Saturday, December 30, 2017

Azure Storage Firewalls and Azure SQL Audit

In a previous post, I started to take a look at Azure Storage firewalls. We noted that the firewalls worked quite well for restricting access by source IP address. We also noted that you can whitelist certain Azure Trusted Services, and that this was a fairly limited list.

Okay, so let's test this with Azure SQL Auditing. The test is quite simple.

Steps:
  • Enable Azure SQL Auditing to a target storage account
  • Do some logins
  • Use the audit viewer in Azure SQL to review the audit
  • Enable Azure Storage Firewall
  • Do some more logins
  • See if these logins appear in the audit
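The six steps above as a script. This is an added example, not code from the original post. It assumes the Az PowerShell modules (Az.Accounts, Az.Sql, Az.Storage) and an existing Connect-AzAccount session; the 2017-era AzureRm cmdlets had different names. The resource group, server, storage account, client IP and settle time are placeholders. Instead of the portal's audit viewer it checks the storage side directly: the newest .xel file in the sqldbauditlogs container (the container Azure SQL blob auditing writes to) must carry a later LastModified after the second batch of logins, otherwise nothing was written while the firewall was on.

```powershell
# Added example, not from the original post. Reproduces the six-step test with the Az modules.
# All names below are placeholders; replace them before running.
param(
    [string]$ResourceGroup  = 'rg-audit-test',
    [string]$SqlServer      = 'sql-audit-test',      # logical server name without the DNS suffix
    [string]$StorageAccount = 'stauditlogs',
    [string]$ClientIp       = '203.0.113.10',        # workstation public IP (RFC 5737 placeholder)
    [int]$SettleSeconds     = 300                    # audit files land asynchronously; give them time
)
$ErrorActionPreference = 'Stop'
$sqlCred = Get-Credential -Message 'SQL login used for the test logins'

$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

# Step 1: send server-level auditing to blob storage in this account.
Set-AzSqlServerAudit -ResourceGroupName $ResourceGroup -ServerName $SqlServer `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $sa.Id -RetentionInDays 90

# Steps 2 and 5: a login the audit should record (a plain SqlClient open/close is enough).
function Invoke-TestLogin {
    $cs = "Server=tcp:$SqlServer.database.windows.net,1433;Database=master;" +
          "User ID=$($sqlCred.UserName);Password=$($sqlCred.GetNetworkCredential().Password);" +
          "Encrypt=True;Connection Timeout=30"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    $conn.Close()
}

# Steps 3 and 6: when was the audit container last written to? Azure SQL appends to .xel files,
# so the newest file's LastModified is a better signal than the file count.
# This listing comes from the workstation, so the client IP must be allowed once the firewall is on.
function Get-LatestAuditWrite {
    $newest = Get-AzStorageBlob -Container 'sqldbauditlogs' -Context $sa.Context |
        Where-Object { $_.Name -like '*.xel' } |
        Sort-Object { $_.LastModified } -Descending |
        Select-Object -First 1
    if ($newest) { $newest.LastModified } else { [DateTimeOffset]::MinValue }
}

# Baseline with the firewall open.
1..3 | ForEach-Object { Invoke-TestLogin }
Start-Sleep -Seconds $SettleSeconds
$before = Get-LatestAuditWrite
Write-Host "Latest audit write with firewall open: $before"

# Step 4: turn the storage firewall on. Default action Deny, keep the trusted-services bypass,
# and allow only the workstation so the listing below still works.
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -IPAddressOrRange $ClientIp | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount
Write-Host "Firewall default action: $($rules.DefaultAction); bypass: $($rules.Bypass)"

# Logins while the firewall is on.
1..3 | ForEach-Object { Invoke-TestLogin }
Start-Sleep -Seconds $SettleSeconds
$after = Get-LatestAuditWrite
Write-Host "Latest audit write with firewall on:  $after"

if ($after -le $before) {
    Write-Warning 'No audit data written while the firewall was on: the audit writer is blocked, not bypassed.'
} else {
    Write-Host 'Audit writes continued with the firewall on.'
}

# Reopen the account afterwards so the portal audit viewer works again.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultAction Allow | Out-Null
```

The portal's audit viewer reads these same .xel files back out of the storage account (the T-SQL equivalent is sys.fn_get_audit_file over the blob URL), which is why the blade stops responding rather than showing an empty log once the firewall is up. Because the trusted-services list has changed since this post was written, the script is worth re-running against a current subscription before relying on the result either way.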
It turns out that when the firewall is enabled, Azure SQL audit cannot write to its audit file. This is immediately apparent, because the audit blade, which reads the audit files back from the same storage account, stops responding. Here is what it looks like:

(screenshot)
When you allow access from all networks again, you can see the log. You will also notice that the logins made while the firewall was enabled do not show up; in other words, they were never written. You can see this as a gap in the event timestamps.

(screenshot)
It seems odd that services such as Azure SQL (at least the audit part) are not on the trusted services list. IMHO, it rules out some of the use cases for storage firewalls. Storage accounts that host things like SQL audit logs and Azure Security Center (ASC) data are exactly the ones you do not want to be publicly reachable, and a firewall would make sense there.