You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/storage/common/storage-network-security.md
+30-20Lines changed: 30 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -354,35 +354,45 @@ You can manage IP network rules for storage accounts through the Azure portal, P
354
354
355
355
## Exceptions
356
356
357
-
Network rules can enable a secure network configuration for most scenarios. However, there are some cases where exceptions must be granted to enable full functionality. You can configure storage accounts with exceptions for trusted Microsoft services, and for access to storage analytics data.
357
+
Network rules help to create a secure environment for access between your applications and your data for most scenarios. However, some applications use services that cannot be uniquely isolated through virtual network or IP address rules. But such services must be granted to the storage account to enable full application functionality. You can use the ***Allow trusted Microsoft services...*** exception to enable some access scenarios for your data, logs, or analytics.
358
358
359
359
### Trusted Microsoft services
360
360
361
-
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules.
361
+
Some Microsoft services operate from networks can't be granted access through existing network rules. You can allow a subset of such trusted Microsoft services to access the storage account, while maintaining network rules for other apps. These services can then use strong authentication to connect to a storage account. We enable two types of trusted access for Microsoft services.
362
362
363
-
In order for some services to work as intended, you must allow a subset of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.
363
+
- Resources of some services can be granted access for select operations, such as writing logs or for backup.
364
+
- A particular instance of some services can be granted access by [assigning a RBAC role](storage-auth-aad.md#assign-rbac-roles-for-access-rights) to the resource instance.
364
365
365
-
If you enable the **Allow trusted Microsoft services...** exception, the following services (when registered in your subscription), are granted access to the storage account:
| Azure Backup | Microsoft.RecoveryServices | Run backups and restores of unmanaged disks in IAAS virtual machines. (not required for managed disks). [Learn more](/azure/backup/backup-introduction-to-azure-backup). |
370
-
| Azure Data Box | Microsoft.DataBox | Enables import of data to Azure using Data Box. [Learn more](/azure/databox/data-box-overview). |
| Azure Event Grid | Microsoft.EventGrid | Enable Blob Storage event publishing and allow Event Grid to publish to storage queues. Learn about [blob storage events](/azure/event-grid/event-sources) and [publishing to queues](/azure/event-grid/event-handlers). |
373
-
| Azure Event Hubs | Microsoft.EventHub | Archive data with Event Hubs Capture. [Learn More](/azure/event-hubs/event-hubs-capture-overview). |
374
-
| Azure File Sync | Microsoft.StorageSync | Enables you to transform your on-prem file server to a cache for Azure File shares. Allowing for multi-site sync, fast disaster-recovery, and cloud-side backup. [Learn more](../files/storage-sync-files-planning.md) |
375
-
| Azure HDInsight | Microsoft.HDInsight | Provision the initial contents of the default file system for a new HDInsight cluster. [Learn more](https://azure.microsoft.com/blog/enhance-hdinsight-security-with-service-endpoints/). |
376
-
| Azure Machine Learning Service | Microsoft.MachineLearningServices | Authorized Azure Machine Learning workspaces write experiment output, models, and logs to Blob storage. [Learn more](/azure/machine-learning/service/how-to-enable-virtual-network#use-a-storage-account-for-your-workspace).
