Access Azure Storage from Azure VM without outbound internet - azure

I have VNET with DMZ and multiple internal subnets configured. There is security requirement to block all the outbound internet connection for the internal subnets.
Now, this VM needs to access Azure blob storage which hosted in the same region.
I am wondering to access Azure Blob storage without outbound internet connection.
Pondering on questions like
1) Can I attach Azure Storage account in my azure VNET
2) Can there is existing solution, where I am access internet via JUMP-BOX network configuration, where my VM internet traffic goes via Jump box
3) Can this be achieve via Network ACLs or some better solution?
Now, this question is mix of networking and azure services, not sure of the right forum for this, server-fault or stack-overflow?

Azure Storage uses a public endpoint, as it's a multi-tenant service. You cannot add your Azure storage account to your VNet, since this is not an endpoint you control.
You'll need to access storage directly, via its <storagename>.blob.core.windows.net endpoint. How you ultimately accomplish that is up to you.

Related

Subnet Delegation and Service Endpoints for Azure SQL Database in a vnet?

If I am setting up an Azure SQL Database in a vnet which Azure App Service and Azure Function will access. Is using both Subnet Delegation and Service Endpoints the right way to go? I didn't fully understand the documentation.
Regarding subnet delegation, I read this Microsoft article and this stackoverflow post, which stated:
When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate their instances in a stable manner.
That sounds like a good thing but makes me wonder how it worked efficiently w/o subnet delegation.
As for Service Endpoints, I read this Microsoft article, which states:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
They both sound like they have the same benefits and I'm struggling to understand the difference. I suppose the larger question is should I enable both for the simple architecture outlined above.
In the Microsoft service endpoints documentation they also mention:
Microsoft recommends use of Azure Private Link for secure and private access to services hosted on Azure platform. For more information, see Azure Private Link.
For some reason that seems like an Azure to on-premise thing.
• You cannot use a ‘Subnet Delegation’ along with a ‘Private endpoint’ since that subnet is delegated for the said service, in your case, the Azure SQL Database. Through a subnet delegation, you can define the NSG association for it, as well as associate multiple delegated subnets to a common NSG. You can also define the IP Address space for the delegated subnet, the route table association with it, the custom DNS entry configuration in Azure DNS as well as define the minimum number of IP Addresses available for that delegated subnet. Similarly, with regards to service endpoint, these stated functions are not available.
• In service endpoint, you do not have control over the routing mechanism as well as the IP address related allotment, reservation, or configuration. Also, managing DNS entries for the resources managed through them and controlling them through a firewall or NAT gateway isn’t required unlike a subnet delegation because all these things are managed by Microsoft Azure’s backbone network on your behalf.
Thus, both have their own features and specifications for enabling you to configure according to your own requirements.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
Yes, you will have to create a firewall rule to allow the access from on-premises system to Azure SQL Server/Database and configure the service endpoint accordingly to allow the VPN client IP Addresses for accessing the same over public internet.
Also, through Azure private link, you won’t be able to connect from on-premises to Azure as it uses a private IP address and a private DNS zone entry related to it to connect to Azure resources in the same virtual network.
To know more regarding the configuration of Azure service access from on-premises network, kindly refer to the below given link: -
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-service-access-from-on-premises
Also, refer to the below snapshots regarding the configuration and selection of service endpoint for a particular subnet: -

Is there a way to prefer Azure Service Endpoint over Private Endpoint?

Scenario:
I have a hub & spoke architecture with Azure Firewall, which acts as my DNS server to VNets in all spokes. I also have a VPN connection, which I use to transfer data to my Azure Data Lake Storage Gen2. For that I use Private Endpoint, which is configured with Private DNS Zone associated with a Hub network.
So for - all great, all my traffic is secure, wherever I connect to my ADLS Gen2 from premises or from Databricks in Azure.
Now here's the problem. It costs a lot of money since Azure Private Endpoints charges you for inbound and outbound traffic.
So the question is, is there away to tell my Databricks nodes to use Service Endpoint (which is free) rather than Private Endpoint since Azure Firewall DNS always returns a private IP for my ADLS? I still need to keep Private Endpoint to be able to securely connect from my premises.
• Though you cannot create a service endpoint directly for the Azure Databricks workspace to transfer data from the Azure Data Lake Storage Gen 2 to it, but you can surely connect your Azure Databricks workspace to your on-premises network through the transit virtual network gateway created in the virtual network where your Azure Databricks workspace is peered. For that purpose, you will have to set up Azure virtual network gateway in the virtual network in which ADLS Gen2 has been deployed.
• Once the above said has been done, peer the virtual networks in which the private endpoint is configured and the one where ADLS Gen2 storage account is configured such that the Azure Databricks workspace is able to create a virtual network peering with the virtual network where Service endpoint for the Microsoft storage account is configured.
• Then configure the user defined routes and associate them with your Azure Databricks virtual network subnets and validate the setup. Kindly refer to the network diagram below for more clarification: -
For more information, kindly refer to the documentation link below: -
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/on-prem-network

