When a Storage account is assigned Private endpoint, do we still need to enable firewalls?

suresh bettadapur 1 Reputation point
2021-05-26T06:28:34.873+00:00

When a Storage account is assigned a Private endpoint, and public access to the blob container is disabled, is there a need to make it more secure by enabling firewalls to restrict access only to specific networks/subnets?

Azure Storage Accounts

1 answer

  1. Sumarigo-MSFT 46,286 Reputation points Microsoft Employee
    2021-05-27T07:31:55.957+00:00

    @suresh bettadapur Welcome to the Q&A Forum! Thank you for posting your query here.

    When a Storage account is assigned a Private endpoint, and public access to the blob container is disabled, is there a need to make it more secure by enabling firewalls to restrict access only to specific networks/subnets? Not required.

    Using private endpoints for your storage account enables you to:

    • Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
    • Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
    • Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering.
    • You can secure your storage account to only accept connections from your VNet, by configuring the storage firewall to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

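The configuration the answer describes, as an added example that is not part of the original thread: the storage firewall set to deny everything on the public endpoint (so no network rule is needed for the private endpoint's subnet), anonymous blob access switched off, and a private endpoint for the blob sub-resource. The resource names, VNet, subnet and location are assumptions.

```bicep
// Added example, not from the thread. Assumes an existing VNet with a subnet
// reserved for private endpoints; all names and the location are placeholders.
param location string = resourceGroup().location
param storageName string = 'stexample${uniqueString(resourceGroup().id)}'
param vnetName string = 'vnet-example'
param subnetName string = 'snet-private-endpoints'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    // The firewall governs only the public endpoint. Denying by default here
    // does not affect traffic arriving through the private endpoint, so the
    // private-endpoint subnet needs no virtualNetworkRules entry.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None' // set to 'AzureServices' only if trusted services must reach the account
      ipRules: []
      virtualNetworkRules: []
    }
    allowBlobPublicAccess: false // no anonymous container or blob reads
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
  }
}

// One private endpoint per sub-resource: this one covers the blob service.
resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: '${vnet.id}/subnets/${subnetName}' }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}
```

Name resolution is deliberately left out: clients on the VNet still need a privatelink.blob.core.windows.net private DNS zone (linked to the VNet, with a DNS zone group on the endpoint) so the account's hostname resolves to the private IP rather than the now-blocked public endpoint.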
