Редагувати

Поділитися через


Create and associate service endpoint policies

Service endpoint policies enable you to filter virtual network traffic to specific Azure resources, over service endpoints. If you're not familiar with service endpoint policies, see service endpoint policies overview to learn more.

In this tutorial, you learn how to:

  • Create a virtual network.
  • Add a subnet and enable service endpoint for Azure Storage.
  • Create two Azure Storage accounts and allow network access to it from the subnet in the virtual network.
  • Create a service endpoint policy to allow access only to one of the storage accounts.
  • Deploy a virtual machine (VM) to the subnet.
  • Confirm access to the allowed storage account from the subnet.
  • Confirm access is denied to the nonallowed storage account from the subnet.

Prerequisites

Create a virtual network and enable service endpoint

Create a virtual network to contain the resources you create in this tutorial.

  1. In the search box in the portal, enter Virtual networks. Select Virtual networks in the search results.

  2. Select + Create to create a new virtual network.

  3. Enter or select the following information in the Basics tab of Create virtual network.

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg in Name.
    Select OK.
    Name Enter vnet-1.
    Region Select West US 2.
  4. Select Next.

  5. Select Next.

  6. In the IP addresses tab, in Subnets, select the default subnet.

  7. Enter or select the following information in Edit subnet.

    Setting Value
    Name Enter subnet-1.
    Service Endpoints
    Services
    In the pull-down menu, select Microsoft.Storage.
  8. Select Save.

  9. Select Review + Create.

  10. Select Create.

Restrict network access for the subnet

Create a network security group and rules that restrict network access for the subnet.

Create a network security group

  1. In the search box in the portal, enter Network security groups. Select Network security groups in the search results.

  2. Select + Create to create a new network security group.

  3. In the Basics tab of Create network security group, enter, or select the following information.

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Name Enter nsg-1.
    Region Select West US 2.
  4. Select Review + Create.

  5. Select Create.

Create network security group rules

  1. In the search box in the portal, enter Network security groups. Select Network security groups in the search results.

  2. Select nsg-1.

  3. Expand Settings. Select Outbound security rules.

  4. Select + Add to add a new outbound security rule.

  5. In Add outbound security rule, enter or select the following information.

    Setting Value
    Source Select Service Tag.
    Source service tag Select VirtualNetwork.
    Source port ranges Enter *.
    Destination Select Service Tag.
    Destination service tag Select Storage.
    Service Select Custom.
    Destination port ranges Enter *.
    Protocol Select Any.
    Action Select Allow.
    Priority Enter 100.
    Name Enter allow-storage-all.
  6. Select Add.

  7. Select + Add to add another outbound security rule.

  8. In Add outbound security rule, enter or select the following information.

    Setting Value
    Source Select Service Tag.
    Source service tag Select VirtualNetwork.
    Source port ranges Enter *.
    Destination Select Service Tag.
    Destination service tag Select Internet.
    Service Select Custom.
    Destination port ranges Enter *.
    Protocol Select Any.
    Action Select Deny.
    Priority Enter 110.
    Name Enter deny-internet-all.
  9. Select Add.

  10. Expand Settings. Select Subnets.

  11. Select Associate.

  12. In Associate subnet, enter or select the following information.

    Setting Value
    Virtual network Select vnet-1 (test-rg).
    Subnet Select subnet-1.
  13. Select OK.

Restrict network access to Azure Storage accounts

The steps necessary to restrict network access to resources created through Azure services enabled for service endpoints varies across services. See the documentation for individual services for specific steps for each service. The remainder of this article includes steps to restrict network access for an Azure Storage account, as an example.

Create two storage accounts

  1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

  2. Select + Create to create a new storage account.

  3. In Create a storage account, enter or select the following information.

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Storage account name Enter allowedaccount(random-number).
    Note: The storage account name must be unique. Add a random number to the end of the name allowedaccount.
    Region Select West US 2.
    Performance Select Standard.
    Redundancy Select Locally-redundant storage (LRS).
  4. Select Next until you reach the Data protection tab.

  5. In Recovery, deselect all of the options.

  6. Select Review + Create.

  7. Select Create.

  8. Repeat the previous steps to create another storage account with the following information.

    Setting Value
    Storage account name Enter deniedaccount(random-number).

Create file shares

  1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

  2. Select allowedaccount(random-number).

  3. Expand the Data storage section and select File shares.

  4. Select + File share.

  5. In New file share, enter or select the following information.

    Setting Value
    Name Enter file-share.
  6. Leave the rest of the settings as default and select Review + create.

  7. Select Create.

  8. Repeat the previous steps to create a file share in deniedaccount(random-number).

Deny all network access to storage accounts

By default, storage accounts accept network connections from clients in any network. To restrict network access to the storage accounts, you can configure the storage account to accept connections only from specific networks. In this example, you configure the storage account to accept connections only from the virtual network subnet you created earlier.

  1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

  2. Select allowedaccount(random-number).

  3. Expand Security + networking and select Networking.

  4. In Firewalls and virtual networks, in Public network access, select Enabled from selected virtual networks and IP addresses.

  5. In Virtual networks, select + Add existing virtual network.

  6. In Add networks, enter or select the following information.

    Setting Value
    Subscription Select your subscription.
    Virtual networks Select vnet-1.
    Subnets Select subnet-1.
  7. Select Add.

  8. Select Save.

  9. Repeat the previous steps to deny network access to deniedaccount(random-number).

Apply policy to allow access to valid storage account

You can create a service endpoint policy. The policy ensures users in the virtual network can only access safe and allowed Azure Storage accounts. This policy contains a list of allowed storage accounts applied to the virtual network subnet that is connected to storage via service endpoints.

