Commit ea2fd47

NSP GA Updates
More Acrolinx based changes
1 parent 2ad1eae commit ea2fd47

1 file changed

+9
-11
lines changed

articles/storage/common/storage-network-security-perimeter.md

Lines changed: 9 additions & 11 deletions
@@ -13,9 +13,9 @@ ms.author: normesta
1313

1414
# Network security perimeter for Azure Storage
1515

16-
[Network security perimeter](../../private-link/network-security-perimeter-concepts.md) allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Blob Storage and SQL Database) that are deployed outside their virtual networks. The feature restricts public network access to PaaS resources outside the perimeter. However, you can exempt access by using explicit access rules for public inbound and outbound traffic. This helps prevent unwanted data exfiltration from your storage resources. Within a Network Security Perimeter, member resources can freely communicate with each other. network security perimeter rules override the storage account’s own firewall settings. Access from within the perimeter takes highest precedence over other network restrictions.
16+
[Network security perimeter](../../private-link/network-security-perimeter-concepts.md) allows organizations to define a logical network isolation boundary for PaaS resources (for example, Azure Blob Storage and SQL Database) that are deployed outside their virtual networks. The feature restricts public network access to PaaS resources outside the perimeter. However, you can exempt access by using explicit access rules for public inbound and outbound traffic. This helps prevent unwanted data exfiltration from your storage resources. Within a Network Security Perimeter, member resources can freely communicate with each other. Network security perimeter rules override the storage account’s own firewall settings. Access from within the perimeter takes highest precedence over other network restrictions.
1717

18-
You can find the list of services that have been onboarded to the network security perimeter [here](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources). If a service is not listed, it has not yet been onboarded. To allow access to a specific resource from a non-onboarded service, you can create a subscription-based rule for the network security perimeter. This will grant access to all resources within that subscription. For details on how to add a subscription-based access rule, see [this documentation](/rest/api/networkmanager/nsp-access-rules/create-or-update).
18+
You can find the list of services that are onboarded to the network security perimeter [here](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources). If a service isn't listed, it is not onboarded yet. To allow access to a specific resource from a non-onboarded service, you can create a subscription-based rule for the network security perimeter. A subscription-based rule grants access to all resources within that subscription. For details on how to add a subscription-based access rule, see [this documentation](/rest/api/networkmanager/nsp-access-rules/create-or-update).
1919

2020
## Access Modes
2121

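Review bot: new line 18 mixes contraction styles inside one sentence ("If a service isn't listed, it is not onboarded yet"); since this pass is about Acrolinx compliance, make the second clause "it isn't onboarded yet". The same line keeps "here" and "this documentation" as link text, which the style checker flags as non-descriptive; name the target instead (for example "the list of onboarded services" and "the access rules REST API reference"). On line 16 the sentence-initial capitalization fix is correct, but "Within a Network Security Perimeter" two sentences earlier still uses title case while the rest of the paragraph uses lowercase; pick one form for the whole paragraph.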
@@ -26,28 +26,26 @@ When onboarding storage accounts to a network security perimeter, you can start
2626
>
2727
2828
## Network priotiy
29-
When a storage account is part of a network security perimeter, the relevant [profile's](../../private-link/network-security-perimeter-concepts.md#components-of-a-network-security-perimeter) access rules override the account’s own firewall settings, becoming the top-level network gatekeeper. Access allowed or denied by the perimeter takes precedence, and the account’s "Allowed networks" settings are bypassed when the storage account is associated in enforced mode. Removing the storage account from a network security perimeter reverts control back to its regular firewall. Network security perimeters do not affect private endpoint traffic. Connections via private link always succeed. For internal Azure services ("trusted services"), only those explicitly [onboarded to Network Security Perimeter](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources) can be allowed through perimeter access rules. Otherwise, their traffic is blocked by default, even if trusted on the storage account firewall rules. For services not yet onboarded, alternatives include subscription-level rules for inbound and FQDNs for outbount access or via private links.
29+
When a storage account is part of a network security perimeter, the relevant [profile's](../../private-link/network-security-perimeter-concepts.md#components-of-a-network-security-perimeter) access rules override the account’s own firewall settings, becoming the top-level network gatekeeper. Access allowed or denied by the perimeter takes precedence, and the account’s "Allowed networks" settings are bypassed when the storage account is associated in enforced mode. Removing the storage account from a network security perimeter reverts control back to its regular firewall. Network security perimeters don't affect private endpoint traffic. Connections via private link always succeed. For internal Azure services ("trusted services"), only services explicitly [onboarded to Network Security Perimeter](../../private-link/network-security-perimeter-concepts.md#onboarded-private-link-resources) can be allowed through perimeter access rules. Otherwise, their traffic is blocked by default, even if trusted on the storage account firewall rules. For services not yet onboarded, alternatives include subscription-level rules for inbound and Fully Qualified Domain Names (FQDN) for outbound access or via private links.
3030

3131
> [!IMPORTANT]
32-
> Private endpoint traffic is considered highly secure and therefore isn't subject to network security perimeter rules. All other traffic, including trusted services, are subject to network security perimeter rules if the storage account is associated with a perimeter.
32+
> Private endpoint traffic is considered highly secure and therefore isn't subject to network security perimeter rules. All other traffic, including trusted services, is subject to network security perimeter rules if the storage account is associated with a perimeter.
3333
3434
## Feature coverage under network security perimeter
35-
When a storage account is associated with a network security perimeter, all standard data-plane operations for blobs, files, tables, and queues are supported as long as they don’t fall under the known [limitations](#limitations). All HTTPS-based operations for Azure Blob Storage, Azure Data Lake Storage Gen2, Azure Files (via REST API or SDK), Azure Table Storage, and Azure Queue Storage are supported with network security perimeter enforcement, allowing you to restrict access by network.
35+
When a storage account is associated with a network security perimeter, all standard data-plane operations for blobs, files, tables, and queues are supported unless specified under the known [limitations](#limitations). All HTTPS-based operations for Azure Blob Storage, Azure Data Lake Storage Gen2, Azure Files, Azure Table Storage, and Azure Queue Storage can be restricted using network security perimeter.
3636

3737
## Limitations
3838

39-
Below is a list of platform features that aren't supported when a storage account is associated with a network security perimeter.
40-
4139
| Feature | Support status| Recommendations |
4240
|----------|----------|----------|
43-
| [Object replication](../blobs/object-replication-overview.md) for Azure Blob Storage | Not Supported. Object Replication between storage accounts will fail if either the source or destination account is associated with a network security perimeter | Do not use network security perimeter on storage accounts that need Object Replication. Similarly, do not enable Object Replication on accounts associated with network security perimeter until support is available. When you try enabling either Object replication or association with network security perimeter when the other is already active, your attempt will be blocked to protect you from this unsupported scenario. |
44-
| Network file system (NFS) access over [Azure Blobs](../blobs/network-file-system-protocol-support.md) and [Azure Files](../files/files-nfs-protocol.md), Server message block (SMB) access over Azure Files and [SSH File transfer protocol (SFTP)](../blobs/secure-file-transfer-protocol-support.md) over Azure Blobs | All protocols other than HTTPS based access are blocked when storage account is associated with a network security perimeter | If you need to use any of these protocols to access your storage account, do not associate the account with a network security perimeter |
41+
| [Object replication](../blobs/object-replication-overview.md) for Azure Blob Storage | Not Supported. Object Replication between storage accounts fail if either the source or destination account is associated with a network security perimeter | Don't configure network security perimeter on storage accounts that need Object Replication. Similarly, don't enable Object Replication on accounts associated with network security perimeter until support is available. If Object replication is already enabled, you cannot associate a network security perimeter. Similarly, if a network security perimeter is already associated, you cannot enable Object replication. This restriction prevents you from configuring an unsupported scenario. |
42+
| Network file system (NFS) access over [Azure Blobs](../blobs/network-file-system-protocol-support.md) and [Azure Files](../files/files-nfs-protocol.md), Server message block (SMB) access over Azure Files and [SSH File transfer protocol (SFTP)](../blobs/secure-file-transfer-protocol-support.md) over Azure Blobs | All protocols other than HTTPS based access are blocked when storage account is associated with a network security perimeter | If you need to use any of these protocols to access your storage account, don't associate the account with a network security perimeter |
4543
| Azure Backup | Not supported. Azure Backup as a service is not onboarded to network security perimeter yet. | We recommend not associating an account with network security perimeter if you have backups enabled or if you plan to use Azure Backup. Once Azure Backup onboards to network security perimeter, you can start using both these features together |
46-
| Unmanaged disks | [Unmanaged disks](/azure/virtual-machines/unmanaged-disks-deprecation) do not honor network security perimeter rules. | Avoid using unmanaged disks on storage accounts protected by network security perimeter |
44+
| Unmanaged disks | [Unmanaged disks](/azure/virtual-machines/unmanaged-disks-deprecation) don't honor network security perimeter rules. | Avoid using unmanaged disks on storage accounts protected by network security perimeter |
4745

4846

4947
> [!WARNING]
50-
> For storage accounts that are associated with a network security perimeter, in order for customer managed keys (CMK) scenarios to work, ensure that the Azure Key Vault is accessible from within the perimeter to which the storage account has been associated.
48+
> For storage accounts that are associated with a network security perimeter, in order for customer managed keys (CMK) scenarios to work, ensure that the Azure Key Vault is accessible from within the perimeter to which the storage account is associated.
5149
5250
## Associate a network security perimeter with a storage account
5351

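Review bot: new line 41 introduces a subject-verb mismatch by dropping "will": "Object Replication between storage accounts fail if either the source or destination account..." should read "fails". While this section is open, the heading "Network priotiy" on context line 28 is misspelled and should be "Network priority". Removing the lead-in sentence (old line 39) leaves the Limitations table sitting directly under the heading with nothing telling the reader what the table lists; consider keeping a short introduction such as "The following platform features aren't supported when a storage account is associated with a network security perimeter." rather than deleting it. Minor consistency points in the same cell on line 41: "you cannot" appears twice where the rest of the change switched to contractions, and "Object Replication" and "Object replication" are both used.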