Tutorial / Cram Notes
Azure Storage accounts can be configured to accept traffic only from specific virtual networks (VNets). This works in two halves: the Microsoft.Storage service endpoint is enabled on a subnet, and the storage account's network rules are then set to allow that VNet/subnet. Choosing "Selected networks" switches the account's default action to Deny, so any client not covered by a rule is refused, including the Azure portal and your own workstation unless their public IP is also allowed.
Steps to configure VNet service endpoints:
- Navigate to your storage account in the Azure portal.
- Under the “Networking” section, go to the “Firewalls and virtual networks” tab.
- Select “Selected networks” under “Allow access from” (newer portal builds word this as “Enabled from selected virtual networks and IP addresses” under “Public network access”).
- Click on “Add existing virtual network,” select the desired VNet and subnet, and then click on “Add”.
Apart from VNets, you can also configure IP network rules that allow access from specific public IP addresses or CIDR ranges. Two caveats: only public (Internet-routable) addresses are accepted, and IP rules have no effect on requests that originate in the same Azure region as the storage account, because those arrive over private addresses; use a VNet rule for same-region Azure workloads.
Steps to configure IP rules:
- Within the same “Firewalls and virtual networks” tab, under the “Firewall” section, enter the public IP address or CIDR range you want to allow.
- Click “Add” to add it to the allowed list, then “Save”.
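The two procedures above as one Az PowerShell script. This is an added example, not code from the original notes; the resource group, account, VNet and subnet names and the office IP range are assumptions to replace with your own.

```powershell
# Added example, not from the original notes. Names and the IP range are assumptions.
$rg         = "rg-storage-demo"
$account    = "stsecuredemo01"
$vnetName   = "vnet-app"
$subnetName = "snet-app"
$officeCidr = "203.0.113.0/24"   # RFC 5737 documentation range standing in for the office's public block

# 1. Enable the Microsoft.Storage service endpoint on the subnet. Without it the
#    VNet rule added below is accepted by the account but never matches traffic.
#    Set-AzVirtualNetworkSubnetConfig rewrites the subnet config, so if the subnet
#    already has other service endpoints, an NSG or a route table, pass them too.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Switch the account to "Selected networks": default action Deny, with the
#    AzureServices bypass so trusted platform services (Azure Monitor, Backup, ...)
#    still reach the account. Use -Bypass None for the strictest setting.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Allow the subnet (VNet rule) and the office public range (IP rule).
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange $officeCidr | Out-Null

# 4. Verify the effective rule set. DefaultAction must read "Deny": an account
#    that has rules but DefaultAction "Allow" is still open to the world.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
"DefaultAction : $($rules.DefaultAction)"
"Bypass        : $($rules.Bypass)"
"VNet rules    : $($rules.VirtualNetworkRules.VirtualNetworkResourceId -join ', ')"
"IP rules      : $($rules.IpRules.IPAddressOrRange -join ', ')"

# 5. Negative test, run from a host that is neither in the subnet nor in the
#    office range, using your signed-in identity rather than a key. A request the
#    firewall rejects fails with HTTP 403 and the message
#    "This request is not authorized to perform this operation." (AuthorizationFailure).
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
try {
    Get-AzStorageContainer -Context $ctx | Out-Null
    "Reachable: this host is covered by a rule (or DefaultAction is still Allow)"
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
```

Run step 5 twice, once from inside the allowed subnet and once from outside, before declaring the configuration done; the rule set listing alone does not prove that traffic is actually being refused.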
Private Endpoints
Private endpoints give the storage account a network interface with a private IP address inside your VNet, so clients reach it over the Azure backbone instead of the public endpoint. An endpoint is created per sub-resource (blob, file, queue, table, dfs, web), and it only helps if DNS resolves the account's hostname to that private IP; in Azure this is done with a private DNS zone such as privatelink.blob.core.windows.net linked to the VNet. Once clients use the private path, public network access on the account can be disabled altogether.
Steps to configure a private endpoint:
- Go to the “Private endpoint connections” tab under the “Networking” section of your storage account.
- Click on “+ Private endpoint” to create a new one.
- Fill out the required fields: the target sub-resource (for example blob), the VNet and subnet that will host the endpoint, and, on the DNS tab, integration with the matching private DNS zone; then complete the creation process.
- Verify from a VM in the VNet that the account's FQDN now resolves to the endpoint's private IP, and only then disable public network access on the account.
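The private endpoint procedure end to end, including the DNS integration the portal does on the DNS tab and the final step of closing the public endpoint. This is an added example, not the original notes' code; names, the region and the endpoint subnet are assumptions.

```powershell
# Added example, not from the original notes. Names, region and subnet are assumptions.
$rg       = "rg-storage-demo"
$account  = "stsecuredemo01"
$location = "westeurope"
$vnetName = "vnet-app"
$peSubnet = "snet-privateendpoints"
$zoneName = "privatelink.blob.core.windows.net"   # fixed zone name for the blob sub-resource

$sa     = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnet

# 1. Private endpoint for the "blob" sub-resource. Each sub-resource you use
#    (blob, file, queue, table, dfs, web) needs its own endpoint and DNS zone.
$conn = New-AzPrivateLinkServiceConnection -Name "$account-blob-conn" `
    -PrivateLinkServiceId $sa.Id -GroupId "blob"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$account-blob" `
    -Location $location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone linked to the VNet, plus a zone group so the A record for
#    the endpoint's private IP is created and kept in sync by the platform.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName }
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 3. Now that VNet clients have a private path, refuse the public endpoint.
#    Do this last: doing it first cuts clients off before DNS is in place.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -PublicNetworkAccess Disabled | Out-Null

# 4. Check from a VM inside the VNet: the public FQDN should CNAME to the
#    privatelink name and resolve to an address from the endpoint subnet.
#    From outside the VNet the same name still resolves to a public IP; that is
#    expected, and the account simply rejects that path with 403.
Resolve-DnsName "$account.blob.core.windows.net" | Select-Object Name, Type, IPAddress
```

If step 4 still returns a public IP from inside the VNet, the usual causes are a VNet that uses custom DNS servers without a forwarder to Azure DNS (168.63.129.16) or a zone that was created but never linked to the VNet.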
Service Tags and Resources
Azure service tags are Microsoft-maintained groups of IP address prefixes, so that network security group (NSG) rules can refer to a service such as Storage without listing its addresses. A typical use is an outbound NSG rule that allows a subnet to reach Azure Storage in its own region while other Internet egress is denied. Be clear about what this does and does not do: the Storage tag covers every storage account in that region, so it limits which service the subnet can talk to, not which account; restriction to your account still comes from the storage firewall or a private endpoint.
Example of using a service tag in an outbound NSG rule:
Priority: 100
Name: Allow-Storage
Direction: Outbound
Port: Any
Protocol: Any
Source: VirtualNetwork
Destination: Service Tag
Destination Service Tag: Storage.[Region] (for example Storage.WestEurope)
Action: Allow
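The rule above built with Az PowerShell, paired with the deny rule that makes it meaningful and attached to the subnet. This is an added example, not from the original notes; names and the region are assumptions, and it assumes the subnet already has the Microsoft.Storage service endpoint from the earlier steps.

```powershell
# Added example, not from the original notes. Names and region are assumptions.
$rg         = "rg-storage-demo"
$location   = "westeurope"
$vnetName   = "vnet-app"
$subnetName = "snet-app"
$storageTag = "Storage.WestEurope"   # regional scope of the Storage service tag

# Allow HTTPS to Azure Storage in this region only. Azure Files over SMB would
# additionally need TCP 445 to the same tag.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name "Allow-Storage-Region" `
    -Description "HTTPS to Azure Storage in this region only" `
    -Direction Outbound -Priority 100 -Access Allow -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix $storageTag -DestinationPortRange 443

# Lower priority number wins, so this deny sits behind the allow above but in
# front of the built-in AllowInternetOutBound default rule (priority 65001).
# Without it the allow rule changes nothing: everything is already allowed.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Outbound" `
    -Description "No other egress to the Internet" `
    -Direction Outbound -Priority 4000 -Access Deny -Protocol * `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-$subnetName" -SecurityRules $allowStorage, $denyInternet

# Attach the NSG to the subnet. Set-AzVirtualNetworkSubnetConfig rewrites the
# subnet config, so the existing Microsoft.Storage service endpoint is passed again.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg `
    -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Show the effective rules in priority order as a sanity check.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Direction, Access, Protocol, DestinationAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Remember that "Storage.WestEurope" still includes storage accounts owned by anyone else in that region, which is exactly the exfiltration path an attacker on a compromised VM would use; the NSG narrows the destination service, and the account-side firewall or a private endpoint narrows the destination account.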
Advanced Threat Protection (Microsoft Defender for Storage)
Enable Microsoft Defender for Storage, the feature the portal and older exam material called Advanced Threat Protection (ATP), to get alerts on anomalous access to the account, such as access from unusual locations or anonymizing networks, unusual amounts of data extracted, and potential malware uploads. It is a detection control, not a network control: it does not block any traffic, so it complements the firewall and private endpoints rather than replacing them.
Steps to enable it:
- Go to the “Security + networking” section of your Azure Storage account and click “Microsoft Defender for Cloud” (older portal builds: “Advanced Threat Protection”).
- Enable the plan for the account. It can also be turned on for every storage account in a subscription from Defender for Cloud’s environment settings, which is the usual choice.
- Make sure the alerts go somewhere they are read, for example Defender for Cloud email notifications or a continuous export to Log Analytics or a SIEM.
Monitoring and Logging
Azure provides two logging paths for tracking requests to a storage account: Azure Monitor resource logs, configured through diagnostic settings and queryable in Log Analytics as the StorageBlobLogs, StorageFileLogs, StorageQueueLogs and StorageTableLogs tables, and the older Storage Analytics logging, which writes to a $logs container in the account itself. Resource logs are the current recommendation because they can be routed to a Log Analytics workspace, an Event Hub or another storage account, and alerts can be built on them. Both record the caller IP, authentication type, operation and status of each request, which is what you need to see who the firewall is turning away.
Configuring resource logs:
- Navigate to the “Monitoring” section of your Azure Storage account.
- Select “Diagnostic settings”. Settings are per service, so pick blob, queue, table or file; the account-level entry carries metrics only.
- Choose the log categories (StorageRead, StorageWrite, StorageDelete) and a destination, then save.
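Configuring the blob-service diagnostic setting with Az PowerShell and then querying the resulting StorageBlobLogs table for requests the network rules rejected. This is an added example, not from the original notes; the resource names are assumptions, and the KQL uses the documented StorageBlobLogs columns.

```powershell
# Added example, not from the original notes. Names are assumptions.
$rg        = "rg-storage-demo"
$account   = "stsecuredemo01"
$workspace = "law-security"

$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace

# 1. Diagnostic setting on the blob service. The account resource itself only
#    emits metrics; request logs hang off <account>/blobServices/default, and
#    likewise fileServices, queueServices and tableServices for the other services.
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category StorageRead
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category StorageWrite
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category StorageDelete
)
$metrics = @(New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category Transaction)
New-AzDiagnosticSetting -Name "diag-blob-to-law" `
    -ResourceId "$($sa.Id)/blobServices/default" `
    -WorkspaceId $ws.ResourceId -Log $logs -Metric $metrics | Out-Null

# 2. Hunt for callers the firewall turned away. A 403 with StatusText
#    "AuthorizationFailure" is what Azure Storage returns when a request reaches
#    the public endpoint from an address no VNet or IP rule allows, so a spike
#    here is either a misconfigured client or someone probing the account.
#    CallerIpAddress includes the source port ("203.0.113.7:51234"), hence the split.
$kql = @"
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where StatusCode == 403
| extend CallerIp = tostring(split(CallerIpAddress, ":")[0])
| summarize Requests = count(), Operations = make_set(OperationName)
    by CallerIp, AuthenticationType, StatusText, bin(TimeGenerated, 1h)
| order by Requests desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
```

Logs take a few minutes to appear after the setting is created, so run the negative test from the firewall section first and then confirm that the rejected request shows up here with your own source IP; that closes the loop between the control and its telemetry.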
By combining these configurations, administrators can create a robust network access policy tailored to their organization’s needs while also preparing for scenarios likely to be covered in the AZ-104 exam.
A comparison of access controls:
| Access Method | Description | Use Case |
|---|---|---|
| VNet rules (service endpoints) | Allow traffic from specific VNet subnets that have the Microsoft.Storage service endpoint | Azure workloads reaching the account without a private endpoint |
| IP rules | Allow specific public IP addresses or CIDR ranges | External workloads with known public IPs (no effect on same-region Azure traffic) |
| Private endpoints | Give the account a private IP in your VNet and allow the public endpoint to be disabled | Workloads in customer VNets, peered VNets, or on-premises over VPN/ExpressRoute |
| Service tags | Refer to the Storage service by name in NSG rules | Restrict a subnet's egress to Azure Storage in a region; does not select a specific account |
| Microsoft Defender for Storage (ATP) | Alerts on anomalous or malicious access to the account | Detecting probing, unusual exfiltration and malware uploads |
| Logging | Per-request records (caller IP, auth type, operation, status) via resource logs or Storage Analytics | Auditing, troubleshooting rejected requests, feeding alerts |
Each access method offers unique advantages, depending on the specific security and architecture requirements of the Azure infrastructure. An Azure Administrator should be knowledgeable about when and how to implement each for maximum security and compliance.
Practice Test with Explanation
True or False: You can restrict access to a storage account by allowing traffic from selected virtual networks only.
- True
Explanation: Azure Storage accounts can be configured with virtual network service endpoints to restrict access to selected VNets.
True or False: Storage account access keys are required to use shared access signatures (SAS).
- False
Explanation: It depends on the SAS type. An account SAS or a service SAS is signed with one of the account's access keys, so a key is needed to create it, although the client presenting the SAS never sees the key. A user delegation SAS for Blob Storage is instead signed with a Microsoft Entra ID (Azure AD) credential and needs no account key at all, which is why it is the recommended type.
What is used to define network access to Azure Storage on a finer level, including by IP address range or VNet?
- A) Azure Policy
- B) Azure Active Directory
- C) Network Security Groups (NSGs)
- D) Virtual Network Service Endpoints and IP network rules
Answer: D) Virtual Network Service Endpoints and IP network rules
Explanation: Virtual Network Service Endpoints and IP network rules are used to define network access to Azure Storage accounts according to IP address range or VNet.
True or False: Once you set up a service endpoint for a storage account, resources in the VNet cannot communicate with any other storage accounts unless explicitly allowed.
- False
Explanation: A service endpoint is a property of the subnet, not of a particular storage account: it routes the subnet's Storage traffic over the Azure backbone and tags it with the VNet and subnet identity. It does not stop resources in that subnet from reaching other storage accounts. Whether a given account accepts the traffic is decided by that account's own network rules; limiting which accounts a subnet may reach is a job for outbound NSG rules, Azure Firewall, or private endpoints with public access disabled.
Which of the following is a feature that offers an additional layer of network security on Azure?
- A) Azure Firewall
- B) Azure Blob Storage
- C) Azure Advisor
- D) Azure Storage Explorer
Answer: A) Azure Firewall
Explanation: Azure Firewall offers a highly available and scalable service that creates a barrier between Azure virtual networks and the internet to provide an additional layer of network security.
True or False: Cross-Origin Resource Sharing (CORS) is an Azure feature that helps in restricting access to Azure Storage accounts based on the request’s origin.
- False
Explanation: CORS rules on a storage account tell browsers which web origins may read responses from the storage service. They are enforced by the browser, not by the storage account, and any non-browser client ignores them, so CORS is not an access control. Restricting access is the job of authorization (keys, SAS, Microsoft Entra ID) and of network rules.
Which type of shared access signature can be used to provide access to resources in multiple storage accounts?
- A) Account-level SAS
- B) Service-level SAS
- C) User Delegation SAS
- D) None of the above
Answer: D) None of the above
Explanation: Every SAS type is scoped to a single storage account. An account SAS can cover one or more services (blob, file, queue, table) within that account; a service SAS is limited to one resource in one service; a user delegation SAS is a blob-only SAS signed with Microsoft Entra ID credentials. Access to several accounts needs a separate SAS per account.
True or False: Azure Private Link provides a way to connect to Azure Storage accounts using Azure’s backbone network without having to expose your storage account to the public Internet.
- True
Explanation: Azure Private Link enables you to access Azure Storage accounts through a private endpoint within your virtual network, providing secure connectivity without exposure to the public internet.
What is the purpose of Azure Storage Service Encryption?
- A) To increase storage capacity
- B) To secure stored data at rest
- C) To enhance processing speed
- D) To monitor storage access patterns
Answer: B) To secure stored data at rest
Explanation: Azure Storage Service Encryption is used to encrypt data at rest to ensure that the data is secure and meets compliance requirements for encryption.
In Azure, which action will revoke all active shared access signatures and require generating new signatures for future access?
- A) Deleting the storage account
- B) Regenerating storage account access keys
- C) Disabling the storage account firewall
- D) Modifying CORS rules
Answer: B) Regenerating storage account access keys
Explanation: An account SAS or service SAS is signed with one of the two account keys, so regenerating that key invalidates every SAS derived from it; rotate both keys to revoke all key-based SAS. Three caveats: a user delegation SAS is not affected by key rotation (revoke it by revoking the user delegation keys or removing the signer's RBAC role), key rotation also breaks every application that uses that key directly, so rotate one key at a time and move clients to the other, and a service SAS tied to a stored access policy can be revoked more surgically by deleting the policy without touching the keys.
Interview Questions
What is storage account network security?
Storage account network security enables you to control access to your storage account over a network.
What types of networks can access a storage account?
A storage account can be accessed by the internet, Azure virtual networks, or a combination of both.
How can you secure a storage account?
You can secure a storage account by configuring network security rules, using Azure Private Link, or by creating a virtual network service endpoint.
What is a network rule on a storage account?
A network rule is an entry in the storage account's firewall that identifies traffic allowed to reach the account's public endpoint: a public IP address or CIDR range, a VNet subnet that has the Microsoft.Storage service endpoint, or a specific Azure resource instance. Storage network rules are inbound only; a storage account has no outbound rules.
How can you create a network rule?
Set the account's default action to Deny, then add IP rules or VNet rules in the portal, with Add-AzStorageAccountNetworkRule, or with az storage account network-rule add. Rules that take a source range, destination range, protocol and an allow/deny action are NSG rules; they apply to subnets and NICs, not to the storage account itself.
What is Azure Private Link?
Azure Private Link is a networking feature that allows you to access a service over a private endpoint in your virtual network.
How does Azure Private Link work with storage accounts?
With Azure Private Link, you can create a private endpoint for your storage account, which allows you to access your storage account securely over your virtual network.
What is a virtual network service endpoint?
A service endpoint is a subnet setting that gives the subnet a direct route to a specific Azure service (here Microsoft.Storage) over the Azure backbone and lets that service identify traffic by the VNet and subnet it came from. The storage account keeps its public IP; what changes is the route and the ability to write an account rule that says "allow this subnet".
How can you create a virtual network service endpoint for a storage account?
Enable the Microsoft.Storage service endpoint on the subnet (VNet > Subnets > Service endpoints), then add a VNet rule on the storage account that references that VNet and subnet. Both halves are needed: the endpoint alone allows nothing, and the rule alone never matches.
What are the benefits of using network security for storage accounts?
A smaller attack surface, since a leaked key or SAS is useless from a network the account does not accept; traffic that stays on the Microsoft backbone instead of the public Internet; and a clearer audit trail, because rejected requests show up in the logs as 403 AuthorizationFailure with the caller's IP.
How can you monitor network access to a storage account?
By querying Azure Monitor resource logs (the StorageBlobLogs, StorageFileLogs, StorageQueueLogs and StorageTableLogs tables in Log Analytics, populated through diagnostic settings) or, on the classic path, the Storage Analytics logs written to the $logs container. Both record the caller IP, authentication type, operation and status of every request, and Log Analytics lets you alert on them.
What is the difference between public and private endpoints for storage accounts?
Public endpoints allow you to access a storage account over the internet, while private endpoints allow you to access a storage account over a virtual network.
Can you configure network security rules for a specific container within a storage account?
No. Network rules apply to the whole storage account; there is no per-container firewall. To narrow access to one container, scope the authorization instead: a SAS or stored access policy on that container, or an RBAC role assignment at container scope. A SAS can additionally carry a signed IP range (the sip field) that the service checks at request time, but that is an authorization condition on the token, not a network rule on the account.
How can you test your network security configuration for a storage account?
Attempt to connect with Azure Storage Explorer, Az PowerShell or the Azure CLI from both an allowed network and a disallowed one. From the disallowed network the request must fail with HTTP 403 and the error code AuthorizationFailure, and the failed request should then appear in the storage logs with that source IP.
What is the recommended approach for securing a storage account over a virtual network?
The recommended approach for securing a storage account over a virtual network is to use Azure Private Link.
Great post on configuring network access to storage accounts! This is really helpful for my AZ-104 prep!
Why do we need virtual network service endpoints when configuring network access to storage accounts?
Can someone explain the difference between service endpoints and private endpoints?
What’s the significance of the Azure Storage firewall?
Feeling confident for the AZ-104 exam now after reading this!
How does Managed Identity play into securing storage account access?
This blog post is a lifesaver! Thanks!
Not enough details on configuring private endpoints. Could you add some more illustrations or examples?