Okay, so let's test this with Azure SQL Auditing. The test for this is quite simple.
Steps:
- Enable Azure SQL Auditing to a target storage account
- Do some logins
- Use the audit viewer in Azure SQL to review the audit
- Enable Azure Storage Firewall
- Do some more logins
- See if these logins appear in the audit
When you set the firewall back to allow access from all networks, you can see the log again. You will also notice that the logins made while the firewall was enabled do not show up (in other words, they were never written). You can see this from the missing timestamps.
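The comparison in the last step can be scripted. This is an added example, not code from the original post: it matches the times of the test logins against the event times read back from the audit and reports the logins that have no audit record. All timestamps are constructed sample data, and the 30-second matching tolerance and the function names are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def parse(ts):
    """Parse an ISO-style timestamp string into a datetime."""
    return datetime.strptime(ts, FMT)


# Constructed sample data: when the tester logged in. In this sample the
# storage firewall was enabled at 10:05 and reopened at 10:10.
PERFORMED = [parse(t) for t in (
    "2024-01-15T10:00:00", "2024-01-15T10:02:00",   # firewall off
    "2024-01-15T10:06:00", "2024-01-15T10:08:00",   # firewall on
    "2024-01-15T10:12:00",                          # firewall off again
)]

# Constructed sample data: event times copied from the audit viewer afterwards.
AUDITED = [parse(t) for t in (
    "2024-01-15T10:00:03", "2024-01-15T10:02:02", "2024-01-15T10:12:01",
)]


def unaudited_logins(performed, audited, tolerance=timedelta(seconds=30)):
    """Return the performed logins with no audit record within `tolerance`."""
    remaining = sorted(audited)
    missing = []
    for login in sorted(performed):
        match = next((a for a in remaining if abs(a - login) <= tolerance), None)
        if match is None:
            missing.append(login)
        else:
            remaining.remove(match)  # one audit record accounts for one login
    return missing


def blackout_window(missing):
    """Smallest time window covering every unaudited login, or None."""
    return (min(missing), max(missing)) if missing else None


if __name__ == "__main__":
    lost = unaudited_logins(PERFORMED, AUDITED)
    for ts in lost:
        print("no audit record for login at", ts.strftime(FMT))
    print("audit blackout window:", blackout_window(lost))
```

Running the same comparison on a schedule against a known heartbeat login gives a simple alert for audit records that silently stop being written.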
It seems weird that services such as Azure SQL (at least the audit part) would not be part of the trusted services. IMHO, it makes some of the use cases for storage firewalls not possible. Storage accounts that host things like audit and ASC are not ones that you want to be public, and a firewall would make sense.