Azure Serial console and locked down Storage account

Simon Magrin 121 Reputation points
2022-01-22T11:27:02.46+00:00

Hi,

I'm aware that you need to enable 'All networks' for a nominated diagnostics Storage account used for a VM:

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-errors#common-errors

However this goes against one of the Microsoft Defender for Cloud (formally Azure Security Center) recommendation's to enable the firewall on all Storage accounts.

Digging through the Log Analytics for the Storage account while launching the Serial console, a Private IP range (10.240/16) accessed the account and failed when 'All networks' wasn't enabled. Likewise, allowing all networks and the Serial console worked again. Seems coincidental?

167405-loganayticsstorageaccount.png

Ideally it'll be good to still access the Serial console when required without compromising on the Secure Score. Moreover, you can't allow private IP addresses either, only your own VNet's, Azure services (Virtual Machines aren't a listed service) or public IP's.

Is there any upcoming changes to address this conflicting issue?

Thanks

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,063 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,654 questions
0 comments No comments
{count} votes

Accepted answer
  1. srbhatta-MSFT 8,546 Reputation points Microsoft Employee
    2022-01-25T07:18:27.947+00:00

    Hello @Simon Magrin ,
    Thanks for reaching out to Microsoft QnA Platform. Firstly, apologies for the delay in response here.
    As you are already aware that this is by design, that if firewall is enabled in a storage account, and if the same storage account is used to enable boot diagnostics for a VM, then serial console will not be accessible.
    Currently Serial Console Access feature and Azure Storage Firewall features are incompatible so only one of them could be enabled at one time. If you want to use the serial console feature, you need to remove the firewall from the storage account that holds boot diagnostic folder.
    I agree that what you are suggesting is a good to have design, and the serial console service is in the midst of a design transition which should have better enable options for storage account firewalI in future. However, I will request you to post it in our feedback forum here ( Azure Feedback Forum ) so that the Product Team can check and prioritize the features accordingly.

    I hope this helps in answering your query.
    Please 'Accept as Answer' if you find the above provided information useful so that it can benefit the community.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Simon Magrin 121 Reputation points
    2022-01-25T11:28:23.627+00:00

    Thanks @srbhatta-MSFT for confirming. Kind Regards

    0 comments No comments