Is there a secure Azure storage option accessible over ExpressRoute (without opening SMB ports)?

  • Question

  • Hi all

    We're trying to find a secure Azure storage option that our security team will be happy with; we need to put PII/personal data on this. We're in the UK so there are strict GDPR rules.

    Our multiple sites are currently connected to our WAN which is connected to our Azure space via ExpressRoute. VMs are set up in secure VNets (private IP addresses) and VNet peering is used (with the necessary BGP/firewall settings) to allow access from these sites. Security are happy with this.

    We need to use our existing robocopy scripts to copy some personal data from our sites to some sort of 'secure' Azure storage (mapped drive/file path - can't use SFTP for this).

    Previously we considered:

    Azure storage/files/BLOB etc: only routable via public IP address over the internet (security does not like this – the outside world could ‘hack’ into it)
    Azure disk mounted on a VM accessible over ExpressRoute by opening up firewalls to SMB ports (security does not like this; malware uses these ports)

    What other alternatives are there? 

    I did look into Service Endpoints (some good info here: https://kvaes.wordpress.com/2019/03/10/hardening-your-azure-storage-account-by-using-service-endpoints/). That does seem to restrict the Azure Storage to be only accessible from your defined VNet and not via the internet (even though it's using a public IP). However, I keep being told by our experts that this WON'T be accessible via ExpressRoute, even if that VNet is VNet peered... I can't really get a technical answer as to why this won't work, though. Anyone able to confirm or deny/explain why not?

    I recently came across Microsoft Peering, which I initially thought allowed you to connect Microsoft services (such as Azure storage) to your private VNets, but it seems it’s a little different from that: effectively, defined public services would be accessed via ExpressRoute... but even then it’s still using public IPs (although security may be more comfortable as the traffic is over ExpressRoute and not the public internet? Could hackers still gain access?) – some more info here:

    https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings

    I've since had an update that we might now go down the route of Microsoft Peering - but it may not be for several months as part of another program and I need a solution quicker than that.

    Any ideas welcome!

    Thanks
    Ross
    Thursday, September 5, 2019 1:56 PM

All replies

  • Just for clarification: have you looked at Private Link service operations, a new top-level resource that provides capabilities to create a private service and expose it for consumption using private endpoints?

    See here for more info: Private Link Services

    Friday, September 6, 2019 1:40 PM
    Moderator
  • Hi Ross, thanks for the detailed post. Currently the only supported option would be to use Service Endpoints. I checked whether ExpressRoute would work in that scenario, but I did not receive a positive answer on that. There could be a new product that could resolve this issue in the future, but we don't have an ETA.
    Friday, September 6, 2019 9:34 PM
    Moderator
  • Hi, thanks for that, it's not something I've come across before. The link shows some technical resources to check/manage said Private Links... I can't seem to find any Azure documentation on these and how they work, though.
    Monday, September 9, 2019 10:25 AM
  • Hi, thanks for the response. It looks like you can use Service Endpoints and secure them like so:

    https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#securing-azure-services-to-virtual-networks

    However, we don't have Microsoft Peering set up yet nor Public Peering (which I believe is being phased out) so this would have to go over the internet rather than ExpressRoute... something I believe our security team would not be happy with.

    Monday, September 9, 2019 10:27 AM
  • Firstly, apologies for the delay in responding here. 
    We introduced a limited preview for private endpoints for storage, which is currently available in East US, West Central US, and West US. It will be available in Europe in the coming weeks. In the meantime, you can test it in the regions where it's available.

    Private endpoints will enable users to securely access the storage account through a private IP address in their VNet. You can use the storage firewall to block access to the storage account from all public endpoints.

    Private endpoints != Service Endpoints. In private endpoints, the traffic is routed through a secure tunnel between the VNet and the storage account, not over the internet.

    Hope this helps! 
    Kindly let us know if the above helps or you need further assistance on this issue. 

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Tuesday, September 17, 2019 7:09 AM
    Moderator
  • Many thanks for this, sounds interesting!

    So, Service Endpoints aren't routable over ExpressRoute - are Private Endpoints?

    Wednesday, September 18, 2019 9:54 AM
  • Looks like they are!

    https://azure.microsoft.com/en-us/services/private-link/

    Thursday, September 19, 2019 11:07 AM
  • "Service Endpoints aren't routable over ExpressRoute - are Private Endpoints?" Yes.

    Kindly let us know if the above helps or you need further assistance on this issue. 

    Monday, September 23, 2019 9:01 AM
    Moderator
  • Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Tuesday, September 24, 2019 12:06 PM
    Moderator
  • Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Wednesday, September 25, 2019 9:30 AM
    Moderator
  • @mrrossi Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Thursday, September 26, 2019 5:31 AM
    Moderator
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Friday, September 27, 2019 9:15 AM
    Moderator