Azure Storage makes use of Azure storage firewalls to allow customers to limit access to a storage account either by subnet/vnet or by any publicly addressable IP address (or range). The goal of this post is to explore this feature in a little more detail.
When you first create an Azure storage account, the default is to allow access from all vnets/subnets. In fact, firewall setup is not currently part of the storage account creation process in the portal. Here is what the firewall tab looks like out of the gate:
Okay, cool. I can open up Storage Explorer and add a file, no problem. Let's try setting the "default rule" to deny. What this does, essentially, is block access to my storage account from anywhere that is not explicitly allowed by a rule.
Here is the PowerShell command I ran (the angle-bracket values are placeholders for the resource group and storage account name):
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName <resource-group> -Name <storage-account> -DefaultAction Deny
Here is the result in the portal.
Let's try uploading something in Storage Explorer. Please note that I did not "log out and log back in" in Storage Explorer. Oops! I got an error.
{
"name": "StorageError",
"message": "Forbidden",
"stack": "Error\n at Function.StorageServiceClient._normalizeError (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\lib\\common\\services\\storageserviceclient.js:1189:23)\n at Object.StorageServiceClient._processResponse (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\lib\\common\\services\\storageserviceclient.js:736:50)\n at Request.processResponseCallback [as _callback] (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\lib\\common\\services\\storageserviceclient.js:311:37)\n at Request.self.callback (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\node_modules\\request\\request.js:188:22)\n at emitTwo (events.js:106:13)\n at Request.emit (events.js:194:7)\n at Request.<anonymous> (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\node_modules\\request\\request.js:1171:10)\n at emitOne (events.js:96:13)\n at Request.emit (events.js:191:7)\n at IncomingMessage.<anonymous> (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\node_modules\\request\\request.js:1091:12)",
"code": "Forbidden",
"statusCode": 403,
"requestId": "xxxxxxxx"
}
Awesome, a pretty standard forbidden error message. Okay, let's try adding my IP address so I can communicate. You can do this by running the following command (the angle-bracket values are placeholders):
Add-AzureRmStorageAccountNetworkRule -ResourceGroupName <resource-group> -Name <storage-account> -IPAddressOrRange "<your-public-ip>"
Now when I try to upload, everything works. I was simply able to hit retry and it worked. I now have a "secured" storage account!
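The two steps above (set the default action to Deny, then allow a single public IP) are easy to get backwards and lock yourself out, and the default-allow state is easy to miss across many accounts. The script below is an added example, not code from the original post: it audits every storage account in a resource group with the same AzureRm cmdlets, and only when run with `-LockDown` applies the allow rule first and then flips the default action to Deny. It assumes the AzureRm module is loaded and `Login-AzureRmAccount` has already been run; the `$AllowedIp` value is whatever public IP you administer from.

```powershell
# Added example (not from the original post): audit storage accounts in a resource
# group for the default-allow firewall state, optionally lock them down, then verify.
# Assumes the AzureRm module is loaded and Login-AzureRmAccount has been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $AllowedIp,            # e.g. '203.0.113.10' (documentation address, placeholder)
    [switch] $LockDown              # without this switch the script only reports
)

function Get-FirewallState {
    param([string] $Rg, [string] $Account)
    $rules = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $Rg -Name $Account
    [pscustomobject]@{
        Account       = $Account
        DefaultAction = $rules.DefaultAction          # 'Allow' or 'Deny'
        Bypass        = $rules.Bypass                 # e.g. 'AzureServices' (trusted services checkbox)
        IpRules       = ($rules.IpRules | ForEach-Object { $_.IPAddressOrRange }) -join ','
        VnetRules     = @($rules.VirtualNetworkRules).Count
    }
}

$accounts = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName
foreach ($acct in $accounts) {
    $state = Get-FirewallState -Rg $ResourceGroupName -Account $acct.StorageAccountName
    if ($state.DefaultAction -eq 'Allow') {
        Write-Warning "$($state.Account): default action is Allow (reachable from any network)"
        if ($LockDown) {
            # Add the allow rule before switching to Deny so the caller is not cut off
            # between the two calls when managing the account from that IP.
            if ($AllowedIp) {
                Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName `
                    -Name $state.Account -IPAddressOrRange $AllowedIp | Out-Null
            }
            Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName `
                -Name $state.Account -DefaultAction Deny | Out-Null
            # Re-read the rule set so the report shows the state actually in effect
            $state = Get-FirewallState -Rg $ResourceGroupName -Account $state.Account
        }
    }
    $state
}
```

Run it without `-LockDown` first to see which accounts are still default-allow; the emitted objects can be piped to `Format-Table` or exported for a periodic check.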
One interesting thing to note is that even when the default action is set to deny, the checkbox for "Allow trusted Microsoft services to access this storage account" remains enabled. Based on the documentation, there are only about 5 services that are granted access through it. In a future post, I hope to see how this checkbox handles diagnostic/audit storage for things like ASC, Azure SQL, etc.
In this post, we covered some basics of using Azure Storage firewalls to secure your storage accounts.