Create a service endpoint policy

This section creates the policy definition with the list of allowed resources for access over service endpoint.

  1. In the search box in the portal, enter Service endpoint policy. Select Service endpoint policies in the search results.

  2. Select + Create to create a new service endpoint policy.

  3. Enter or select the following information in the Basics tab of Create a service endpoint policy.

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Name Enter service-endpoint-policy.
    Location Select West US 2.
  4. Select Next: Policy definitions.

  5. Select + Add a resource in Resources.

  6. In Add a resource, enter or select the following information:

    Setting Value
    Service Select Microsoft.Storage.
    Scope Select Single account
    Subscription Select your subscription.
    Resource group Select test-rg.
    Resource Select allowedaccount(random-number)
  7. Select Add.

  8. Select Review + Create.

  9. Select Create.

Associate a service endpoint policy to a subnet

After creating the service endpoint policy, you'll associate it with the target subnet with the service endpoint configuration for Azure Storage.

  1. In the search box in the portal, enter Service endpoint policy. Select Service endpoint policies in the search results.

  2. Select service-endpoint-policy.

  3. Expand Settings and select Associated subnets.

  4. Select + Edit subnet association.

  5. In Edit subnet association, select vnet-1 and subnet-1.

  6. Select Apply.

Warning

Ensure that all the resources accessed from the subnet are added to the policy definition before associating the policy to the given subnet. Once the policy is associated, only access to the allow listed resources will be allowed over service endpoints.

Ensure that no managed Azure services exist in the subnet that is being associated to the service endpoint policy.

Access to Azure Storage resources in all regions will be restricted as per Service Endpoint Policy from this subnet.

Validate access restriction to Azure Storage accounts

To test network access to a storage account, deploy a VM in the subnet.

Deploy the virtual machine

  1. In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.

  2. In the Basics tab of Create a virtual machine, enter, or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-1.
    Region Select (US) West US 2.
    Availability options Select No infrastructure redundancy required.
    Security type Select Standard.
    Image Select Windows Server 2022 Datacenter - x64 Gen2.
    Size Select a size.
    Administrator account
    Username Enter a username.
    Password Enter a password.
    Confirm password Enter the password again.
    Inbound port rules
  3. Select Next: Disks, then select Next: Networking.

  4. In the Networking tab, enter or select the following information.

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Select None.
    NIC network security group Select None.
  5. Leave the rest of the settings as default and select Review + Create.

  6. Select Create.

Wait for the virtual machine to finish deploying before continuing on to the next steps.

Confirm access to the allowed storage account

  1. Sign-in to the Azure portal.

  2. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

  3. Select allowedaccount(random-number).

  4. Expand Security + networking and select Access keys.

  5. Copy the key1 value. You use this key to map a drive to the storage account from the virtual machine you created earlier.

  6. In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.

  7. Select vm-1.

  8. Expand Operations. Select Run command.

  9. Select RunPowerShellScript.

  10. Paste the following script in Run Command Script.

    ## Enter the storage account key for the allowed storage account that you recorded earlier.
    $storageAcctKey1 = (pasted from procedure above)
    $acctKey = ConvertTo-SecureString -String $storageAcctKey1 -AsPlainText -Force
    ## Replace the login account with the name of the storage account you created.
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\allowedaccount"), $acctKey
    ## Replace the storage account name with the name of the storage account you created.
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\allowedaccount.file.core.windows.net\file-share" -Credential $credential
    
  11. Select Run.

  12. If the drive map is successful, the output in the Output box looks similar to the following example:

    Name           Used (GB)     Free (GB) Provider      Root
    ----           ---------     --------- --------      ----
    Z                                      FileSystem    \\allowedaccount.file.core.windows.net\fil..
    

Confirm access is denied to the denied storage account

  1. In the search box in the portal, enter Storage accounts. Select Storage accounts in the search results.

  2. Select deniedaccount(random-number).

  3. Expand Security + networking and select Access keys.

  4. Copy the key1 value. You use this key to map a drive to the storage account from the virtual machine you created earlier.

  5. In the search box in the portal, enter Virtual machines. Select Virtual machines in the search results.

  6. Select vm-1.

  7. Expand Operations. Select Run command.

  8. Select RunPowerShellScript.

  9. Paste the following script in Run Command Script.

    ## Enter the storage account key for the denied storage account that you recorded earlier.
    $storageAcctKey2 = (pasted from procedure above)
    $acctKey = ConvertTo-SecureString -String $storageAcctKey2 -AsPlainText -Force
    ## Replace the login account with the name of the storage account you created.
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\deniedaccount"), $acctKey
    ## Replace the storage account name with the name of the storage account you created.
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\deniedaccount.file.core.windows.net\file-share" -Credential $credential
    
  10. Select Run.

  11. You receive the following error message in the Output box:

    New-PSDrive : Access is denied
    At line:1 char:1
    + New-PSDrive -Name Z -PSProvider FileSystem -Root "\\deniedaccount8675 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Z:PSDriveInfo) [New-PSDrive], Win32Exception
    + FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
    
  12. The drive map is denied because of the service endpoint policy that restricts access to the storage account.

When you finish using the resources that you created, you can delete the resource group and all its resources.

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

Next steps

In this tutorial, you created a service endpoint policy and associated it to a subnet. To learn more about service endpoint policies, see service endpoint policies overview.