If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you are running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
48
+
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
49
49
50
50
### [CLI](#tab/cli)
51
51
@@ -73,7 +73,7 @@ Service endpoints are enabled per service, per subnet.
73
73
74
74
1. Select **+ Subnet**.
75
75
76
-
1. On the **Add subnet** page, enter or select the following information:
76
+
1. On the **Add subnet** page, enter, or select the following information:
77
77
78
78
| Setting | Value |
79
79
| --- | --- |
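Review bot: The comma added in "enter, or select the following information" on the **Add subnet** step is incorrect. "Enter or select" is a compound verb with a single object, so nothing should separate the two verbs. Keep the original "enter or select the following information".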
@@ -130,7 +130,7 @@ Service endpoints are enabled per service, per subnet.
130
130
$virtualNetwork | Set-AzVirtualNetwork
131
131
```
132
132
133
-
1. Create an additional subnet in the virtual network. In this example, a subnet named *subnet-private* is created with a service endpoint for *Microsoft.Storage*:
133
+
1. Create another subnet in the virtual network. In this example, a subnet named *subnet-private* is created with a service endpoint for *Microsoft.Storage*:
134
134
135
135
```azurepowershell-interactive
136
136
$subpriv = @{
@@ -181,7 +181,7 @@ Azure Bastion uses your browser to connect to VMs in your virtual network over S
181
181
New-AzPublicIpAddress @ip
182
182
```
183
183
184
-
1. Use the [New-AzBastion](/powershell/module/az.network/new-azbastion) command to create a new Standard SKU Bastion host in **AzureBastionSubnet**:
184
+
1. Use the [New-AzBastion](/powershell/module/az.network/new-azbastion) command to create a new standard Bastion host in **AzureBastionSubnet**:
185
185
186
186
```azurepowershell-interactive
187
187
$bastion = @{
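Review bot: Lowercasing "Standard SKU" to "standard" in the New-AzBastion step turns a named SKU into a generic adjective, and the step no longer says which SKU is deployed. Keep "a new Standard SKU Bastion host".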
@@ -252,7 +252,7 @@ By default, all virtual machine instances in a subnet can communicate with any r
252
252
253
253
1. In **Network security groups**, select **+ Create**.
254
254
255
-
1. In the **Basics** tab of **Create network security group**, enter or select the following information:
255
+
1. In the **Basics** tab of **Create network security group**, enter, or select the following information:
256
256
257
257
| Setting | Value |
258
258
| ------- | ----- |
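Review bot: The **Basics** tab step gets the same stray comma, "enter, or select the following information". Revert it to "enter or select".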
@@ -290,7 +290,7 @@ az network nsg create \
290
290
291
291
---
292
292
293
-
### Create outbound NSG rules
293
+
### Create outbound Network Security Group (NSG) rules
294
294
295
295
### [Portal](#tab/portal)
296
296
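Review bot: Expanding the heading to "Create outbound Network Security Group (NSG) rules" changes the anchor generated from the heading text, so any link that targets the old heading has to be updated in the same change. The capitalisation also differs from the lowercase "network security group" used in the body text of this file. "Create outbound network security group (NSG) rules" would be consistent.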
@@ -312,7 +312,7 @@ az network nsg create \
312
312
| Destination | Select **Service Tag**. |
313
313
| Destination service tag | Select **Storage**. |
314
314
| Service | Leave default of **Custom**. |
315
-
| Destination port ranges | Enter **445**. </br> SMB protocol is used to connect to a file share created in a later step. |
315
+
| Destination port ranges | Enter **445**. |
316
316
| Protocol | Select **Any**. |
317
317
| Action | Select **Allow**. |
318
318
| Priority | Leave the default of **100**. |
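Review bot: The **Destination port ranges** row loses the only explanation of why port 445 is allowed outbound. A rule that opens a port should state what the port is for, so keep "SMB protocol is used to connect to a file share created in a later step." If the `</br>` tag was the reason for the deletion, move the sentence to a line below the table instead of dropping it.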
@@ -530,7 +530,7 @@ The steps required to restrict network access to resources created through Azure
530
530
531
531
For more information about connecting to a storage account using a managed identity, see [Use a managed identity to access Azure Storage](/entra/identity/managed-identities-azure-resources/tutorial-linux-managed-identities-vm-access?pivots=identity-linux-mi-vm-access-storage).
532
532
533
-
The key is used to create a file share in a later step. Enter `$storageAcctKey` and note the value, as you'll also need to manually enter it in a later step when you map the file share to a drive in a VM.
533
+
The key is used to create a file share in a later step. Enter `$storageAcctKey` and note the value. You manually enter it in a later step when you map the file share to a drive in a virtual machine.
534
534
535
535
### [CLI](#tab/cli)
536
536
@@ -662,7 +662,7 @@ To restrict network access to a subnet:
662
662
663
663
### [PowerShell](#tab/powershell)
664
664
665
-
1. By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to *Deny* with [Update-AzStorageAccountNetworkRuleSet](/powershell/module/az.storage/update-azstorageaccountnetworkruleset). Once network access is denied, the storage account is not accessible from any network.
665
+
1. By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to *Deny* with [Update-AzStorageAccountNetworkRuleSet](/powershell/module/az.storage/update-azstorageaccountnetworkruleset). Once network access is denied, the storage account isn't accessible from any network.
666
666
667
667
```azurepowershell-interactive
668
668
$storagerule = @{
@@ -727,7 +727,7 @@ To test network access to a storage account, deploy a virtual machine to each su
727
727
728
728
### Create the second virtual machine
729
729
730
-
1. Repeat the steps in the previous section to create a second virtual machine. Replace the following values in **Create a virtual machine**:
730
+
1. Create a second virtual machine repeating the steps in the previous section. Replace the following values in **Create a virtual machine**:
731
731
732
732
| Setting | Value |
733
733
| ------- | ----- |
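Review bot: "Create a second virtual machine repeating the steps in the previous section" is missing "by" and reads as though the virtual machine repeats the steps. Either keep the original sentence or write "Create a second virtual machine by repeating the steps in the previous section."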
@@ -743,7 +743,7 @@ To test network access to a storage account, deploy a virtual machine to each su
743
743
744
744
### Create the first virtual machine
745
745
746
-
Create a virtual machine in the *subnet-public* subnet with [New-AzVM](/powershell/module/az.compute/new-azvm). When running the command that follows, you are prompted for credentials. The values that you enter are configured as the user name and password for the VM.
746
+
Create a virtual machine in the *subnet-public* subnet with [New-AzVM](/powershell/module/az.compute/new-azvm). When running the command that follows, you're prompted for credentials. The values that you enter are configured as the user name and password for the VM.
747
747
748
748
```azurepowershell-interactive
749
749
$vm1 = @{
@@ -773,7 +773,7 @@ $vm2 = @{
773
773
New-AzVm @vm2
774
774
```
775
775
776
-
It takes a few minutes for Azure to create the VM. Do not continue to the next step until Azure finishes creating the VM and returns output to PowerShell.
776
+
It takes a few minutes for Azure to create the VM. Don't continue to the next step until Azure finishes creating the VM and returns output to PowerShell.
777
777
778
778
### [CLI](#tab/cli)
779
779
@@ -840,7 +840,7 @@ The virtual machine you created earlier that is assigned to the **subnet-private
840
840
841
841
1. In **Security + networking**, select **Access keys**.
842
842
843
-
1. Copy the value of **key1**. You may need to select the **Show** button to display the key.
843
+
1. Copy the value of **key1**. You might need to select the **Show** button to display the key.
844
844
845
845
:::image type="content" source="./media/tutorial-restrict-network-access-to-resources/storage-account-access-key.png" alt-text="Screenshot of storage account access key.":::
846
846
@@ -904,7 +904,7 @@ The virtual machine you created earlier that is assigned to the **subnet-private
904
904
905
905
1. In **Security + networking**, select **Access keys**.
906
906
907
-
1. Copy the value of **key1**. You may need to select the **Show** button to display the key.
907
+
1. Copy the value of **key1**. You might need to select the **Show** button to display the key.
908
908
909
909
:::image type="content" source="./media/tutorial-restrict-network-access-to-resources/storage-account-access-key.png" alt-text="Screenshot of storage account access key.":::
910
910
@@ -958,7 +958,7 @@ The virtual machine you created earlier that is assigned to the **subnet-private
958
958
ping bing.com
959
959
```
960
960
961
-
You receive no replies, because the network security group associated to the *Private* subnet does not allow outbound access to public IP addresses other than the addresses assigned to the Azure Storage service.
961
+
You receive no replies, because the network security group associated to the *Private* subnet doesn't allow outbound access to public IP addresses other than the addresses assigned to the Azure Storage service.
962
962
963
963
1. Close the Bastion connection to **vm-private**.
964
964
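Review bot: The sentence edited here still calls the subnet *Private*, while the other steps in this file name it *subnet-private*. Since the line is being touched anyway, change it to "the *subnet-private* subnet" so the reader can match the network security group to the subnet created earlier.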
@@ -1014,7 +1014,7 @@ SSH into the *vm-private* VM.
1014
1014
1015
1015
1. Enter the username and password you specified when creating the virtual machine. Select **Connect**.
1016
1016
1017
-
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You may need to copy the storage account access key again for this procedure:
1017
+
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You might need to copy the storage account access key again for this procedure:
1018
1018
1019
1019
```powershell
1020
1020
$key = @{
@@ -1080,7 +1080,7 @@ SSH into the *vm-private* VM.
1080
1080
1081
1081
1. Enter the username and password you specified when creating the virtual machine. Select **Connect**.
1082
1082
1083
-
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You may need to copy the storage account access key again for this procedure:
1083
+
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You might need to copy the storage account access key again for this procedure:
1084
1084
1085
1085
```powershell
1086
1086
$key = @{
@@ -1125,7 +1125,12 @@ SSH into the *vm-private* VM.
1125
1125
Get-AzStorageFile @storage
1126
1126
```
1127
1127
1128
-
Access is denied, and you receive a *Get-AzStorageFile : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation* error, because your computer is not in the *subnet-private* subnet of the *vnet-1* virtual network.
1128
+
Access is denied. You receive an output similar to the following example.
1129
+
1130
+
```output
1131
+
Get-AzStorageFile : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request isn't authorized to perform this operation
1132
+
```
1133
+
Your computer isn't in the *subnet-private* subnet of the *vnet-1* virtual network.
1129
1134
1130
1135
### [CLI](#tab/cli)
1131
1136
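Review bot: The contraction pass has altered text inside the new `output` block. The removed line quoted the error as "This request is not authorized to perform this operation", and the block now reads "isn't authorized". Quoted command output should stay verbatim so that readers can match it against their terminal and search for it, so restore "is not" there. Splitting the sentence also drops "because", so the closing line no longer states that being outside *subnet-private* is the reason for the 403. "Access is denied because your computer isn't in the *subnet-private* subnet of the *vnet-1* virtual network." ahead of the block would keep that link.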
@@ -1209,7 +1214,7 @@ In this tutorial:
1209
1214
1210
1215
To learn more about service endpoints, see [Service endpoints overview](virtual-network-service-endpoints-overview.md) and [Manage subnets](virtual-network-manage-subnet.md).
1211
1216
1212
-
If you have multiple virtual networks in your account, you may want to establish connectivity between them so that resources can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.
1217
+
If you have multiple virtual networks in your account, you might want to establish connectivity between them so that resources can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.