're off the network completely and browse to the storage account URL (\storageaccountname.file.core.windows.net) you still get prompted for creds. And if you run a "test-netconnection storageaccountname.file.core.windows.net -port 445" it responds with true.

Now, imputting the creds doesn't work and we are unable to browse data either via the portal or Storage Explorer etc - however I need to give them some reassurance that the account is indeed locked down as it should be before they store critical data in there.

My working assumption here is that it's allowing connectivity to the management plane of the storage account rather than the data plane - is this correct? or it is something else?

Thanks

Answer 1

Hi Gareth,

Each Azure Storage endpoint public IP address serves many different storage accounts. As a result of this incoming connections have to be accepted so that the front end layer can determine whether or not it should be authorized.

For example, Test-NetConnection essentially attempts TCP three-way handshake and reports the result (success/fail). At this stage of the connection process, the front end has no ability to see which storage account is the destination, so the TCP connection needs to proceed.

In the case of attempting to browse a share, there is a point in the process where it is knows the destination storage account and can take that into consideration. If the destination account has public access disabled it knows to refuse.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP