|
| 1 | +--- |
| 2 | +title: Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets |
| 3 | +description: "Provides instructions on how to store Vulnerability Assessment (VA) scans in a storage account that can be accessed through a firewall or a VNet" |
| 4 | +services: sql-database |
| 5 | +ms.service: sql-database |
| 6 | +ms.subservice: security |
| 7 | +ms.topic: conceptual |
| 8 | +author: barmichal |
| 9 | +ms.author: mibar |
| 10 | +ms.reviewer: vanto |
| 11 | +ms.date: 04/17/2020 |
| 12 | +--- |
| 13 | + |
| 14 | +# Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets |
| 15 | + |
| 16 | +If you are limiting access to your storage account in Azure for certain VNets or services, you'll need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL Databases or Managed Instances have access to that storage account. |
| 17 | + |
| 18 | +## Enable Azure SQL Database VA scanning access to the storage account |
| 19 | + |
| 20 | +If you have configured your VA storage account to only be accessible by certain networks or services, you'll need to ensure that VA scans for your Azure SQL Database are able to store the scans on the storage account. To find out which storage account is being used, go to your **SQL server** pane in the [Azure portal](https://portal.azure.com), under **Security**, select **Advanced data security**. |
| 21 | + |
| 22 | +:::image type="content" source="media/sql-database-vulnerability-assessment-storage/va-storage.png" alt-text="va-storage"::: |
| 23 | + |
| 24 | +You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your Azure SQL Server. |
| 25 | + |
| 26 | +Go to your **Resource group** that contains the storage account and access the **Storage account** pane. Under **Settings**, select **Firewall and virtual networks**. |
| 27 | + |
| 28 | +Ensure that **Allow trusted Microsoft services access to this storage account** is checked. |
| 29 | + |
| 30 | +:::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-allow-microsoft-services.png" alt-text="storage-allow-microsoft-services"::: |
| 31 | + |
| 32 | +## Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet |
| 33 | + |
| 34 | +Since Managed Instance is not a trusted Microsoft Service and has a different VNet from the storage account, executing a VA scan will result in an error. |
| 35 | + |
| 36 | +To support VA scans on Managed Instances, follow the below steps: |
| 37 | + |
| 38 | +1. In the **SQL managed instance** pane, under the **Overview** heading, click the **Virtual network/subnet** link. This takes you to the **Virtual network** pane. |
| 39 | + |
| 40 | + :::image type="content" source="media/sql-database-managed-instance-public-endpoint-configure/mi-overview.png" alt-text="mi-overview2"::: |
| 41 | + |
| 42 | +1. Under **Settings**, select **Subnets**. Click **Subnet** in the new pane to add a subnet, and delegate it to *Microsoft.sql\managedInstance*. For more information, see [Manage subnets](../virtual-network/virtual-network-manage-subnet.md). |
| 43 | + |
| 44 | + :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-subnets.png" alt-text="mi-subnets"::: |
| 45 | + |
| 46 | +1. In your **Virtual network** pane, under **Settings**, select **Service endpoints**. Click **Add** in the new pane, and add the *Microsoft.Storage* Service as a new service endpoint. Make sure the *ManagedInstance* Subnet is selected. Click **Add**. |
| 47 | + |
| 48 | + :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-service-endpoint.png" alt-text="mi-service-endpoint"::: |
| 49 | + |
| 50 | +1. Go to your **Storage account** that you've selected to store your VA scans. Under **Settings**, select **Firewall and virtual networks**. Click on **Add existing virtual network**. Select your managed instance virtual network and subnet, and click **Add**. |
| 51 | + |
| 52 | + :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-firewall.png" alt-text="storage-firewall"::: |
| 53 | + |
| 54 | +You should now be able to store your VA scans for Managed Instances in your storage account. |
| 55 | + |
| 56 | +## Next steps |
| 57 | + |
| 58 | +- [Vulnerability Assessment](sql-vulnerability-assessment.md) |
| 59 | +- [Create an Azure Storage account](../storage/common/storage-account-create.md) |
| 60 | +- [Advanced data security for Azure SQL Database](sql-database-advanced-data-security.md) |
0 commit comments