Adding storage service endpoints to subnets - any risks?

  • Question

  • Hi All

    We are securing our storage accounts in Azure. The first step is to enable storage service endpoints on the subnets we have defined. 

    Is there any reason not to or risk to enabling storage service endpoints on subnets? My understanding is that the traffic destined for storage will be picked up and directed via the Azure backbone once they are enabled on the subnet. 

    Firewall rules on storage accounts will be set up once the endpoints are in place so that we can select the subnets we want. 

    So step one is just to enable storage service endpoints. It strikes me as a pretty risk-free, transparent change... or am I missing something? Is there something I need to look out for?

    Thanks 

    Jody

    Friday, November 22, 2019 10:02 AM

Answers

  • Hi,

    It depends on what Azure assets/resources you will connect to this storage account.

    For example, if it's used by a VM, I suggest creating a private link instead of enabling storage service endpoints on the subnet:

    https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-storage-portal#access-storage-account-privately-from-the-vm

    NB: The idea behind endpoints on subnet is that traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.

    Private Link is asset-scoped, whereas a service endpoint is Azure backbone-scoped.


    Best Regards, ESSALIFI Mohamed Faiçal [MCT-MCSE]. If your question is answered please mark the response as the answer so that others can benefit.

    Sunday, November 24, 2019 12:27 PM
  • @jmf123 Apologies for the delay in responding here! 

    If you're just talking about Azure and not on-prem too, then yes, enabling service endpoints on subnets will give you improved security and optimal routing. If you're using Azure Data Lake Storage (ADLS) Gen 1, I believe there are some limitations around region. The same applies for Azure SQL Databases, with some exceptions. Also, once you enable service endpoints in your VNet you can add a virtual network rule to secure the resources to all your subnets. But yes, pretty straightforward and risk free; it secures all traffic between your VNet and the storage account over a private link. Azure Storage firewall provides access control for the endpoint of your storage account.

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Monday, November 25, 2019 5:59 AM
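The two-step change discussed in this thread, written out as an added Bicep example (not from the thread or from Microsoft's docs; the resource names, address ranges, API versions and the storage account name are assumptions). Step 1 alone only affects routing; it is the storage firewall in step 2, with `defaultAction: 'Deny'`, that actually restricts access, and the virtual network rule can only reference a subnet that already carries the Microsoft.Storage endpoint.

```bicep
// Added example, not code from the thread. Names and ranges are assumptions.
param location string = resourceGroup().location
param storageAccountName string = 'stexampleplaceholder' // placeholder, must be globally unique

// Step 1: enable the Microsoft.Storage service endpoint on the subnet.
// On its own this only keeps traffic to Azure Storage on the Azure backbone
// and sources it from the VNet; it does not restrict access to any account.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.1.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}

// Step 2: the storage account firewall. With defaultAction 'Deny' only the
// listed subnet (and trusted Azure services via bypass) can reach the account.
// Leaving defaultAction at its default 'Allow' makes the rule below meaningless.
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          // Referencing vnet.name makes Bicep deploy the subnet (and its endpoint) first.
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app')
          action: 'Allow'
        }
      ]
    }
  }
}
```

Deploying step 1 first and step 2 afterwards matches the order in the question; deploying the firewall with `Deny` before every client subnet has its endpoint is what causes the outage the asker is worried about.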
