Configure Azure Storage Firewalls and Virtual Networks


Summary

Configure layered network security for your storage account by using the Azure Storage firewall.

Highlights

IP-based firewall rules can't restrict access to Azure services deployed in the same region as the storage account. Services deployed in the same region as the storage account use private Azure IP addresses for communication, so you can't restrict access to specific Azure services based on their public outbound IP address range.

Trusted access for resources registered in your Microsoft Entra tenant
Resources of some services can access your storage account for selected operations, such as writing logs or running backups. Those services must be registered in a subscription that is located in the same Microsoft Entra tenant as your storage account. The following table describes each service and the allowed operations.
Service (resource provider name): allowed operations

Azure Backup (Microsoft.RecoveryServices): Run backups and restores of unmanaged disks in infrastructure as a service (IaaS) virtual machines (not required for managed disks).
Azure Data Box (Microsoft.DataBox): Import data to Azure.
Azure DevTest Labs (Microsoft.DevTestLab): Create custom images and install artifacts.
Azure Event Grid (Microsoft.EventGrid): Enable Azure Blob Storage event publishing and allow publishing to storage queues.
Azure Event Hubs (Microsoft.EventHub): Archive data by using Event Hubs Capture.
Azure File Sync (Microsoft.StorageSync): Transform your on-premises file server into a cache for Azure file shares. This capability allows multiple-site sync, fast disaster recovery, and cloud-side backup.
Azure HDInsight (Microsoft.HDInsight): Provision the initial contents of the default file system for a new HDInsight cluster.
Azure Import/Export (Microsoft.ImportExport): Import data to Azure Storage or export data from Azure Storage.
Azure Monitor (Microsoft.Insights): Write monitoring data to a secured storage account, including resource logs, Microsoft Entra sign-in and audit logs, and Microsoft Intune logs.
Azure networking services (Microsoft.Network): Store and analyze network traffic logs, including through the Azure Network Watcher and Azure Traffic Manager services.
Azure Site Recovery (Microsoft.SiteRecovery): Enable replication for disaster recovery of Azure IaaS virtual machines when you're using firewall-enabled cache, source, or target storage accounts.
Trusted access based on a managed identity
The following table lists services that can access your storage account data if the resource instances of those services have the appropriate permission.
Service (resource provider name): purpose

Azure FarmBeats (Microsoft.AgFoodPlatform/farmBeats): Enables access to storage accounts.
Azure API Management (Microsoft.ApiManagement/service): Enables access to storage accounts behind firewalls via policies.
Microsoft Autonomous Systems (Microsoft.AutonomousSystems/workspaces): Enables access to storage accounts.
Azure Cache for Redis (Microsoft.Cache/Redis): Enables access to storage accounts.
Azure AI Search (Microsoft.Search/searchServices): Enables access to storage accounts for indexing, processing, and querying.
Azure AI services (Microsoft.CognitiveServices/accounts): Enables access to storage accounts.
Azure Container Registry (Microsoft.ContainerRegistry/registries): Through the ACR Tasks suite of features, enables access to storage accounts when you're building container images.
Microsoft Cost Management (Microsoft.CostManagementExports): Enables export to storage accounts behind a firewall.
Azure Databricks (Microsoft.Databricks/accessConnectors): Enables access to storage accounts.
Azure Data Factory (Microsoft.DataFactory/factories): Enables access to storage accounts through the Data Factory runtime.
Azure Backup Vault (Microsoft.DataProtection/BackupVaults): Enables access to storage accounts.
Azure Data Share (Microsoft.DataShare/accounts): Enables access to storage accounts.
Azure Database for PostgreSQL (Microsoft.DBForPostgreSQL): Enables access to storage accounts.
Azure IoT Hub (Microsoft.Devices/IotHubs): Allows data from an IoT hub to be written to Blob Storage.
Azure DevTest Labs (Microsoft.DevTestLab/labs): Enables access to storage accounts.
Azure Event Grid (Microsoft.EventGrid/domains): Enables access to storage accounts.
Azure Event Grid (Microsoft.EventGrid/partnerTopics): Enables access to storage accounts.
Azure Event Grid (Microsoft.EventGrid/systemTopics): Enables access to storage accounts.
Azure Event Grid (Microsoft.EventGrid/topics): Enables access to storage accounts.
Microsoft Fabric (Microsoft.Fabric): Enables access to storage accounts.
Azure Healthcare APIs (Microsoft.HealthcareApis/services): Enables access to storage accounts.
Azure Healthcare APIs (Microsoft.HealthcareApis/workspaces): Enables access to storage accounts.
Azure IoT Central (Microsoft.IoTCentral/IoTApps): Enables access to storage accounts.
Azure Key Vault Managed HSM (Microsoft.keyvault/managedHSMs): Enables access to storage accounts.
Azure Logic Apps (Microsoft.Logic/integrationAccounts): Enables logic apps to access storage accounts.
Azure Logic Apps (Microsoft.Logic/workflows): Enables logic apps to access storage