articles/storage/common/storage-network-security.md
+9 −6 (9 additions & 6 deletions)
Original file line number | Diff line number | Diff line change
@@ -5,7 +5,7 @@ services: storage
5
5
author: jimmart-dev
6
6
ms.service: storage
7
7
ms.topic: how-to
8
-
ms.date: 04/10/2023
8
+
ms.date: 04/20/2023
9
9
ms.author: jammart
10
10
ms.reviewer: santoshc
11
11
ms.subservice: common
@@ -125,7 +125,7 @@ By default, storage accounts accept connections from clients on any network. You
125
125
126
126
## Grant access from a virtual network
127
127
128
-
You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.
128
+
You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription or a different subscription, including those belonging to a different Azure Active Directory tenant. With global service endpoints, the allowed subnets can also be in different regions from the storage account.
129
129
130
130
You can enable a [Service endpoint](../../virtual-network/virtual-network-service-endpoints-overview.md) for Azure Storage within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data.
131
131
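Review bot: the sentence added in the `+` line ("With global service endpoints, the allowed subnets can also be in different regions from the storage account.") reads as if cross-region subnets were newly possible, but the unchanged "Available virtual network regions" section of this same file (and the `+` line in the next hunk) already states that service endpoints for Azure Storage work between virtual networks and storage instances in any region. State what global endpoints actually change for the cross-region case, consistent with the later hunk: traffic from a subnet to a storage account in another region now uses the subnet's private IP as its source, so the storage account sees the request as coming from that subnet rather than from a public IP, and IP network rules for that subnet stop matching. Suggested wording: "With global service endpoints (**Microsoft.Storage.Global**), subnets in regions other than the storage account's region are also identified to the storage account by their private source IP, so virtual network rules apply to them in the same way." Also, "different regions from the storage account" is awkward; "regions other than the storage account's region" is clearer.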
@@ -145,21 +145,24 @@ Storage account and the virtual networks granted access may be in different subs
145
145
146
146
### Available virtual network regions
147
147
148
-
Service endpoints for Azure Storage work between virtual networks and service instances in any region.
148
+
Service endpoints for Azure Storage work between virtual networks and storage service instances in any region.
149
149
150
150
Configuring service endpoints between virtual networks and service instances in a [paired region](../../best-practices-availability-paired-regions.md) can be an important part of your disaster recovery plan. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.
151
151
152
152
When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.
153
153
154
154
#### Azure Storage global service endpoints
155
155
156
-
Global service endpoints for Azure became generally available in April of 2023. With global service endpoints, subnets will no longer use a public IP address to communicate with any storage account. Instead, all the traffic from subnets to storage accounts will use a private IP address as a source IP. As a result, any storage accounts that use IP network rules to permit traffic from those subnets will no longer have an effect.
156
+
Global service endpoints for Azure became generally available in April of 2023. With global service endpoints, subnets will no longer use a public IP address to communicate with any storage account, including those in another region. Instead, all the traffic from subnets to storage accounts will use a private IP address as a source IP. As a result, any storage accounts that use IP network rules to permit traffic from those subnets will no longer have an effect.
157
157
158
-
To use global service endpoints, it might be necessary to delete existing **Microsoft.Storage** endpoints and recreate them as global (**Microsoft.Storage.Global**).
158
+
> [!IMPORTANT]
159
+
> Local and global service endpoints cannot coexist on the same subnet.
160
+
>
161
+
> To replace existing service endpoints with global ones, delete the existing **Microsoft.Storage** endpoints and recreate them as global endpoints (**Microsoft.Storage.Global**).
159
162
160
163
### Managing virtual network rules
161
164
162
-
You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.
165
+
You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.
163
166
164
167
> [!NOTE]
165
168
> If you want to enable access to your storage account from a virtual network/subnet in another Azure AD tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants.
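Review bot: the new `[!IMPORTANT]` callout tells readers to delete the **Microsoft.Storage** endpoint and recreate it as **Microsoft.Storage.Global**, but omits the consequence spelled out two paragraphs earlier in this hunk: after the switch, traffic from those subnets uses a private source IP, so any storage account that relied on IP network rules for them stops accepting their requests. The callout should give the migration order explicitly: add virtual network rules for the affected subnets on every storage account they reach first, then delete and recreate the endpoint, and plan for the window between deletion and recreation, during which the subnet is covered by neither endpoint and "Local and global service endpoints cannot coexist on the same subnet" rules out a side-by-side cutover. Two smaller points in the same hunk: "Global service endpoints for Azure became generally available" should name the service ("Global service endpoints for Azure Storage"), and "will no longer have an effect" is vaguer than "will no longer match traffic from those subnets"; and the final `-`/`+` pair ("You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.") is a whitespace-only change that should either be dropped from the commit or used to replace "CLIv2" with "Azure CLI", the name the NOTE directly below it uses.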