Azure Storage Account: Firewall and virtual networks - azure

I have enabled Virtual Network and Firewall access restrictions for Azure Storage Account, but faced the issue, that I do not have an access to Storage Account from Azure Functions(ASE environment), despite fact that ASE public address is added as exception. Additionaly, I have added all environment's virtual networks just to make sure.
Is there any way to check from which address functions/other services is trying to get an access to storage account?
Also, I have a tick "Allow trusted Microsoft services to access this storage account
". I'm not sure what is included into "trusted Microsoft services".
In the Application Insight Functions logs, only timeout issue appears, without additional explanation.
Could you please help me to understand how to properly configure storage account access restriction?

Have a look of this doc:
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services
From your description, I think you dont give a RBAC role to your azure function to access the storage.
Do this steps:
If you need more operation. Like do something with the data. Do need to add more RBAC roles, have a look of this offcial doc to learn more about RBAC roles:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#all

Related

Restricting access to storage account containing package blob for cloud service (extended support) deployment

I'm nearly done migrating our cloud service (classic) deployments to cloud service (extended support). I'm working now on updating deployment pipelines. My package blob is located in a storage account. I create a SAS for the blob and use an API call to management.azure.com to create/update the deployment, passing ARM template as the body of the request.
This works correctly as long as the storage account with the package blob has its network set to "allow access from all networks". I want to restrict this access. I set the allow access from:
specific IP addresses of our devops servers
our own IP addresses
private vnet/subnets for the cloud service
I also tick the "Allow Azure services on the trusted services list to access this storage account" checkbox.
Yet, API call fails with error message indicating access is not allowed to the blob. When I change the storage account network configuration to "allow access from all networks", everything works correctly.
With lots of searches, I found only one hit explaining the same problem - https://github.com/Azure/azure-powershell/issues/20299 - yet no solution has been suggested other than allowing access from all networks.
I must be missing some trick - but what is it? How can I restrict access to the storage account?

Accessing Azure Storage Accounts with Selected Network Enabled

As per the requirements, I need to Enable Firewall with Selected Network ON for Azure Storage Accounts. But when I do the same along with adding all required IPs, Azure Function App and Azure Data Factory is going down.
Currently the VNET is unavailable and cannot be created. Managed Identity is not an option as Contributor role unavailable.
Is there a way to to configure the Data Factory and Function Apps after enabling FireWall with selected networks for Azure KeyVault and Azure Storage Accounts.
Please find the below steps helps to work around:
Is there a way to to configure the Data Factory and Function Apps after enabling FireWall with selected networks for Azure KeyVault and Azure Storage Accounts.
When Network rules like specified IP Addresses, IP Ranges, subnets are configured to the storage accounts, then that storage accounts can only be accessed by applications that request data over the specified set of networks or through the specified set of Azure resources.
Also, the option Allow Trusted Services is set to ON while enabling the firewall for a storage account, which allows connectivity from Azure trusted services like Data Factory, Azure functions, etc.
Visit this documentation to know the list of trusted services allowed to access a key vault in Azure.
You have to create the VNet, attach to the Azure Function App which helps to connect to the Storage Account.
Currently the VNET is unavailable and cannot be created. Managed Identity is not an option as Contributor role unavailable.
To enable a service endpoint for a subnet/IP Addresses attached to Storage account, you can have custom role like Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action.
Refer to MSFT Docs1 and here for more information.

Azure Storage Account Firewall Permissions for Vulnerability Assessment

I have created a storage account for use in storing the results of an Azure Vulnerability Assessment on an Azure SQL Database.
If the firewall on the storage account is disabled, allowing access from all networks, Azure Vulnerability Scans work as expected.
If the firewall is enabled, the Azure Vulnerability Scan on the SQL Database reports an error, saying the storage account is not valid or does not exist.
Checking the box for "Allow Azure services on the trusted services list to access this storage account." in Networking properties for the storage account does not work to resolve this issue, though it is the recommended step in the documentation here: https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-storage
Allow Azure Services
What other steps could resolve this issue, rather than just disabling the firewall?
You have to add the subnet and vnet that is being used by the SQL Managed Instance as mentioned in the document you are following . You can refer the below screenshot:
After enabling the service endpoint status as shown in the above image , Click Add . After adding the vnet it should look like below:
After this is done , Click on save and you should be able to resolve the issue.
Reference:
Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets - Azure SQL Database | Microsoft Docs

Shared or private resources on azure portal

My company has a Microsoft account (office365, mails, ...)
I plan to work with azure virtual machines.
There is something strange: all my virtual machines and all my azure resources (websites, ...) are private. My collegues cannot manage them. They can connect with ssh but they don’t see entry in there azure portal account.
Is there a way to share all the azure resources in the whole company, for all users ?
Thanks
You have to assign role to see azure resources. In azure we have a bunch of predefined roles for example - reader. If you assign reader role at the subscription level, so the member can read all resources located in that subscription, but can not make any changes. Here can you read more about roles based access control
Why users can connect to vm, but can't see in the portal? My bet is that VM ports are not blocked and all internet can connect to those VM's.

How to provide access to storage account in Azure using service principal

I have a account in Azure portal. When I try to access to the specific storage account, its says "Access denied" and unable to open the blob container.
But I have created the storage account using the service principal which got all access.
Now I want to view the storage account using my Azure user account.
Is there way to provide permissions using service principal?
According to your description, it seems that the special storage account that with firewall set or in the Virtual Networks.
If "Allow access from All networks " is possible, you could choose that or you could add your localhost public ip to allow access it from the internet . For more information, please refer to the screenshot.

Resources