Add Client Address Pool to Storage Account

  • Question

  • Hello,

    I'd like to have a storage account only accessible from within the virtual network, and use a point-to-site VPN to connect a client to the storage account via the Storage Explorer. Is this possible?

    I've followed the instructions to the letter, and it seems that the client address pool cannot be part of the virtual network. Because the pool cannot be part of the virtual network, you cannot restrict the storage account to Selected networks? 

    It also clearly says you cannot add private network blocks to the firewall rules.

    I'm certain I'm not the first to come across this, how have other people solved this? Thanks!


    Joe

    Monday, April 30, 2018 3:09 PM

Answers

  • Service Endpoints restrict access to a vnet. You will not be able to access the storage endpoint over the P2S connection as we only advertise the vnet address space and not the storage routes to the vpn client. However, we are considering adding this functionality in the future.

    Tuesday, May 1, 2018 8:05 PM
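
The constraints raised in this thread, as an added example (not part of any post and not Azure tooling): a Python pre-check of a planned setup that flags a client address pool overlapping the virtual network, a pool not covered by any service-endpoint subnet, and private blocks proposed as storage firewall IP rules. All addresses and finding names are constructed, and "private network blocks" is taken to mean the RFC 1918 ranges, which is an assumption.

```python
import ipaddress

# Assumption: "private network blocks" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_block(cidr):
    """True if the address or CIDR lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def review_plan(vnet_prefixes, endpoint_subnets, p2s_pool, ip_rules):
    """Return (finding, value) tuples for a planned P2S + storage firewall setup.

    vnet_prefixes    -- address space of the virtual network
    endpoint_subnets -- subnets with the Microsoft.Storage service endpoint
                        that are allowed on the storage account
    p2s_pool         -- point-to-site client address pool
    ip_rules         -- IP rules proposed for the storage firewall
    """
    findings = []
    pool = ipaddress.ip_network(p2s_pool)

    # The client address pool cannot be part of the virtual network.
    for prefix in vnet_prefixes:
        if pool.overlaps(ipaddress.ip_network(prefix)):
            findings.append(("pool-overlaps-vnet", prefix))

    # A virtual network rule only admits traffic sourced from its subnets,
    # so a pool outside every such subnet is not covered by it.
    subnets = [ipaddress.ip_network(s) for s in endpoint_subnets]
    if not any(pool.subnet_of(s) for s in subnets):
        findings.append(("pool-not-covered-by-vnet-rule", p2s_pool))

    # Private blocks cannot be added as firewall IP rules.
    for rule in ip_rules:
        if is_private_block(rule):
            findings.append(("private-ip-rule-rejected", rule))
    return findings


if __name__ == "__main__":
    # Constructed plan resembling the one in the question.
    for finding in review_plan(["10.1.0.0/16"], ["10.1.0.0/24"],
                               "172.16.201.0/24", ["172.16.201.0/24"]):
        print(finding)
```
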

All replies

  • You need to enable the Microsoft Azure storage service endpoint on the existing virtual network where you deployed your virtual network gateway. Service endpoints provide a direct connection from a network to an Azure service like storage for securing the data.

    For more information, I suggest you refer to the documentation on Configure Azure Storage Firewalls and Virtual Networks. I also suggest you check the link for Restrict network access to PaaS resources with virtual network service endpoints. See if this helps.


    • Proposed as answer by YASWANTH MADI Monday, April 30, 2018 7:11 PM
    • Unproposed as answer by Joe Crockett Monday, April 30, 2018 8:14 PM
    Monday, April 30, 2018 7:11 PM
  • Hi Yaswanth, thanks! I appreciate your help.

    I have confirmed that my virtual network is configured to use the Microsoft.Storage service endpoint.

    I'm not looking to connect a VM client to the Storage account (which is both of your examples) --- I'm looking to connect via a VPN client from an Azure Virtual network gateway.


    Joe

    Monday, April 30, 2018 8:17 PM
  • It occurs to me, I could more clearly state my question this way:

    How to add the Microsoft.Storage service endpoint to my Virtual network gateway's client address pool?


    Joe

    Monday, April 30, 2018 8:20 PM
  • Thank you, all: Yaswanth, Ali, and Travis.

    Joe

    Wednesday, May 2, 2018 9:30 PM
  • You are welcome.
    Thursday, May 3, 2018 12:02 PM