
Azure Storage Accounts can have their access restricted by IP address or an Azure virtual network (with a Microsoft.Storage service endpoint). When this is done, the storage resource will only accept connections from those designated origins. This covers data operations (read, write, etc.) and control operations (create new container, etc.); I'm calling these the "data" and "management" planes, respectively.

Is it possible to isolate these at a networking level (e.g., with a firewall), or can it only be done at a role level? For example, could I have a VM on the same network that can only do control operations, regardless of the roles of the principal?

Xophmeister

1 Answer


The operations for Azure storage are split as you say, data and management. The data piece goes through the storage APIs, whereas the management goes through the Azure Resource Manager APIs, which are the management APIs used for all services.

Storage accounts have the concept of a firewall, where you can restrict which IPs can access the storage account; this covers the data side of things. If you block someone using this firewall, they will still be able to make management requests to ARM (assuming they have the rights).

Blocking access to ARM for the management side is much harder, and you are better off looking at using permissions for this.

Sam Cogan
  • Thanks :) When running Terraform from my local machine, I was seeing rather that both data *and* management access were blocked when my storage is given network rules (see [here](https://stackoverflow.com/questions/71022815/creating-azure-storage-containers-in-a-storage-account-with-network-rules-with)). I've got around this by building management infrastructure, which is allowed to connect to the storage. What I want to avoid, however, is being able to make data requests from that management infrastructure. (Forgive any lack of understanding on my part! Azure is quite new to me.) – Xophmeister Mar 01 '22 at 16:53
  • Ok this is a bit tricky. The ability to create a container in a storage account is actually a data plane operation (it probably shouldn't be, but it is), so if you need Terraform to create the container, then it will need access through the firewall. If you were just creating the storage account alone, you would not need to grant this level of access. That means that the management infrastructure will have access to the data plane. – Sam Cogan Mar 05 '22 at 18:42
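As an added illustration of the split the answer and comments describe (example configuration written for this page, not Terraform code from either poster), here is a Terraform layout in which the storage firewall gates the data plane and RBAC gates the management plane. Resource names, the address space, the allowed IP address and the two identities are all assumptions; the provider attributes used (`network_rules`, `shared_access_key_enabled`, `service_endpoints`, `azurerm_role_assignment`) are standard azurerm provider settings.

```hcl
# Added example (not from the question or answer): keep the storage
# firewall (data plane) and RBAC (management plane) as two separate controls.
# All names, addresses and identities below are assumptions for illustration.

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.0.0.0/16"]
}

# Subnet for the workload that is allowed to reach the data plane.
# The Microsoft.Storage service endpoint is what lets the storage
# firewall recognise traffic coming from this subnet.
resource "azurerm_subnet" "data" {
  name                 = "snet-data"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "example" {
  name                     = "stexample001" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Without this, any principal that can call listKeys (which
  # Storage Account Contributor can) gets full data-plane access via
  # the account key and the RBAC split below is meaningless.
  shared_access_key_enabled = false

  # Data-plane firewall: only the data subnet and one fixed address
  # (assumed) can reach the blob/queue/table/file endpoints. This block
  # does not restrict ARM (management) calls at all.
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    ip_rules                   = ["203.0.113.10"]
    virtual_network_subnet_ids = [azurerm_subnet.data.id]
  }
}

# Identity for the management pipeline (assumed).
resource "azurerm_user_assigned_identity" "mgmt" {
  name                = "id-storage-mgmt"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Management plane only: can reconfigure the account through ARM, but
# holds no data-plane role, and account keys are disabled above.
resource "azurerm_role_assignment" "mgmt_control_plane" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Account Contributor"
  principal_id         = azurerm_user_assigned_identity.mgmt.principal_id
}

# Identity for the workload that runs inside the data subnet (assumed).
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-storage-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Data plane only: blob read/write, but no right to change the account.
resource "azurerm_role_assignment" "app_data_plane" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
```

Two caveats a practitioner would want. First, as the last comment says, `azurerm_storage_container` is a data-plane call: if the same pipeline must also create containers, the machine running Terraform needs to be in `ip_rules` or an allowed subnet, and with shared keys disabled the provider must be told to authenticate to the blob service with Azure AD (`storage_use_azuread = true` in the provider block) using an identity that also holds a data-plane role, which is exactly the leakage the question wants to avoid. Second, the split above is only as strong as the management role: Storage Account Contributor can itself re-enable shared keys or loosen `network_rules` through ARM, so a management-only principal can still reach the data plane in two steps; treat it as a guard rail, not a hard boundary.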