Azure Functions storage account network security

I am currently working with a client that requires access to all Azure resource locking down as much as possible and I am having problems with the Storage Account that is utilised by our Azure Functions.
With the Firewalls and Virtual Networks blade in portal set to "All Networks" I am able to deploy to the Function App and it runs without issue.
However once I enable the access restriction by checking "Selected Networks"no matter what virtual network subnets I enter or IP Addresses I can not get the communication to work
I have entered the Outbound IP Addresses of our Consumption based Function App and also check that the additional IP Addresses from the Powershell and all have been added to the whitelist. I have also added all the CIDR IP ranges of the local Azure datacenter but again it does not work.
The problem we have is that once the access restrictions have been put into place we are unable to deploy to the Function App and the app no longer runs. Is this scenario supported and what is the mechanism for tying down access to the Storage Account so that only the Function App can utilise it.
As far as I know, you have two options to restrict access to your storage account from your function app or web app.
Whitelist the outboundIpAddresses and possibleOutboundIpAddresses of the function app in the firewall of the storage account. However, it does not work if the Azure function app and Azure storage located in the same region refer to Sam's answer.
when you hit the storage account from your function, because they are
in the same region as each other, all the traffic goes over the
internal Azure network on internal IP's, not the public IPs listed in
the web app, and so is not allowed over the firewall.
If your resources were in different regions, you could use the network section of function app to allow function app to access resources in a VNet, then enable service endpoint for Microsoft.Storage in this app integration subnet. But you need Azure Functions Premium plan referring to this tutorial: integrate Functions with an Azure virtual network.
Sometimes, the deployment order for networking is important. In this case, you will deploy the followings:
Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the function app is restarted, you could enable service endpoint for this subnet. In the end, you could add the subnet in the firewall of the storage account.
Note that the new version is in Preview, currently. You could also check these characteristics and get more references from this thread.

Azure Functions access to Azure Storage Account Firewall

What am I trying to achieve
Connect to an Azure BLOB storage account that sits behind a firewall through an Azure Function.
Steps Taken so Far
Azure Function developed and tested against public storage account which works as expected.
Following Azure Resource Explorer for my Azure Function I find out the outbound addresses("outboundIpAddresses" entry) and I add them in the firewall of the storage Account.
Issue
While trying to run the Azure Function against the storage account with the firewall I am getting a Status: 500 Internal Server Error - This request is not authorized to perform this operation.
What am I missing here?
You won't be able to achieve what you want here currently. When you hit the storage account from your funciton, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IP's, not the public IPs listed in the web app, and so is not allowed over the firewall (I have had this confirmed by Azure support). Because you don't have access to the internal IPs of the function, and even if you did they can change, you can't whitelist them.
If your resources were in different regions, traffic would go over the external IPs and you would have more success.

Azure Storage firewall open to Azure App Service

I have an Azure Storage account and need to enable the storage firewall.
I have added the outbound IP addresses of my App Service, but the firewall still prevents access. (I know that these addresses can change, but they change predictably, so I can live with that.)
Is there a solution to grant an App Service access to the Storage account other than disabling the firewall (and other than using an ASE, which isn't an option)?
So it turns out that in a new Azure Storage account with a new App Service, setting the storage firewall to the outbound IPs of the App Service does work as expected. Unless the client browser is actually doing the download, adding the client's IP is not required.
Edit
This only works reliably when the storage account is in a different data centre to the App Service. When they are both in the same data centre, an internal outbound address (e.g. 10.x.x.x) is presented from the App Service to the Storage account. Internal addresses cannot be added to the Storage firewall.
If you access your web app service from on-premises networks, you need to grant access from your on-premise networks to your storage account with a public Internet-facing IP address used by your network. You can get more details from Grant access from an internet IP range
If you have VNet Integration with your apps. You should first enable service endpoints for storage in the VNet. You can refer to Grant access from a virtual network.

Resources