Is there a way to prefer Azure Service Endpoint over Private Endpoint? - azure

Scenario:
I have a hub & spoke architecture with Azure Firewall, which acts as the DNS server for the VNets in all spokes. I also have a VPN connection, which I use to transfer data to my Azure Data Lake Storage Gen2. For that I use a Private Endpoint, configured with a Private DNS Zone linked to the hub network.
So far, all great: all my traffic is secure, whether I connect to my ADLS Gen2 from on-premises or from Databricks in Azure.
Now here's the problem. It costs a lot of money, since Azure Private Endpoints charge you for inbound and outbound traffic.
So the question is: is there a way to tell my Databricks nodes to use a Service Endpoint (which is free) rather than the Private Endpoint, since Azure Firewall DNS always returns a private IP for my ADLS? I still need to keep the Private Endpoint to be able to connect securely from my premises.

• Though you cannot create a service endpoint directly for the Azure Databricks workspace to transfer data from Azure Data Lake Storage Gen2 to it, you can connect your Azure Databricks workspace to your on-premises network through the transit virtual network gateway created in the virtual network with which your Azure Databricks workspace is peered. For that purpose, you will have to set up an Azure virtual network gateway in the virtual network in which ADLS Gen2 has been deployed.
• Once that is done, peer the virtual network in which the private endpoint is configured with the one where the ADLS Gen2 storage account is configured, so that the Azure Databricks workspace is able to create a virtual network peering with the virtual network where the service endpoint for the Microsoft storage account is configured.
• Then configure the user-defined routes, associate them with your Azure Databricks virtual network subnets and validate the setup. Kindly refer to the network diagram below for more clarification:
For more information, kindly refer to the documentation link below: -
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/on-prem-network
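Whether a client such as a Databricks node ends up on the private endpoint or on the public/service-endpoint path is decided by DNS, not by which endpoints exist: a name that resolves, through the privatelink CNAME, to the private endpoint's VNet address is reached over the private endpoint, and a Microsoft.Storage service endpoint on the client's subnet only applies when the name resolves to the public address. The following is an added example, not code from the question or answer above; it walks two constructed resolver tables (the hub resolver with the private zone linked, and a resolver without it) and reports which path a client using each would take. The account name contosolake, the private endpoint address 10.1.2.4 and the public stand-in 198.51.100.7 are this example's assumptions.

```python
"""Classify the path to a storage account from how its name resolves.

Added example. The record tables below are constructed: HUB_DNS stands for a
resolver that has the privatelink.dfs.core.windows.net private zone linked,
PUBLIC_DNS for one that does not. The account name and addresses are invented.
"""
import ipaddress
import socket
from typing import Dict, List, Optional

HUB_DNS: Dict[str, str] = {
    "contosolake.dfs.core.windows.net": "contosolake.privatelink.dfs.core.windows.net",
    "contosolake.privatelink.dfs.core.windows.net": "10.1.2.4",   # private endpoint NIC (assumed)
}
# Public DNS still returns the privatelink CNAME, but it ends in the public front end.
PUBLIC_DNS: Dict[str, str] = {
    "contosolake.dfs.core.windows.net": "contosolake.privatelink.dfs.core.windows.net",
    "contosolake.privatelink.dfs.core.windows.net": "198.51.100.7",  # public stand-in (TEST-NET-2)
}

# VNet address space is normally carved from these ranges; a VNet that uses a
# public range would need its own prefixes here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_chain(name: str, records: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAMEs in a record table until an address is reached.

    Returns [name, cname..., address]. Raises LookupError for a missing record
    or a chain longer than max_hops (a CNAME loop).
    """
    chain = [name]
    for _ in range(max_hops):
        target = records.get(chain[-1])
        if target is None:
            raise LookupError(f"no record for {chain[-1]}")
        chain.append(target)
        try:
            ipaddress.ip_address(target)  # an A record terminates the chain
            return chain
        except ValueError:
            continue  # a CNAME: keep following
    raise LookupError(f"CNAME chain from {name} exceeds {max_hops} hops")


def classify_path(chain: List[str]) -> str:
    """'private-endpoint' when the chain ends in a VNet address, else 'public-endpoint'.

    Only the public path is subject to service endpoints and to the storage
    account's network rules; the private endpoint path bypasses both.
    """
    addr = ipaddress.ip_address(chain[-1])
    return "private-endpoint" if any(addr in net for net in RFC1918) else "public-endpoint"


def resolve_live(fqdn: str) -> Optional[str]:
    """Ask this host's configured resolver (on a Databricks node that would be the
    Azure Firewall DNS proxy). Returns None when offline or unresolvable."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


if __name__ == "__main__":
    for label, table in (("hub firewall DNS", HUB_DNS), ("public DNS", PUBLIC_DNS)):
        chain = resolve_chain("contosolake.dfs.core.windows.net", table)
        print(f"{label}: {' -> '.join(chain)} => {classify_path(chain)}")
    live = resolve_live("contosolake.dfs.core.windows.net")
    print("live lookup:", live or "unresolvable (offline or no such account)")
```

Run on a node, `resolve_live` shows which answer that node actually gets. The check also makes the trade-off visible: a client that is pointed at a resolver without the private zone does leave the private endpoint, but it then reaches the public endpoint, so the storage account's firewall has to admit its subnet through a service endpoint rule or the request is denied.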

Related

.Net application, running in a Docker container unable to connect to Azure Storage when running on the virtual node

We have a .NET application, running in a Docker container, connecting to Azure Storage, running on Azure AKS. We use the connection string to connect to Azure Storage, for both temporary file storage and logging purposes. Our AKS sits within a VNet, with its own subnet, and it happily connects to the storage, which also sits in its own subnet, with the two subnets linked via a service endpoint. The storage is not open to all networks; it has been set to be enabled only from selected virtual networks and IP addresses.
Now, if we try to move/run the container on the AKS virtual node, it starts up and runs without any issues, but if we try to hit the storage from within the container, we now have authorization issues:
Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure
Content: AuthorizationFailure This request is not authorized to perform this operation.
RequestId:131fd452-901e-001a-4329-f3010f000000
Time:2022-11-08T04:23:09.0663031Z
If I enable public network access on the storage, it works, but we don't want this. So what are our options to fix this, seeing as we can't add a service endpoint to the underlying subnet/VNet on which the virtual node is running? We're also concerned because this will probably affect any DB connections as well, which will be an issue if we want to run our DB-backed containers on the virtual node.
Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure
Content: AuthorizationFailure This request is not authorized to perform this operation.
The above 403 errors occur when you have not given proper permission, and also when you have not assigned roles on the storage account.
For principal authentication purposes you need to assign roles on your storage account:
Storage Blob Data Owner
Storage Blob Data Contributor
Portal:
In the portal go to your storage account -> Access Control (IAM) -> Add -> Add role assignment -> Storage Blob Data Owner or Storage Blob Data Contributor, with your service principal.
After assigning it you can view the access through the portal, as shown in the snap below:
Make sure that under Networking -> Firewalls and virtual networks, public access is set to Enabled from selected virtual networks and IP addresses.
Make sure you are adding the correct virtual network and subnets in the portal, and also the virtual node's client IP address; in your environment the issue may be that the client IP was not added to the firewall rules for the storage account. Also check that Allow Azure services on the trusted services list to access this storage account is in the checked state; these trusted providers will then establish a secure connection to your storage account using strong authentication.
Go to Azure Portal -> Storage Accounts -> Networking -> Enabled from selected virtual networks and IP addresses.
Reference:
Creating Azure Storage Containers in a storage account with network rules, with Terraform by Ansuman Bal

Azure connecting to a Storage Blob as Private IP instead of Public IP

I am connecting to a client's FTP storage blob via FTP in Azure from a managed Azure VM. I want to force the VM's public IP to be used, but it is forcing the private IP connection; this can be seen from the client logs. What do I need to configure to force the use of the public IP?
Basically the VM from which you are trying to connect and your storage account need to be part of the same Virtual Network and Subnet.
Check if the firewall is blocking and disable the firewall on the blob storage.
Also check in your case whether both the VM and Azure Storage are in the same region:
Services deployed in the same region as the storage account use private Azure IP addresses for communication, i.e. your VM uses the internal network (over IPv6 and not the VM's published IP addresses) to attempt to access the Storage, so adding the public IP won't work, as IP network rules have no effect on requests originating from the same Azure region as the storage account.
Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range. Reference: Configure Azure Storage firewalls and virtual networks | Microsoft Docs.
To allow same-region requests try to use Virtual network rules.
One way to try is by adding the Virtual Network subnet of the VM to the firewall rules and adding Azure.Storage as a service endpoint to the subnet. If added through the Azure Portal the service endpoint will be automatically added.
Please check the references:
Allowing azure storage connectivity to a public IP - Microsoft Q&A
networking - Cannot to Azure blob storage from VM because of firewall - Stack Overflow

Configure and verify Vnet in Azure

I have created a Virtual Network along with its subnet, integrated it into three service applications, and created the rule on the firewall of my Azure SQL server.
Everything is in the same Azure subscription and region
I need to know whether it is enough to route all the traffic between these instances through the virtual network, or whether I need to configure some other aspect.
And how can I inspect the data traffic to verify that the virtual network is being used?
Azure Virtual Network (VNet) allows you to place Azure resources in a non-internet-routable network.
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app#architecture
Using Azure App Service regional VNet Integration, the web app connects to Azure through an AppSvcSubnet delegated subnet in an Azure Virtual Network.
The Virtual Network only routes traffic and is otherwise empty, but other subnets and workloads could also run in it.
The App Service and Private Link subnets could be in separate peered Virtual Networks, for example as part of a hub-and-spoke network configuration. For regional VNet Integration, the peered Virtual Networks must be located in the same Azure region.
Azure Private Link sets up a private endpoint for the Azure SQL database in the PrivateLinkSubnet of the Virtual Network.
The web app connects to the SQL Database private endpoint through the PrivateLinkSubnet of the Virtual Network.
The database firewall allows only traffic coming from the PrivateLinkSubnet to connect, making the database inaccessible from the public internet.

Azure Storage - Firewall and Endpoints usage

I have recently come across the Private Endpoint feature in Azure Storage and am trying to implement it for secure access from a VNet. However, I am getting access issues while using the Firewall, a Virtual Network Service Endpoint and a Private Endpoint all together.
I have two VNets (VNet1 & VNet2) in my subscription and an on-premises machine with a public IP to connect to Azure Storage. The following is my setup.
VNet1, with a subnet enabled with the Service Endpoint feature, is whitelisted in the storage account firewall.
Next, I have created a Private Endpoint to this storage account (for the blob service) from VNet2, which is also hosted inside the same VNet.
Finally, I have whitelisted the public IP of my on-premises VM to connect to the storage account under the Firewall section.
Given the above setup, when I try to access this storage account's blob containers from a VM placed in VNet2, I am getting authorization issues.
May I please check whether this setup is valid? Do the Private Endpoint and Service Endpoint features work in parallel?
Yes, private endpoints can be created in subnets that use Service Endpoints. Clients in a subnet can thus connect to one storage account using private endpoint, while using service endpoints to access others.
There are multiple ways to connect to a storage account:
Using a private endpoint (Private Link) to connect to the storage account: please find the referenced document here.
Using a Service Endpoint and a Private Endpoint together: please find the referenced document here.
You can find more details in this public document.
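Three of the threads above (the AKS virtual node that gets a 403, the VM that reaches blob storage over an Azure-internal address so its public IP rule never matches, and the VNet2 setup that combines a private endpoint with a service endpoint) come down to the order in which Azure Storage applies its network rules to a request. The following is an added example, not code from any of the answers: a small Python model of that decision, run over the situations the threads describe. The class and field names, the abbreviated subnet IDs, the region and the addresses are this example's assumptions, and RBAC role assignments are a separate check that the model leaves out.

```python
"""Model of how Azure Storage network rules admit or reject a request.

Added example; the decision order it encodes is the documented one:
  1. a request arriving through a private endpoint is not subject to the
     account's network rules at all;
  2. default action Allow admits everything else;
  3. a virtual network rule admits a client whose subnet is listed and carries
     the Microsoft.Storage service endpoint;
  4. the 'AzureServices' bypass admits trusted Microsoft services;
  5. IP rules are checked only for clients outside the account's region,
     because same-region Azure clients reach storage over Azure-internal
     addresses, so their public IP never appears to the service;
  6. anything else gets the firewall's 403 AuthorizationFailure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ipaddress


@dataclass
class NetworkRules:
    region: str
    default_action: str = "Deny"                          # "Allow" or "Deny"
    ip_rules: List[str] = field(default_factory=list)     # public CIDRs
    vnet_rules: List[str] = field(default_factory=list)   # subnet IDs (abbreviated here)
    bypass: Set[str] = field(default_factory=set)         # e.g. {"AzureServices"}


@dataclass
class Request:
    source_ip: str                             # address the service would see
    source_region: Optional[str] = None        # None: on-premises / internet client
    source_subnet: Optional[str] = None        # subnet the client runs in, if in Azure
    subnet_has_service_endpoint: bool = False
    via_private_endpoint: bool = False
    trusted_service: bool = False


ALLOW = 200
DENY = 403  # "This request is not authorized to perform this operation."


def evaluate(rules: NetworkRules, req: Request) -> Tuple[int, str]:
    """Return (status, reason) for one request against one account's rules."""
    if req.via_private_endpoint:
        return ALLOW, "private-endpoint"
    if rules.default_action == "Allow":
        return ALLOW, "default-action-allow"
    if req.source_subnet in rules.vnet_rules and req.subnet_has_service_endpoint:
        return ALLOW, "vnet-rule"
    if req.trusted_service and "AzureServices" in rules.bypass:
        return ALLOW, "trusted-services-bypass"
    if req.source_region != rules.region:  # IP rules are only reachable from outside the region
        ip = ipaddress.ip_address(req.source_ip)
        if any(ip in ipaddress.ip_network(c, strict=False) for c in rules.ip_rules):
            return ALLOW, "ip-rule"
    return DENY, "AuthorizationFailure"


def scenarios() -> Dict[str, Tuple[int, str]]:
    """The situations from the threads above, run through the model (all inputs constructed)."""
    rules = NetworkRules(
        region="westeurope",
        ip_rules=["203.0.113.10/32",     # on-premises NAT address (TEST-NET-3)
                  "198.51.100.20/32"],   # a same-region VM's own public IP, added in vain
        vnet_rules=["vnet1/aks-nodes"],  # real rules hold full subnet resource IDs
        bypass={"AzureServices"},
    )
    cases = {
        # pod on a regular AKS node: subnet is listed and carries the service endpoint
        "aks-node": Request("10.0.1.5", "westeurope", "vnet1/aks-nodes", subnet_has_service_endpoint=True),
        # same pod on the virtual node: that subnet cannot carry a service endpoint
        "virtual-node": Request("10.0.2.5", "westeurope", "vnet1/virtual-node"),
        # same-region VM whose public IP is in the IP rules: the rule is never consulted
        "same-region-vm-ip-rule": Request("198.51.100.20", "westeurope", "vnet1/vm"),
        # on-premises client arriving from its NAT address: outside the region, IP rule applies
        "on-prem": Request("203.0.113.10", None),
        # VM in VNet2 that resolved the account to its private endpoint
        "vnet2-private-endpoint": Request("10.2.0.4", "westeurope", "vnet2/app", via_private_endpoint=True),
        # the same VM reaching the public endpoint instead (no service endpoint, no rule)
        "vnet2-public-path": Request("10.2.0.4", "westeurope", "vnet2/app"),
        # a trusted Microsoft service admitted by the bypass
        "trusted-service": Request("10.0.3.1", "westeurope", trusted_service=True),
    }
    return {name: evaluate(rules, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (status, reason) in scenarios().items():
        print(f"{name:24s} -> {status} {reason}")
```

The two denials worth noting are the virtual node and the same-region VM: both fail with the same AuthorizationFailure the AKS thread shows, and neither is fixed by adding a public IP to the firewall, because for in-region clients only a virtual network rule (and therefore a service endpoint on the client's subnet) or a private endpoint can admit the request.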

Access Azure Storage from Azure VM without outbound internet

I have a VNet with a DMZ and multiple internal subnets configured. There is a security requirement to block all outbound internet connections for the internal subnets.
Now, this VM needs to access Azure Blob Storage, which is hosted in the same region.
I am wondering how to access Azure Blob Storage without an outbound internet connection.
Pondering questions like:
1) Can I attach an Azure Storage account to my Azure VNet?
2) Is there an existing solution where I access the internet via a jump-box network configuration, where my VM's internet traffic goes via the jump box?
3) Can this be achieved via network ACLs, or is there some better solution?
Now, this question is a mix of networking and Azure services; not sure of the right forum for this, Server Fault or Stack Overflow?
Azure Storage uses a public endpoint, as it's a multi-tenant service. You cannot add your Azure storage account to your VNet, since this is not an endpoint you control.
You'll need to access storage directly, via its <storagename>.blob.core.windows.net endpoint. How you ultimately accomplish that is up to you.