377
-
| Azure Monitor | Microsoft.Insights | Allows writing of monitoring data to a secured storage account [Learn more](/azure/monitoring-and-diagnostics/monitoring-roles-permissions-security). |
378
-
| Azure Networking | Microsoft.Network | Store and analyze network traffic logs. [Learn more](/azure/network-watcher/network-watcher-packet-capture-overview). |
379
-
| Azure Site Recovery | Microsoft.SiteRecovery | Configure disaster recovery by enabling replication for Azure IaaS virtual machines. This is required if you are using firewall enabled cache storage account or source storage account or target storage account. [Learn more](https://docs.microsoft.com/azure/site-recovery/azure-to-azure-tutorial-enable-replication). |
380
-
| Azure SQL Data Warehouse | Microsoft.Sql | Allows import and export scenarios from specific SQL Databases instances using PolyBase. [Learn more](/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview). |
381
-
| Azure Stream Analytics | Microsoft.StreamAnalytics | Allows data from a streaming job to be written to Blob storage. Note that this feature is currently in preview. [Learn more](../../stream-analytics/blob-output-managed-identity.md). |
367
+
When you enable the **Allow trusted Microsoft services...** exception, the following services (when registered in your subscription) are granted access to the storage account for select operations as described:
| Azure Backup | Microsoft.RecoveryServices | Run backups and restores of unmanaged disks in IAAS virtual machines. (not required for managed disks). [Learn more](/azure/backup/backup-introduction-to-azure-backup). |
372
+
| Azure Data Box | Microsoft.DataBox | Enables import of data to Azure using Data Box. [Learn more](/azure/databox/data-box-overview). |
| Azure Event Grid | Microsoft.EventGrid | Enable Blob Storage event publishing and allow Event Grid to publish to storage queues. Learn about [blob storage events](/azure/event-grid/event-sources) and [publishing to queues](/azure/event-grid/event-handlers). |
375
+
| Azure Event Hubs | Microsoft.EventHub | Archive data with Event Hubs Capture. [Learn More](/azure/event-hubs/event-hubs-capture-overview). |
376
+
| Azure File Sync | Microsoft.StorageSync | Enables you to transform your on-prem file server to a cache for Azure File shares. Allowing for multi-site sync, fast disaster-recovery, and cloud-side backup. [Learn more](../files/storage-sync-files-planning.md) |
377
+
| Azure HDInsight | Microsoft.HDInsight | Provision the initial contents of the default file system for a new HDInsight cluster. [Learn more](https://azure.microsoft.com/blog/enhance-hdinsight-security-with-service-endpoints/). |
378
+
| Azure Machine Learning Service | Microsoft.MachineLearningServices | Authorized Azure Machine Learning workspaces write experiment output, models, and logs to Blob storage. [Learn more](/azure/machine-learning/service/how-to-enable-virtual-network#use-a-storage-account-for-your-workspace). |
379
+
| Azure Monitor | Microsoft.Insights | Allows writing of monitoring data to a secured storage account [Learn more](/azure/monitoring-and-diagnostics/monitoring-roles-permissions-security). |
380
+
| Azure Networking | Microsoft.Network | Store and analyze network traffic logs. [Learn more](/azure/network-watcher/network-watcher-packet-capture-overview). |
381
+
| Azure Site Recovery | Microsoft.SiteRecovery | Enable replication for disaster-recovery of Azure IaaS virtual machines when using firewall-enabled cache, source, or target storage accounts. [Learn more](https://docs.microsoft.com/azure/site-recovery/azure-to-azure-tutorial-enable-replication). |
382
+
383
+
The **Allow trusted Microsoft services...** exception enables specific instances of these services to access the storage account, if the [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) for the instance is assigned an RBAC role.
| Azure SQL Data Warehouse | Microsoft.Sql | Allows import and export of data from specific SQL Database instances using PolyBase. [Learn more](/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview). |
390
+
| Azure Stream Analytics | Microsoft.StreamAnalytics | Allows data from a streaming job to be written to Blob storage. This feature is currently in preview. [Learn more](../../stream-analytics/blob-output-managed-identity.md). |
391
+
382
392
383
393
### Storage analytics data access
384
394
385
-
In some cases, access to read diagnostic logs and metrics is required from outside the network boundary. You can grant exceptions to the network rules to allow read-access to storage account log files, metrics tables, or both. [Learn more about working with storage analytics.](/azure/storage/storage-analytics)
395
+
In some cases, access for reading diagnostic logs and metrics is required from outside the network boundary. When configuring trusted services access to the storage account, you can allow read-access for the log files, metrics tables, or both. [Learn more about working with storage analytics.](/azure/storage/storage-analytics)
0 commit comments