articles/storage/common/storage-network-security-overview.md
Lines changed: 19 additions & 45 deletions
@@ -19,13 +19,31 @@ Introduction. Mention that folks will still need to authorize to use data.
19
19
20
20
Azure Storage provides a layered security model. This model enables you to control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources that you use.
21
21
22
+
### About virtual network endpoints
23
+
24
+
There are two types of virtual network endpoints for storage accounts:
25
+
26
+
-[Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)
Virtual network service endpoints are public and accessible via the internet. The Azure Storage firewall provides the ability to control access to your storage account over such public endpoints. When you disable public network access to your storage account, all incoming requests for data are blocked by default. Only applications that request data from allowed sources that you configure in your storage account firewall settings will be able to access your data. Sources can include the source IP address or virtual network subnet of a client, or an Azure service or resource instance through which clients or services access your data. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services, unless you explicitly allow access in your firewall configuration.
30
+
31
+
A private endpoint uses a private IP address from your virtual network to access a storage account over the Microsoft backbone network. With a private endpoint, traffic between your virtual network and the storage account are secured over a private link. Storage firewall rules only apply to the public endpoints of a storage account, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. You can use [Network Policies](../../private-link/disable-private-endpoint-network-policy.md) to control traffic over private endpoints if you want to refine access rules. If you want to use private endpoints exclusively, you can use the firewall to block all access through the public endpoint.
32
+
33
+
To help you decide when to use each type of endpoint in your environment, see [Compare Private Endpoints and Service Endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
34
+
22
35
## General approach
23
36
37
+
To secure your storage account and build a secure network boundary for your applications:
38
+
24
39
- Enable secure transfer first.
25
-
- Where possible use a private endpoint. Here's why.
40
+
- Disable public network access to the storage account. This disables traffic to the public endpoint of your account.
41
+
- Where possible, configure private links to your storage account from private endpoints on virtual network subnets where the clients reside that require access to your data.
26
42
- If traffic is needed over a public endpoint, limit by setting network rules - or set up a network security perimeter.
27
43
- Finally, you can tighten up security by using a copy protection scope.
28
44
45
+
After you apply network rules, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules.
46
+
29
47
## Transport Layer security
30
48
31
49
Put something here.
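Review bot: the new "## Transport Layer security" section still ends in the placeholder "Put something here.", and the hunk's context line still carries the draft note "Introduction. Mention that folks will still need to authorize to use data."; both need real content (or removal) before this merges, and the heading should read "Transport Layer Security" since TLS is a proper name. Two fixes in the moved endpoint paragraphs: "traffic between your virtual network and the storage account are secured over a private link" should be "is secured", and "-[Virtual Network service endpoints](...)" needs a space after the hyphen or it will not render as a list item. The added bullet "Enable secure transfer first." gives neither a link nor a reason where the surrounding bullets do; the bullet it replaces ("Where possible use a private endpoint. Here's why.") at least flagged that the rationale was still owed, so either add a sentence on why secure transfer matters or link to the section that covers it.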
@@ -60,50 +78,6 @@ When you configure a blob container for anonymous public access, requests to rea
60
78
61
79
An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Microsoft Entra credentials for blobs, tables, file shares and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous access, requests to read data in that container don't need to be authorized. The firewall rules remain in effect and will block anonymous traffic.
62
80
63
-
64
-
## Stuff from original article
65
-
66
-
## Scenarios
67
-
68
-
> [!IMPORTANT]
69
-
> Azure Storage firewall rules only apply to [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md#data-plane) operations. [Control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md#control-plane) operations are not subject to the restrictions specified in firewall rules.
70
-
>
71
-
> Some operations, such as blob container operations, can be performed through both the control plane and the data plane. So if you attempt to perform an operation such as listing containers from the Azure portal, the operation will succeed unless it is blocked by another mechanism. Attempts to access blob data from an application such as Azure Storage Explorer are controlled by the firewall restrictions.
72
-
>
73
-
> For a list of data plane operations, see the [Azure Storage REST API Reference](/rest/api/storageservices/).
74
-
> For a list of control plane operations, see the [Azure Storage Resource Provider REST API Reference](/rest/api/storagerp/).
75
-
76
-
### About virtual network endpoints
77
-
78
-
There are two types of virtual network endpoints for storage accounts:
79
-
80
-
-[Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)
Virtual network service endpoints are public and accessible via the internet. The Azure Storage firewall provides the ability to control access to your storage account over such public endpoints. When you disable public network access to your storage account, all incoming requests for data are blocked by default. Only applications that request data from allowed sources that you configure in your storage account firewall settings will be able to access your data. Sources can include the source IP address or virtual network subnet of a client, or an Azure service or resource instance through which clients or services access your data. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services, unless you explicitly allow access in your firewall configuration.
84
-
85
-
A private endpoint uses a private IP address from your virtual network to access a storage account over the Microsoft backbone network. With a private endpoint, traffic between your virtual network and the storage account are secured over a private link. Storage firewall rules only apply to the public endpoints of a storage account, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. You can use [Network Policies](../../private-link/disable-private-endpoint-network-policy.md) to control traffic over private endpoints if you want to refine access rules. If you want to use private endpoints exclusively, you can use the firewall to block all access through the public endpoint.
86
-
87
-
To help you decide when to use each type of endpoint in your environment, see [Compare Private Endpoints and Service Endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
88
-
89
-
### How to approach network security for your storage account
90
-
91
-
To secure your storage account and build a secure network boundary for your applications:
92
-
93
-
1. Start by disabling all public network access for the storage account under the **Public network access** setting in the storage account firewall.
94
-
1. Where possible, configure private links to your storage account from private endpoints on virtual network subnets where the clients reside that require access to your data.
95
-
1. If client applications require access over the public endpoints, change the **Public network access** setting to **Enabled from selected virtual networks and IP addresses**. Then, as needed:
96
-
97
-
1. Specify the virtual network subnets from which you want to allow access.
98
-
1. Specify the public IP address ranges of clients from which you want to allow access, such as those on on-premises networks.
99
-
1. Allow access from selected Azure resource instances.
100
-
1. Add exceptions to allow access from trusted services required for operations such as backing up data.
101
-
1. Add exceptions for logging and metrics.
102
-
103
-
After you apply network rules, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules.
104
-
105
-
106
-
107
81
## Next steps
108
82
109
83
- Learn more about [Azure network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).
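Review bot: this deletion drops the "[!IMPORTANT]" callout stating that Azure Storage firewall rules apply only to data plane operations and that control plane operations (for example listing containers from the Azure portal) are not subject to them, and nothing in the diff carries that caveat forward. Without it the retained sentence "After you apply network rules, they're enforced for all requests." overstates what the firewall covers, so keep the callout, ideally next to that sentence. The removed numbered procedure also named the concrete settings a reader has to find: the **Public network access** setting, the **Enabled from selected virtual networks and IP addresses** value, allowing selected Azure resource instances, and the exceptions for trusted services and for logging and metrics. The bullet list that replaces it in the first hunk reduces all of this to "limit by setting network rules"; fold those specifics back under that bullet or link to the section that documents them. Removing the "## Stuff from original article" heading itself is fine.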