Restricting Access to a Storage Account to vNets in Separate Regions

  • Question

  • Our Azure layout will contain one vNet which has a direct connection to our onprem network and is located in the Azure East US region. I also have a V2 storage account in the same region as well. We have a test / DR vNet which is in the Azure West US region. We intend to have our backup solution copy on-disk data to the Azure storage account nightly. In the event of a DR situation / test we would fail over to our DR VM instances in West US, but these VMs need access to the Azure storage account in the East US region. I need to lock down the storage account so it is not publicly accessible. When you restrict access by vNet, the vNet needs to be in the same region as the Storage Account. You can add IP ranges, which would work for our onprem setup, but the source IP from our VMs can be all over the place. Is there a better way to do this?
    Thursday, July 4, 2019 6:29 PM

Answers

  • Correct, when using Azure Gov Cloud all the data remains in the US.

    Kindly let us know if the above helps or you need further assistance on this issue. 
    ------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" and Up-vote on the post that helps you, this can be beneficial to other community members.

    Wednesday, July 10, 2019 6:52 AM

All replies

  • @compdigit44 Apologies for the delay!

    As I understand it, you need to secure a storage account with a VNET from a different region, am I correct? If not, please correct me.

    We have a new feature in progress which will allow VNETs in another region to access storage accounts through the storage firewall. This will be supported for all storage accounts, lifting the restriction below for RA-GRS instances and paired regions.

    Business continuity and disaster recovery (BCDR): Azure Paired Regions.

    Azure operates in multiple geographies around the world. An Azure geography is a defined area of the world that contains at least one Azure Region. An Azure region is an area within a geography, containing one or more datacenters.

    Each Azure region is paired with another region within the same geography, together making a regional pair.

    Cross-region activities

    Azure Storage - If you're using managed disks, learn about cross-region backups with Azure Backup, and replicating VMs from one region to another with Azure Site Recovery. If you're using storage accounts, then geo-redundant storage (GRS) is configured by default when an Azure Storage account is created. With GRS, your data is automatically replicated three times within the primary region, and three times in the paired region. For more information, see Azure Storage Redundancy Options.

    Resources deployed through some Azure PaaS services (such as Azure Storage and Azure SQL Database), can restrict network access to only resources in a VNet through the use of virtual network service endpoints. For details, see Virtual network service endpoints overview.


    Additional information: If you want to inspect or filter the traffic destined to an Azure service from a virtual network, you can deploy a network virtual appliance within the virtual network. You can then apply service endpoints to the subnet where the network virtual appliance is deployed, and secure Azure service resources only to this subnet. This scenario might be helpful if you wish to restrict Azure service access from your virtual network only to specific Azure resources, using network virtual appliance filtering. 

    Kindly let us know if the above helps or you need further assistance on this issue.

    Monday, July 8, 2019 4:30 AM
  • Thank you for your reply. I understand the concept about paired regions, where West US 2 is paired with West Central US etc. This is great, but it still does not allow me to grant a vNet from another region access to a Storage Account in a separate region, but it sounds like this is in the works. With Gov Cloud, my understanding is that Geo-Replication only replicates data within the US, correct? Also, is the following assumption correct? In the Storage Account firewall, you can set it to restrict access to select networks. In the blade that opens, if you do not select a vNet, all VMs regardless of region will still be able to access the storage account, since it will go over the Azure backbone, which cannot be blocked. Is this correct? If so, what is preventing other users in Azure from trying to access our storage account?
    Monday, July 8, 2019 10:37 AM
  • Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.

    If your storage account has GRS enabled, then your data is durable even in the case of a complete regional outage or a disaster in which the primary region isn't recoverable.

    Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there is a regional outage.

    An application that accesses a storage account when network rules are in effect requires proper authorization on the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.

    Configure storage accounts to deny access to traffic from all networks (including internet traffic) by default. Then grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also grant access to public internet IP address ranges, enabling connections from specific internet or on-premises clients.

    Network rules are enforced on all network protocols to Azure storage, including REST and SMB. To access the data with tools like Azure portal, Storage Explorer, and AZCopy, explicit network rules are required.

    The following table provides a quick overview of the scope of durability and availability that each replication strategy will provide you for a given type of event (or event of similar impact).


    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    Tuesday, July 9, 2019 7:33 AM
  • To confirm, when using Geo-replication within the Azure Gov cloud, all data stays within the US correct?
    Tuesday, July 9, 2019 10:58 AM