Whitelist access to azure storage from Internal Firewall

Rusydan (Dan) 161 Reputation points
2022-07-29T01:52:10.773+00:00

Hi All,

We have an Azure blob storage where the link is embedded in our in-house application using the storage URL (https://example.blob.core.windows.net).
Today, the organization decided to block everything from their internal firewall appliance due to a cyber security threat.
That causes access to blob storage to be denied as well.

Is there a way to whitelist the access at a granular level? From what I have read, we can whitelist the blob URL. That alone does not work, since the firewall denies all.

Can we then whitelist by IP address?
From what I have researched, there is a range of IP addresses by region and Azure service that we can whitelist, based on the JSON file provided below.
confirmation.aspx

However, it also mentions that this file is updated weekly and the IP ranges are updated. So it seems not a practical way of whitelisting by IP address. Appreciate if you can clarify if this is true.

If that's the case, how else can we whitelist access to Azure effectively? Other considerations that we would like to verify:

  1. Should we whitelist by port 443 and allow all IP addresses using this port?
  2. Should we consider Azure VPN instead and use a private endpoint at the storage? (This may be a lot of effort, since now we need to think of re-writing our internal application and introducing an additional Azure service.)

Thank you.

Azure Blob Storage

Accepted answer
    SaiKishor-MSFT 17,336 Reputation points
    2022-08-01T19:21:24.127+00:00

    @Rusydan (Dan) Thank you for reaching out to Microsoft. I understand that you want to know the right way to access the Azure Storage from your organization by allowing access to it in your internal firewall.

    As you mentioned, if you prefer to access it via the public IP range, this range will be updated weekly, so you will need some kind of script to update it on a regular basis. It's best to go with the private endpoint option.

    Here are more details regarding the same: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

    And in regard to the port, if you are accessing it via the web link using https, you will need to open port 443 as you mentioned. If you need any help with setting up a private endpoint for your storage account, please do let us know and we will be glad to assist you with the same. Thank you!


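The "script to update it on a regular basis" that the accepted answer mentions, written out as an added example (it is not code from the question, the answer or Microsoft). It assumes the file the poster refers to is the weekly Azure IP Ranges and Service Tags JSON, whose layout is a top-level "values" array of tags, each carrying properties.systemService, properties.region and properties.addressPrefixes. The script pulls out the prefixes tagged AzureStorage for the region the storage account lives in, diffs them against what the firewall currently allows, and renders TCP/443-only allow rules in a placeholder syntax. The sample JSON and the current allow-list are constructed, and the address ranges are documentation ranges, not real Azure prefixes.

```python
"""Keep a firewall allow-list in step with the weekly Azure service-tag JSON.

Added example, not code from the question or answer. Assumes the weekly
"Azure IP Ranges and Service Tags - Public Cloud" layout: a top-level "values"
array of tags, each with properties.systemService, properties.region and
properties.addressPrefixes. The sample below is constructed to mirror that
layout and uses documentation address ranges, not real Azure prefixes.
"""
import ipaddress
import json

# Constructed excerpt in the layout of the weekly service-tag file.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 200,
    "cloud": "Public",
    "values": [
        {
            "name": "Storage.AustraliaEast",
            "id": "Storage.AustraliaEast",
            "properties": {
                "changeNumber": 12,
                "region": "australiaeast",
                "platform": "Azure",
                "systemService": "AzureStorage",
                "addressPrefixes": ["203.0.113.0/25", "198.51.100.0/24", "2001:db8:1::/48"],
                "networkFeatures": ["API", "NSG", "UDR", "FW"],
            },
        },
        {
            "name": "Storage.WestEurope",
            "id": "Storage.WestEurope",
            "properties": {
                "changeNumber": 9,
                "region": "westeurope",
                "platform": "Azure",
                "systemService": "AzureStorage",
                "addressPrefixes": ["192.0.2.0/24"],
                "networkFeatures": ["API", "NSG", "UDR", "FW"],
            },
        },
        {
            # A non-storage tag in the same region: must not reach the allow-list.
            "name": "Sql.AustraliaEast",
            "id": "Sql.AustraliaEast",
            "properties": {
                "changeNumber": 5,
                "region": "australiaeast",
                "platform": "Azure",
                "systemService": "AzureSQL",
                "addressPrefixes": ["203.0.113.128/25"],
                "networkFeatures": ["API", "NSG", "UDR", "FW"],
            },
        },
    ],
})


def _net_key(net):
    # IPv4 and IPv6 networks are not mutually comparable; order by family first.
    return (net.version, net)


def storage_prefixes(service_tags_json, region=None):
    """Return the Azure Storage prefixes as ip_network objects, optionally for one region.

    strict=True makes a prefix with host bits set (a typo in a hand-edited copy
    of the file) raise ValueError instead of silently widening the rule.
    """
    doc = json.loads(service_tags_json)
    found = set()
    for tag in doc["values"]:
        props = tag["properties"]
        if props.get("systemService") != "AzureStorage":
            continue
        if region is not None and props.get("region", "").lower() != region.lower():
            continue
        for prefix in props["addressPrefixes"]:
            found.add(ipaddress.ip_network(prefix, strict=True))
    return sorted(found, key=_net_key)


def diff_allowlist(current_rules, wanted_prefixes):
    """Return (to_add, to_remove): the changes that bring the firewall's current
    allow-list (given as prefix strings) in line with the prefixes just extracted."""
    current = {ipaddress.ip_network(p, strict=True) for p in current_rules}
    wanted = set(wanted_prefixes)
    return sorted(wanted - current, key=_net_key), sorted(current - wanted, key=_net_key)


def render_rules(prefixes, port=443):
    """Render one outbound allow rule per prefix, restricted to TCP/443 so the
    opening is 'storage over HTTPS', not 'everything to those addresses'.
    The rule syntax is a generic placeholder; adapt it to the appliance in use."""
    return [f"allow tcp any -> {net} port {port}" for net in prefixes]


if __name__ == "__main__":
    # Allow-list as it currently stands on the appliance (constructed): one
    # entry is stale and one current storage prefix is missing.
    on_firewall = ["203.0.113.0/25", "192.0.2.128/25"]
    wanted = storage_prefixes(SAMPLE_SERVICE_TAGS, region="australiaeast")
    to_add, to_remove = diff_allowlist(on_firewall, wanted)
    print("add:")
    print("\n".join(render_rules(to_add)))
    print("remove:")
    print("\n".join(render_rules(to_remove)))
```

The two pieces to substitute for real use are the download of the current week's file and the appliance's own rule syntax. The per-tag changeNumber in the real file lets a scheduled job skip the diff entirely when the Storage tag for the region has not changed since the last run. Note the caveat that goes with this approach: allowing the regional Storage tag opens egress to every storage account in that region, not only your own, which is the main reason the accepted answer prefers a private endpoint.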
