Sunday, December 17, 2017

Fooling around with Azure Storage Firewalls

At the end of September, the Azure storage team announced support for virtual network connected storage.  In the days before managed disks, this was actually quite a big deal.  A lot of my customers got tripped up on the fact that VHDs are stored in Azure storage, and that the container itself could be accessed from anywhere on the internet provided someone had the correct account name and key.

Azure storage firewalls let customers limit access to a storage account either by virtual network/subnet or by publicly addressable IP address (or range).  The goal of this post is to explore this feature in a little more detail.

When you first create an Azure storage account, the default action is to allow access from all networks, the public internet included.  In fact, firewall setup is not currently part of the storage account creation process in the portal.  Here is what the firewall tab looks like out of the gate:




Okay, cool.  I can open up Storage Explorer and add a file, no problem.  Let's try setting the "default rule" to Deny.  What this does is block access to my storage account from everywhere except the networks and addresses I explicitly allow.

Here is the PowerShell command I ran:

Update-AzureRmStorageAccountNetworkRuleset -ResourceGroupName  -Name  -DefaultAction Deny

Here is the result in the portal.


Let's try uploading something in Storage Explorer.  Please note that I did not "log out and log back in" of Storage Explorer.  Oops! I got an error.

{
  "name": "StorageError",
  "message": "Forbidden",
  "stack": "Error\n    at Function.StorageServiceClient._normalizeError (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\lib\\common\\services\\storageserviceclient.js:1189:23)\n    at Object.StorageServiceClient._processResponse (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\lib\\common\\services\\storageserviceclient.js:736:50)\n    at Request.processResponseCallback [as _callback] (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\lib\\common\\services\\storageserviceclient.js:311:37)\n    at Request.self.callback (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\node_modules\\request\\request.js:188:22)\n    at emitTwo (events.js:106:13)\n    at Request.emit (events.js:194:7)\n    at Request.<anonymous> (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\node_modules\\request\\request.js:1171:10)\n    at emitOne (events.js:96:13)\n    at Request.emit (events.js:191:7)\n    at IncomingMessage.<anonymous> (C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\resources\\app\\node_modules\\azure-storage\\node_modules\\request\\request.js:1091:12)",
  "code": "Forbidden",
  "statusCode": 403,
  "requestId": "xxxxxxxx"
}

Awesome, a pretty standard Forbidden error message.  Okay, let's try adding my IP address so I can communicate.  Note that this has to be the public IP address your client presents to Azure, not a private address behind NAT.  You can do this by running the following command:


Add-AzureRmStorageAccountNetworkRule -ResourceGroupName  -Name  -IPAddressOrRange ""

Now when I try to upload, everything works.  I was simply able to hit Retry and it worked.  I now have a "secured" storage account!

One interesting thing to note is that even when the default action is set to Deny, the checkbox for "Allow trusted Microsoft services to access this storage account" stays enabled.  Based on the documentation, there are only about 5 services that are granted access this way.  In a future post, I hope to see how this checkbox handles diagnostic/audit storage for things like ASC, Azure SQL, etc.
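Putting the Deny default, the IP rule and the "trusted Microsoft services" bypass together, here is an added example script (not from the original post) that does the whole lock-down in one go with the same AzureRm cmdlets, and goes one step further than the post by also allow-listing a VNet subnet.  It assumes Login-AzureRmAccount has already been run; the resource group, account, VNet and subnet names are placeholders, and api.ipify.org is just one way of discovering the client's public egress address.

```powershell
# Added example, not code from the original post.  Assumes an AzureRM session
# (Login-AzureRmAccount) and the AzureRM.Storage / AzureRM.Network modules.
$rg         = "rg-storage-fw"      # assumption: your resource group
$acct       = "mylockedstorage"    # assumption: your storage account name
$vnetName   = "vnet-prod"          # assumption: VNet that should reach storage
$subnetName = "app-subnet"         # assumption: subnet inside that VNet

# 1. Snapshot the current rule set so the change can be reverted if needed.
$before = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $acct
Write-Host ("Before: DefaultAction={0} Bypass={1} IpRules={2} VnetRules={3}" -f `
    $before.DefaultAction, $before.Bypass, $before.IpRules.Count, $before.VirtualNetworkRules.Count)

# 2. Allow-list the client's public IPv4 address.  The firewall only accepts public
#    addresses, so the private address ipconfig shows behind NAT is of no use here.
#    api.ipify.org is an assumption: any service that echoes your egress IP will do.
$clientIp = (Invoke-RestMethod -Uri "https://api.ipify.org").Trim()
if ($clientIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Unexpected address '$clientIp'" }
Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $rg -Name $acct -IPAddressOrRange $clientIp

# 3. Allow-list a subnet.  A VNet rule only works if the subnet has the
#    Microsoft.Storage service endpoint, so enable it when it is missing.
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
if ($subnet.ServiceEndpoints.Service -notcontains "Microsoft.Storage") {
    Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" | Out-Null
    $vnet   = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
}
Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $rg -Name $acct `
    -VirtualNetworkResourceId $subnet.Id

# 4. Only now flip the default to Deny, keeping the bypass that the portal's
#    "Allow trusted Microsoft services" checkbox represents.  Rules go in first so
#    legitimate clients never see a window of 403s.  The firewall only gates the
#    blob/file/queue/table data plane; the ARM control plane these cmdlets use is
#    unaffected, so you cannot lock yourself out of managing the rules.
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $acct `
    -DefaultAction Deny -Bypass AzureServices

# 5. Read the rule set back and fail loudly if the account is not actually locked down.
$after = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $acct
if ($after.DefaultAction -ne "Deny") { throw "DefaultAction is still $($after.DefaultAction)" }
if ($after.IpRules.IPAddressOrRange -notcontains $clientIp) { throw "IP rule for $clientIp missing" }
if ($after.VirtualNetworkRules.VirtualNetworkResourceId -notcontains $subnet.Id) { throw "VNet rule missing" }
$after.IpRules | Format-Table IPAddressOrRange, Action
$after.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, Action
```

If you later want the account closed even to Microsoft's own services, pass -Bypass None in step 4; the read-back in step 5 is where you would also assert that, since the portal checkbox and the Bypass property are the same setting.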

In this post, we covered some basics of using Azure Storage firewalls to secure your storage accounts.