description: Learn about the restrictions and limitations for Azure Storage firewall configuration.
4
4
services: storage
5
5
author: normesta
6
6
ms.service: azure-storage
@@ -11,16 +11,22 @@ ms.author: normesta
11
11
12
12
---
13
13
14
-
# Restrictions and limitations for Azure Storage firewall and virtual network configuration
14
+
# Guidelines and limitations for the Azure Storage firewall
15
15
16
16
Before you implement network security for your storage accounts, review the important restrictions and considerations discussed in this section.
17
17
18
-
## General restrictions and considerations
18
+
## General guidelines and limitations
19
19
20
20
- Azure Storage firewall rules apply only to [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md#data-plane) operations. [Control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md#control-plane) operations are not subject to the restrictions specified in firewall rules.
21
21
22
22
- To access data by using tools such as the Azure portal, Azure Storage Explorer, and AzCopy, you must be on a machine within the trusted boundary that you establish when configuring network security rules.
23
23
24
+
Some operations, such as blob container operations, can be performed through both the control plane and the data plane. So if you attempt to perform an operation such as listing containers from the Azure portal, the operation will succeed unless it is blocked by another mechanism. Attempts to access blob data from an application such as Azure Storage Explorer are controlled by the firewall restrictions.
25
+
26
+
For a list of data plane operations, see the [Azure Storage REST API Reference](/rest/api/storageservices/).
27
+
28
+
For a list of control plane operations, see the [Azure Storage Resource Provider REST API Reference](/rest/api/storagerp/).
29
+
24
30
- Network rules are enforced on all network protocols for Azure Storage, including REST and SMB.
25
31
26
32
- Network rules don't affect virtual machine (VM) disk traffic, including mount and unmount operations and disk I/O, but they do help protect REST access to page blobs.
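Review bot: the three new paragraphs inserted after the bullet "To access data by using tools such as the Azure portal, Azure Storage Explorer, and AzCopy, you must be on a machine within the trusted boundary…" are not indented under that bullet, so they terminate the list and leave the remaining bullets ("Network rules are enforced on all network protocols…", "Network rules don't affect virtual machine (VM) disk traffic…") as a separate second list. They also sit in tension with the bullet they follow: the bullet says portal access requires being inside the trusted boundary, while the new text says listing containers from the portal "will succeed unless it is blocked by another mechanism". Suggest indenting the paragraphs under the bullet, stating explicitly that listing containers in the portal is a control plane request (the Resource Provider REST API linked in the same paragraph) whereas reading blob data is a data plane request that the firewall does govern, and naming the "other mechanism" meant rather than leaving it open. Separately, the intro sentence "review the important restrictions and considerations discussed in this section" still uses the old wording after the title and heading were renamed to "guidelines and limitations".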
articles/storage/common/storage-network-security-overview.md (36 additions, 14 deletions)
@@ -13,30 +13,58 @@ ms.author: normesta
13
13
14
14
# Azure Storage network security overview
15
15
16
+
Introduction. Mention that folks will still need to authorize to use data.
17
+
18
+
## Relevant conceptual material
19
+
16
20
Azure Storage provides a layered security model. This model enables you to control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources that you use.
17
21
18
-
When you configure network rules, only applications that request data over the specified set of networks or through the specified set of Azure resources can access a storage account. You can limit access to your storage account to requests that come from specified IP addresses, IP ranges, subnets in an Azure virtual network, or resource instances of some Azure services.
22
+
## General approach
19
23
20
-
Storage accounts have a public endpoint that's accessible through the internet. You can also create [private endpoints for your storage account](storage-private-endpoints.md). Creating private endpoints assigns a private IP address from your virtual network to the storage account. It helps secure traffic between your virtual network and the storage account over a private link.
24
+
- Enable secure transfer first.
25
+
- Where possible use a private endpoint. Here's why.
26
+
- If traffic is needed over a public endpoint, limit by setting network rules - or set up a network security perimeter.
27
+
- Finally, you can tighten up security by using a copy protection scope.
21
28
22
-
The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when you're using private endpoints. Your firewall configuration also enables trusted Azure platform services to access the storage account.
29
+
## Transport Layer security
23
30
24
-
An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Microsoft Entra credentials for blobs, tables, file shares and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous access, requests to read data in that container don't need to be authorized. The firewall rules remain in effect and will block anonymous traffic.
31
+
Put something here.
25
32
26
-
Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service that operates within an Azure virtual network or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services.
33
+
## Private endpoints
27
34
28
-
You can grant access to Azure services that operate from within a virtual network by allowing traffic from the subnet that hosts the service instance. You can also enable a limited number of scenarios through the exceptions mechanism that this article describes. To access data from the storage account through the Azure portal, you need to be on a machine within the trusted boundary (either IP or virtual network) that you set up.
35
+
Storage accounts have a public endpoint that's accessible through the internet. You can also create [private endpoints for your storage account](storage-private-endpoints.md). Creating private endpoints assigns a private IP address from your virtual network to the storage account. It helps secure traffic between your virtual network and the storage account over a private link.
What is a public endpoint? Explain that. Put stuff here for how to secure that public endpoint.
40
+
41
+
The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when you're using private endpoints. Your firewall configuration also enables trusted Azure platform services to access the storage account.
42
+
43
+
Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service that operates within an Azure virtual network or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services.
33
44
34
45
To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint, by default. Then, you should configure rules that grant access to traffic from specific virtual networks. You can also configure rules to grant access to traffic from selected public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration helps you build a secure network boundary for your applications.
35
46
36
47
You can combine firewall rules that allow access from specific virtual networks and from public IP address ranges on the same storage account. You can apply storage firewall rules to existing storage accounts or when you create new storage accounts.
37
48
38
49
Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.
39
50
51
+
## Copy operation scopes
52
+
53
+
Put something here.
54
+
55
+
### Authorization
56
+
57
+
Clients granted access via network rules must continue to meet the authorization requirements of the storage account to access the data. Authorization is supported with Microsoft Entra credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token.
58
+
59
+
When you configure a blob container for anonymous public access, requests to read data in that container don't need to be authorized, but the firewall rules remain in effect and will block anonymous traffic.
60
+
61
+
An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Microsoft Entra credentials for blobs, tables, file shares and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous access, requests to read data in that container don't need to be authorized. The firewall rules remain in effect and will block anonymous traffic.
62
+
63
+
64
+
## Stuff from original article
65
+
66
+
## Scenarios
67
+
40
68
> [!IMPORTANT]
41
69
> Azure Storage firewall rules only apply to [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md#data-plane) operations. [Control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md#control-plane) operations are not subject to the restrictions specified in firewall rules.
42
70
>
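Review bot: placeholder text is committed in the new sections ("Introduction. Mention that folks will still need to authorize to use data.", "Put something here." under both "## Transport Layer security" and "## Copy operation scopes", "What is a public endpoint? Explain that. Put stuff here for how to secure that public endpoint.", "## Stuff from original article", "Here's why.") and must not merge into the live article; either mark the PR as a draft or fill these in before review. The relocated paragraphs also duplicate each other: the two paragraphs under "### Authorization" ("Clients granted access via network rules must continue to meet…", "When you configure a blob container for anonymous public access…") say the same thing as the "An application that accesses a storage account when network rules are in effect…" paragraph added two lines later, so keep one version. Naming is inconsistent between the "General approach" bullet ("copy protection scope") and the heading "## Copy operation scopes", and "Transport Layer security" should be capitalized "Transport Layer Security". Finally, "## Scenarios" is followed directly by the "> [!IMPORTANT]" note with no introductory sentence, and that note repeats the data plane / control plane statement already carried by the restrictions article in the earlier hunk.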
@@ -74,12 +102,6 @@ To secure your storage account and build a secure network boundary for your appl
74
102
75
103
After you apply network rules, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules.
76
104
77
-
### Authorization
78
-
79
-
Clients granted access via network rules must continue to meet the authorization requirements of the storage account to access the data. Authorization is supported with Microsoft Entra credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token.
80
-
81
-
When you configure a blob container for anonymous public access, requests to read data in that container don't need to be authorized, but the firewall rules remain in effect and will block anonymous traffic.
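Review bot: the deleted "### Authorization" paragraphs are re-added verbatim earlier in the same file, but there they land under the "## Copy operation scopes" H2, directly after a "Put something here." placeholder, which is unrelated to authorization. Consider leaving the section here, beside the SAS sentence it logically follows ("SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules."), or moving it under a heading that is actually about authorization, so the heading hierarchy reflects the content.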
articles/storage/common/storage-network-security.md (3 additions, 3 deletions)
@@ -1,5 +1,5 @@
1
-
---
2
-
title: Azure Storage firewall and virtual network rules
1
+
---
2
+
title: Azure Storage firewall rules
3
3
description: Learn about settings that you can use to secure traffic to the public endpoints of your Azure Storage account.
4
4
services: storage
5
5
author: normesta
@@ -11,7 +11,7 @@ ms.author: normesta
11
11
12
12
---
13
13
14
-
# Azure Storage firewall and virtual network rules
14
+
# Azure Storage firewall rules
15
15
16
16
You can disable public network access to your storage account and permit traffic only if it originates from sources that you specify. Sources can include [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md) subnets, public IP address ranges, specific Azure resource instances, or traffic from trusted Azure services.
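Review bot: the new H1 "# Azure Storage firewall rules" drops "virtual network", yet the retained first sentence of the body still lists Azure Virtual Network subnets as the first source you can permit; if the virtual network rules content stays in this article, keep that scope visible in the title or in the `description:` front matter so readers searching for virtual network rules still find the page, and update any cross-references whose link text uses the old title. The `title:` change in the previous hunk matches this H1, which is consistent.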