Azure Elastic storage area network (SAN) allows you to secure and control the level of access to your Elastic SAN volumes that your applications and enterprise environments demand, based on the type and subset of networks or resources used. When network rules are configured, only applications requesting data over the specified set of networks or through the specified set of Azure resources can access an Elastic SAN (preview). Access to your SAN's volumes is limited to resources in subnets of the same Azure Virtual Network that your SAN's volume group is configured with.
Volume groups are configured to allow access only from specific subnets. The allowed subnets may belong to a virtual network in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.
You must enable a Service endpoint for Azure Storage within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the SAN that allow requests to be received from specific subnets in a virtual network. Clients granted access via these network rules must continue to meet the authorization requirements of the Elastic SAN to access the data.
Each volume group supports up to 200 virtual network rules.
Important
If you delete a subnet that has been included in a network rule, it will be removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.
Enable Storage service endpoint
In your virtual network, enable the Storage service endpoint on your subnet. This ensures traffic is routed optimally to your Elastic SAN. To enable the service endpoint for Azure Storage, you must have the appropriate permissions for the virtual network. This operation can be performed by a user that has been given permission to the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Azure resource provider operation via a custom Azure role. An Elastic SAN and the virtual networks granted access may be in different subscriptions, including subscriptions that are a part of a different Azure AD tenant.
Note
Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant is currently only supported through PowerShell, CLI and REST APIs. These rules cannot be configured through the Azure portal, though they may be viewed in the portal.
By default, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, service endpoints also work between virtual networks and service instances in a paired region. If you want to use a service endpoint to grant access to virtual networks in other regions, you must register the AllowGlobalTagsForStorage feature in the subscription of the virtual network. This capability is currently in public preview.
Service endpoints allow continuity during a regional failover. When planning for disaster recovery during a regional outage, you should create the virtual networks in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your zone-redundant SANs.
Enabling access to virtual networks in other regions (preview)
To enable access from a virtual network that is located in another region over service endpoints, register the AllowGlobalTagsForStorage feature in the subscription of the virtual network.
Note
For updating the existing service endpoints to access a volume group in another region, perform an update subnet operation on the subnet after registering the subscription with the AllowGlobalTagsForStorage feature. Similarly, to go back to the old configuration, perform an update subnet operation after deregistering the subscription with the AllowGlobalTagsForStorage feature.
Open the Azure Cloud Shell, or if you've installed the Azure CLI locally, open a command console application such as Windows PowerShell.
If your identity is associated with more than one subscription, then set your active subscription to the subscription of the virtual network.

```azurecli
az account set --subscription <subscription-id>
```
Replace the <subscription-id> placeholder value with the ID of your subscription.
Register the AllowGlobalTagsForStorage feature by using the az feature register command.
```azurecli
az feature register --namespace Microsoft.Network --name AllowGlobalTagsForStorage
```
Note
The registration process might not complete immediately. Make sure to verify that the feature is registered before using it.
To verify that the registration is complete, use the az feature show command.

```azurecli
az feature show --namespace Microsoft.Network --name AllowGlobalTagsForStorage
```
Managing virtual network rules
You can manage virtual network rules for volume groups through the Azure portal, PowerShell, or CLI.
Note
If you registered the AllowGlobalTagsForStorage feature, and you want to enable access to your volumes from a virtual network/subnet in another Azure AD tenant, or in a region other than the region of the SAN or its paired region, then you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants or in regions other than the region of the storage account or its paired region, and hence cannot be used to configure access rules for virtual networks in other regions.
To add a network rule for a subnet in a virtual network belonging to another Azure AD tenant, use a fully qualified VirtualNetworkResourceId parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name".
Remove a virtual network rule.
You can remove a virtual network rule by object, by resource ID, or by removing all the rules in a volume group.

```powershell
# Remove by networkRule object
Remove-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName -NetworkAclsVirtualNetworkRule $virtualNetworkRule1,$virtualNetworkRule2

# Remove by networkRuleResourceId
Remove-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName -NetworkAclsVirtualNetworkResourceId "myResourceID"

# Remove all network rules in a volume group by pipeline
((Get-AzElasticSanVolumeGroup -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName).NetworkAclsVirtualNetworkRule) | Remove-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName
```
Add a network rule for a virtual network and subnet.
Tip
To add a rule for a subnet in a virtual network belonging to another Azure AD tenant, use a fully-qualified subnet ID in the form /subscriptions/<subscription-ID>/resourceGroups/<resourceGroup-Name>/providers/Microsoft.Network/virtualNetworks/<vNet-name>/subnets/<subnet-name>.
You can use the subscription parameter to retrieve the subnet ID for a virtual network belonging to another Azure AD tenant.
```azurecli
# First, get the current number of virtual network rules. This is needed so that you append a new rule instead of replacing the existing ones.
virtualNetworkListLength=$(az elastic-san volume-group show -e $sanName -n $volumeGroupName -g $resourceGroupName --query 'length(networkAcls.virtualNetworkRules)' -o tsv)
az elastic-san volume-group update -e $sanName -g $resourceGroupName --name $volumeGroupName --network-acls virtual-network-rules[$virtualNetworkListLength] "{virtualNetworkRules:[{id:/subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/default, action:Allow}]}"
```
Remove a network rule. The following command removes the first network rule; modify it to remove the network rule you'd like.