Configure Elastic SAN networking (preview)

Azure Elastic storage area network (SAN) allows you to secure and control the level of access to your Elastic SAN volumes that your applications and enterprise environments demand, based on the type and subset of networks or resources used. When network rules are configured, only applications requesting data over the specified set of networks or through the specified set of Azure resources that can access an Elastic SAN (preview). Access to your SAN's volumes are limited to resources in subnets in the same Azure Virtual Network that your SAN's volume group is configured with.

Volume groups are configured to allow access only from specific subnets. The allowed subnets may belong to a virtual network in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.

You must enable a Service endpoint for Azure Storage within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the SAN that allow requests to be received from specific subnets in a virtual network. Clients granted access via these network rules must continue to meet the authorization requirements of the Elastic SAN to access the data.

Each volume group supports up to 200 virtual network rules.

Important

If you delete a subnet that has been included in a network rule, it will be removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.

Enable Storage service endpoint

In your virtual network, enable the Storage service endpoint on your subnet. This ensures traffic is routed optimally to your Elastic SAN. To enable service point for Azure Storage, you must have the appropriate permissions for the virtual network. This operation can be performed by a user that has been given permission to the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Azure resource provider operation via a custom Azure role. An Elastic SAN and the virtual networks granted access may be in different subscriptions, including subscriptions that are a part of a different Azure AD tenant.

Note

Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through PowerShell, CLI and REST APIs. These rules cannot be configured through the Azure portal, though they may be viewed in the portal.

  1. Navigate to your virtual network and select Service Endpoints.
  2. Select + Add and for Service select Microsoft.Storage.
  3. Select any policies you like, and the subnet you deploy your Elastic SAN into and select Add.

Screenshot of the virtual network service endpoint page, adding the storage service endpoint.

Available virtual network regions

By default, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, service endpoints also work between virtual networks and service instances in a paired region. If you want to use a service endpoint to grant access to virtual networks in other regions, you must register the AllowGlobalTagsForStorage feature in the subscription of the virtual network. This capability is currently in public preview.

Service endpoints allow continuity during a regional failover. When planning for disaster recovery during a regional outage, you should create the virtual networks in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your zone-redundant SANs.

Enabling access to virtual networks in other regions (preview)

Important

This capability is currently in PREVIEW.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

To enable access from a virtual network that is located in another region over service endpoints, register the AllowGlobalTagsForStorage feature in the subscription of the virtual network.

Note

For updating the existing service endpoints to access a volume group in another region, perform an update subnet operation on the subnet after registering the subscription with the AllowGlobalTagsForStorage feature. Similarly, to go back to the old configuration, perform an update subnet operation after deregistering the subscription with the AllowGlobalTagsForStorage feature.

During the preview you must use either PowerShell or the Azure CLI to enable this feature.

Managing virtual network rules

You can manage virtual network rules for volume groups through the Azure portal, PowerShell, or CLI.

Note

If you registered the AllowGlobalTagsForStorage feature, and you want to enable access to your volumes from a virtual network/subnet in another Azure AD tenant, or in a region other than the region of the SAN or its paired region, then you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants or in regions other than the region of the storage account or its paired region, and hence cannot be used to configure access rules for virtual networks in other regions.

  1. Navigate to your SAN and select Volume groups.
  2. Select a volume group and select Create.
  3. Add an existing virtual network and subnet and select Save.

Next steps

Plan for deploying an Elastic SAN (preview)