description: Learn about how to set up network security for Azure Storage accounts.
services: storage
author: normesta
@@ -11,64 +11,55 @@ ms.author: normesta
---
-
# Azure Storage network security overview
+
# Azure Storage network security
-
Introduction. Mention that folks will still need to authorize to use data.
+
Intro sentance here.
-
## Relevant conceptual material
+
First, configure account to accept requests only from secure connections (HTTPS). Then, where possible, create private links to your storage account which secure access over a *private endpoint*. If your storage account must accept traffic over the *public endpoint*, then add rules network rules or include your storage account in a network security perimeter.
-
Azure Storage provides a layered security model. This model enables you to control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources that you use.
+
After you secure the network boundary, you can increased protection against infiltration of data by restricting the the source of copy operations. To learn more, [Restrict the source of copy operations to a storage account](security-restrict-copy-operations.md).
-
### About virtual network endpoints
+
This article describes the configuration options for securing traffic to and from your storage account.
-
There are two types of virtual network endpoints for storage accounts:
+
> [!NOTE]
+
> Clients that make requests from allowed sources must also meet the authorization requirements of the storage account. To learn more about account authorization, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).
-
-[Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)
Virtual network service endpoints are public and accessible via the internet. The Azure Storage firewall provides the ability to control access to your storage account over such public endpoints. When you disable public network access to your storage account, all incoming requests for data are blocked by default. Only applications that request data from allowed sources that you configure in your storage account firewall settings will be able to access your data. Sources can include the source IP address or virtual network subnet of a client, or an Azure service or resource instance through which clients or services access your data. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services, unless you explicitly allow access in your firewall configuration.
+
By default, storage accounts accept requests over HTTPS only. Any requests made over HTTP is rejected. We recommend that you require secure transfer for all of your storage accounts, except in certain cases where NFS Azure file shares are used with network-level security. To verify that your account accepts requests only from secure connections, make sure that the **Secure transfer required** property of the storage account is set. To learn more, see [Require secure transfer to ensure secure connections](storage-require-secure-transfer.md).
-
A private endpoint uses a private IP address from your virtual network to access a storage account over the Microsoft backbone network. With a private endpoint, traffic between your virtual network and the storage account are secured over a private link. Storage firewall rules only apply to the public endpoints of a storage account, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. You can use [Network Policies](../../private-link/disable-private-endpoint-network-policy.md) to control traffic over private endpoints if you want to refine access rules. If you want to use private endpoints exclusively, you can use the firewall to block all access through the public endpoint.
-
-
To help you decide when to use each type of endpoint in your environment, see [Compare Private Endpoints and Service Endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
-
-
## General approach
-
-
To secure your storage account and build a secure network boundary for your applications:
-
-
- Enable secure transfer first.
-
- Disable public network access to the storage account. This disables traffic to the public endpoint of your account.
-
- Where possible, configure private links to your storage account from private endpoints on virtual network subnets where the clients reside that require access to your data.
-
- If traffic is needed over a public endpoint, limit by setting network rules - or set up a network security perimeter.
-
- Finally, you can tighten up security by using a copy protection scope.
+
## Private endpoints
-
After you apply network rules, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules.
+
A private endpoint assigns a private IP address from your virtual network to your storage account. Clients connect to your storage account by using a private link to the private endpoint. Traffic is routed over the Microsoft backbone network so traffic does not travel over the public internet. You can fine-tune access rules by using [Network policies for private endpoints](../../private-link/disable-private-endpoint-network-policy.md). If you want to permit traffic to originate only from private links, you can block all access over the public endpoint. Private endpoints have cost meters, but provide maximum network isolation.
-
## Transport Layer security
+
To learn more about using a private endpoint to secure traffic to your storage account, see [Use private endpoints for Azure Storage](storage-private-endpoints.md).
-
Put something here.
+
## Public endpoints
-
## Private endpoints
+
The *public endpoint* of your storage account is accessed through a public IP address. If you block all access over the public endpoint, you disable all traffic to the storage accounts public IP address. That said, if there are clients that are unable to access your storage account over a private link or you choose not to use private endpoints for cost or over reasons, then you can secure the public endpoint of your storage account by using firewall rules or by adding your storage account to a network security perimeter.
-
Storage accounts have a public endpoint that's accessible through the internet. You can also create [private endpoints for your storage account](storage-private-endpoints.md). Creating private endpoints assigns a private IP address from your virtual network to the storage account. It helps secure traffic between your virtual network and the storage account over a private link.
+
### Firewall rules
-
## Public endpoints
+
Firewall rules enable you to limit traffic to your public endpoint. They do not affect traffic to a private endpoint.
-
What is a public endpoint? Explain that. Put stuff here for how to secure that public endpoint.
+
You must enable firewall rules before you can set them. Enabling firewall rules blocks all incoming requests by default. Requests are permitted only if they originate from a client or service that operates within an source that you specify. You enable firewall rules by setting the default public network access rule of the storage account. To learn how to do this, see [Set the default public network access rule of a Azure Storage account](storage-network-security-set-default-access.md).
-
The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when you're using private endpoints. Your firewall configuration also enables trusted Azure platform services to access the storage account.
+
Use firewall rules to allow traffic from any of the following sources:
-
Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service that operates within an Azure virtual network or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services.
+
- Specific subnets in one or more Azure Virtual networks
+
- IP address ranges
+
- Resource instances
+
- Trusted Azure services
-
To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint, by default. Then, you should configure rules that grant access to traffic from specific virtual networks. You can also configure rules to grant access to traffic from selected public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration helps you build a secure network boundary for your applications.
+
To learn more, see [Azure Storage firewall rules](storage-network-security.md).
-
You can combine firewall rules that allow access from specific virtual networks and from public IP address ranges on the same storage account. You can apply storage firewall rules to existing storage accounts or when you create new storage accounts.
+
Firewall settings are specific to a storage account. If you want to manage single set of inbound and outbound rules around a group of storage accounts and other resources, consider setting up a network security perimeter.
-
Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.
+
### Network security perimeter
-
## Copy operation scopes
+
Another way to limit traffic to your public endpoint is to include your storage account in a network security perimeter. A network security perimeter also protects against data exfiltration by enabling you to define outbound rules. A network security perimeter can be particularly useful in cases where you want to establish a security boundary around a collection of resources. This could be multiple storage accounts and other platform as a service (PaaS) resources. Network security perimeter provides a more complete set of inbound, outbound and PaaS to PaaS controls that can be applied to the entire perimeter as opposed to being configured individually on each resource. It can also reduce some of the complexity in auditing traffic.
-
Put something here.
+
To learn more, see [Network security perimeter for Azure Storage](storage-network-security-perimeter.md).
### Authorization
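Review bot: a placeholder is still shipping as the article's first paragraph. The added line `Intro sentance here.` (also misspelled) replaces the old `Introduction. Mention that folks will still need to authorize ...` note rather than an actual introduction; replace it with a real lead sentence, for example by moving the later added line `This article describes the configuration options for securing traffic to and from your storage account.` up to that slot. The other added lines need copy fixes before merge: `add rules network rules` (drop the first `rules`), `you can increased protection` (`increase`), `restricting the the source`, `Any requests made over HTTP is rejected` (`are`), `cost or over reasons` (`other`), `storage accounts public IP address` (`account's`), `within an source` (`a source`), `a Azure Storage account` (`an`), `manage single set` (`a single set`), and `Azure Virtual networks` (`virtual networks`). One content regression: the removed paragraph said that, once public access is restricted, requests from other Azure services, the Azure portal, and the logging and metrics services are blocked unless you explicitly allow them; the new `### Firewall rules` text lists `Trusted Azure services` as an allowable source but no longer warns that they are blocked by default, which is the behaviour that surprises people, so consider keeping that sentence. Also, the `Specific subnets in one or more Azure Virtual networks` bullet relies on service endpoints (the removed text explained this and linked to the service endpoints overview), but the term now appears only in the `See also` link; a clause noting that subnet rules require a service endpoint on that subnet would keep this page consistent with the companion article.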
@@ -78,7 +69,8 @@ When you configure a blob container for anonymous public access, requests to rea
An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Microsoft Entra credentials for blobs, tables, file shares and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous access, requests to read data in that container don't need to be authorized. The firewall rules remain in effect and will block anonymous traffic.
-
## Next steps
+
## See also
-
- Learn more about [Azure network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).
-
- Dig deeper into [security recommendations for Azure Blob storage](../blobs/security-recommendations.md).
+
-[Compare Private Endpoints and Service Endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
+
-[Security recommendations for Azure Blob storage](../blobs/security-recommendations.md).
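Review bot: the two new `## See also` items are missing the space after the list marker (`-[Compare Private Endpoints and Service Endpoints]...` and `-[Security recommendations for Azure Blob storage]...`), so Markdown will not render them as a bulleted list; they should read `- [Compare Private Endpoints and Service Endpoints](...)` like the bullets they replace. Minor: the old items were sentences (`Learn more about ...`), so the trailing period made sense; the new bare link items can drop it. Note also that the dropped `Learn more about [Azure network service endpoints]` link was the only direct pointer to the service endpoints overview from this page; if the body no longer explains service endpoints, it is worth keeping that link here.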
@@ -60,6 +60,8 @@ To learn how to create IP network rules, see [Create an IP network rule for Azur
If you've enabled a service endpoint for a subnet, traffic from that subnet won't use a public IP address to communicate with a storage account. Instead, all traffic uses a private IP address as the source IP. As a result, IP network rules that permit traffic from those subnets no longer have an effect.
+
SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules.
+
> [!IMPORTANT]
> Some restrictions apply to IP address ranges. For a list of restrictions, see [Restrictions for IP network rules](storage-network-security-limitations.md#restrictions-for-ip-network-rules).
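Review bot: the added SAS sentence lands between the service-endpoint paragraph and the `[!IMPORTANT]` note about IP range restrictions with nothing tying it to either, so it reads as a stray thought in a section about IP network rules. Lead with the connection, for example: `A SAS that restricts the token holder to an IP address or range only narrows what that holder can do; it doesn't grant access from an address that the account's network rules block.` The sentence was moved here from the overview article in this same change, which is the right home for it, but the surrounding text should say why it is here.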