Azure Storage Networking

Introduction

Azure Storage provides robust networking capabilities to control how clients can access your storage accounts. This allows you to secure your data by restricting access to specific networks or IP addresses, or by enabling private endpoints for secure, private connectivity.

Network Access Control

You can manage network access to your storage account through the Azure portal, PowerShell, Azure CLI, or REST API. Key features include:

  • Firewall and Virtual Networks: Configure your storage account to allow access only from selected networks, public IP addresses, or Azure services.
  • Public Endpoint: By default, storage accounts are accessible via public endpoints over the internet.
  • Private Endpoint: Create a private endpoint to provide secure, private access to your storage account directly from your Azure Virtual Network (VNet) without exposing it to the public internet.

Firewall Configuration

When configuring the firewall, you can:

  • Allow access from:
    • All networks: The default setting, allowing access from anywhere.
    • Selected networks: Specify IP address ranges or virtual networks that are allowed to access the storage account.
  • Bypass Azure Storage firewall for specific virtual networks and IP addresses: Configure exceptions for trusted services or on-premises networks.

For example, to allow access from a specific IP address range, you would navigate to your storage account in the Azure portal, go to 'Networking' under 'Security + networking', and add the desired IP range under the 'Firewalls and virtual networks' tab.

# Example Azure CLI commands: allow one public IP range, keep the exception for
# trusted Microsoft services, then deny every other network. Adding the rule
# before switching the default action avoids a window where nothing is allowed.
az storage account network-rule add \
    --account-name mystorageaccount \
    --resource-group myresourcegroup \
    --ip-address 203.0.113.0/24

az storage account update \
    --name mystorageaccount \
    --resource-group myresourcegroup \
    --bypass AzureServices \
    --default-action Deny
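
Once the firewall is in place, the setting worth verifying is the resulting ruleset rather than the commands that produced it. The script below is an added example, not code from the page or from Microsoft: it reads the JSON that `az storage account show` prints and reports settings a reviewer would question (default action still Allow, IP rules wider than a chosen width, RFC 1918 ranges that Azure Storage rejects in IP rules, virtual network rules that have not reached the Succeeded state). The field names follow that command's output; the two sample documents are constructed by hand, the subscription id is a placeholder, and the /16 width limit is this script's own policy choice.

```python
"""Audit the network access settings of an Azure Storage account.

Added example; not code from the page or from Microsoft. It consumes the JSON
document that `az storage account show` prints. Field names (publicNetworkAccess,
networkRuleSet, defaultAction, bypass, ipRules, virtualNetworkRules) follow that
output; the sample documents below are constructed, not captured from a real
subscription, and MAX_RULE_WIDTH is a local policy choice, not an Azure limit.
"""
import ipaddress
import json
from typing import List

# RFC 1918 ranges: Azure Storage does not accept them in IP rules, so a rule
# carrying one of them can never match a public source address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_RULE_WIDTH = 16  # flag any allow rule broader than a /16 (local policy)

# Constructed sample: firewall still at the default, open to every network.
SAMPLE_OPEN = json.dumps({
    "name": "mystorageaccount",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices",
                       "ipRules": [], "virtualNetworkRules": []},
})

# Constructed sample: the same account locked down to one public range and one
# subnet (subscription id replaced by a placeholder).
SAMPLE_LOCKED = json.dumps({
    "name": "mystorageaccount",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "bypass": "AzureServices",
        "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
        "virtualNetworkRules": [{
            "action": "Allow", "state": "Succeeded",
            "virtualNetworkResourceId": "/subscriptions/<subscription-id>/resourceGroups/"
            "myresourcegroup/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/app",
        }],
    },
})


def audit_network_acls(account_json: str) -> List[str]:
    """Return the findings for one account; an empty list means nothing to report."""
    account = json.loads(account_json)
    rules = account.get("networkRuleSet") or {}
    findings: List[str] = []

    if account.get("publicNetworkAccess") == "Disabled":
        # Only private endpoints can reach the account; the rules below are moot.
        return findings

    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is Allow: any public IP can reach the data plane")

    for rule in rules.get("ipRules", []):
        cidr = rule.get("ipAddressOrRange", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"IP rule {cidr!r} is not a valid address or CIDR range")
            continue
        if net.prefixlen < MAX_RULE_WIDTH:
            findings.append(f"IP rule {cidr} is broader than /{MAX_RULE_WIDTH}")
        if any(net.overlaps(private) for private in RFC1918):
            findings.append(f"IP rule {cidr} is an RFC 1918 range and cannot match public traffic")

    for rule in rules.get("virtualNetworkRules", []):
        if rule.get("state") != "Succeeded":
            findings.append(f"virtual network rule {rule.get('virtualNetworkResourceId')} "
                            f"is in state {rule.get('state')}")

    if rules.get("defaultAction") == "Deny" and not rules.get("ipRules") \
            and not rules.get("virtualNetworkRules"):
        findings.append("defaultAction is Deny with no allow rules: "
                        "only trusted-service bypass traffic gets in")

    return findings


if __name__ == "__main__":
    for label, doc in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED)):
        print(label, audit_network_acls(doc) or ["no findings"])
```

Pipe real output into it with `az storage account show -n <account> -g <group> -o json` and feed the text to `audit_network_acls`; the early return on `publicNetworkAccess == "Disabled"` reflects that once public access is off, only private endpoints can reach the account and the firewall rules no longer decide anything.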

Private Endpoints

A private endpoint is a network interface in your VNet that takes a private IP address from the VNet's address space and maps to your storage account, so the service is reachable at that private address. Traffic between your VNet and the storage account travels over the Microsoft backbone network, eliminating exposure to the public internet.

Note: Private endpoints are the recommended approach for securing Azure Storage network access when clients reside within an Azure Virtual Network or on-premises networks connected via VPN or ExpressRoute.

Key benefits of using private endpoints:

  • Securely connect to Azure Storage from your VNet.
  • Minimize data exposure from the public internet.
  • Use private IP addresses from your VNet.
  • Access storage accounts via private DNS zones.
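
The last benefit above depends on DNS: a private endpoint only takes effect if the account's public name resolves, from inside the VNet, to the endpoint's private IP rather than the public one. The check below is an added example, not code from the page or from Microsoft. It assumes the documented Private Link DNS layout, in which `<account>.blob.core.windows.net` becomes a CNAME to `<account>.privatelink.blob.core.windows.net` once a private endpoint exists, the private DNS zone resolves that name to the private IP, and public DNS continues the chain to a public IP. The VNet address space, the account name and both lookup tables are constructed so the check runs offline; inside a VNet you would pass a resolver backed by real DNS queries.

```python
"""Check that a storage account's blob endpoint resolves through its private endpoint.

Added example; not code from the page or from Microsoft. The CNAME layout
(public name -> privatelink name -> private IP inside the VNet, or -> public IP
outside it) is the documented Private Link DNS pattern; the VNet range, account
name and answer tables below are constructed so the check runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                      # (record type, target)
Resolver = Callable[[str], Optional[Record]]  # name -> first record, or None

VNET_ADDRESS_SPACE = ipaddress.ip_network("10.20.0.0/16")  # constructed example VNet
PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"

# Constructed answers as seen by a client in the VNet with the private DNS zone linked.
INSIDE_VNET: Dict[str, Record] = {
    "mystorageaccount.blob.core.windows.net":
        ("CNAME", "mystorageaccount.privatelink.blob.core.windows.net"),
    "mystorageaccount.privatelink.blob.core.windows.net": ("A", "10.20.1.4"),
}

# Constructed answers as seen by a client that only uses public DNS (for example an
# on-premises host with no forwarder to the private zone): the chain ends at a public IP.
OUTSIDE_VNET: Dict[str, Record] = {
    "mystorageaccount.blob.core.windows.net":
        ("CNAME", "mystorageaccount.privatelink.blob.core.windows.net"),
    "mystorageaccount.privatelink.blob.core.windows.net":
        ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.10"),
}


def table_resolver(table: Dict[str, Record]) -> Resolver:
    """Build a resolver that answers from a fixed table (stand-in for real DNS)."""
    return lambda name: table.get(name)


def resolve_chain(name: str, resolve: Resolver, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from `name`; the returned list ends with the final A record's IP."""
    chain = [name]
    for _ in range(max_hops):
        answer = resolve(chain[-1])
        if answer is None:
            raise LookupError(f"no record for {chain[-1]}")
        rtype, target = answer
        chain.append(target)
        if rtype == "A":
            return chain
    raise LookupError(f"CNAME chain from {name} exceeds {max_hops} hops")


def uses_private_endpoint(account: str, resolve: Resolver,
                          vnet: ipaddress.IPv4Network = VNET_ADDRESS_SPACE) -> bool:
    """True only if the chain passes through the privatelink zone and ends inside the VNet."""
    chain = resolve_chain(f"{account}.blob.core.windows.net", resolve)
    via_privatelink = any(hop.endswith(PRIVATELINK_SUFFIX) for hop in chain[:-1])
    final_ip = ipaddress.ip_address(chain[-1])
    return via_privatelink and final_ip in vnet


if __name__ == "__main__":
    for label, table in (("inside", INSIDE_VNET), ("outside", OUTSIDE_VNET)):
        ok = uses_private_endpoint("mystorageaccount", table_resolver(table))
        print(f"{label}: {'private endpoint' if ok else 'PUBLIC endpoint'}")
```

Both conditions are checked on purpose: an answer inside the VNet range without the privatelink hop would point at something other than the storage account's private endpoint, and a privatelink hop that ends at a public IP is the classic symptom of a client whose DNS is not linked to the private zone, which then falls back to the public endpoint and is blocked if the firewall default action is Deny.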

Service Endpoints

Azure Storage service endpoints allow you to secure your storage account by restricting access to trusted Azure Virtual Networks. When enabled, traffic from your VNet to the storage account is routed directly over the Azure backbone network, bypassing public internet gateways.

You enable service endpoints on a subnet in your VNet, then add a virtual network rule to the storage account's firewall that allows that subnet. Because each rule is scoped to a single subnet, this is more granular than allowing an entire virtual network.

Azure Private Link

Azure Private Link is the foundational technology behind Azure Private Endpoints. It provides private connectivity from your virtual network to Azure platform services. With Private Link, you can access Azure Storage (and other Azure services such as Azure SQL Database and Azure Cosmos DB) securely and privately.

Ready to secure your Azure Storage data? Explore the detailed guides and best practices for Azure Storage networking.
