How can we improve Azure Storage?

Whitelist all Microsoft services in Storage account Firewall

Whitelist all Microsoft services, including Azure Data Factory, when the "Firewall and Virtual Network" option is enabled on the Storage account and the "Allow trusted Microsoft services to access this storage account" option is selected.

A similar option is already available on Azure Data Lake Store, where we can access Data Lake from Data Factory pipelines after the firewall option is enabled.

322 votes
Vivek shared this idea

23 comments

  • Sharath commented

    Is there any update yet on this issue? I have my Key Vault behind a Vnet and a runbook to insert some data into KeyVault started failing with Forbidden since Vnet was enabled.

  • joseph commented

    It's been over a year and Microsoft still has not whitelisted certain services. I still cannot keep audit logs from SQL Server behind a firewall. I guess they want me to upgrade.

  • Anonymous commented

    This is a huge issue. It's not possible to whitelist all the datacenter IPs as there is a limit with how many rules you can add. It's ridiculous that not all the Microsoft services are included.

  • A commented

    As another poster says:

    "you get dinged by security advisor for having un-firewalled storage accounts, yet it is impossible to use the storage firewalls with a number of Azure services"

  • George Payne commented

    Argh. You get dinged by security advisor for having un-firewalled storage accounts, yet it is impossible to use the storage firewalls with a number of Azure services (currently, you cannot back up Azure Files to a Vault with the firewall on, and you cannot run a snapshot creator script from a runbook with the firewall on). There is the Hybrid Runbook Worker solution, but spinning up VMs for this is not what we had in mind.

  • simo commented

    We have found the same issue with our storage accounts that interact with Azure Automation Runbooks. After some investigation we found that Azure does not define an IP address range that the runbooks connect from. This article (https://social.msdn.microsoft.com/Forums/azure/en-US/26bd07d4-05bc-446f-a4d5-c185f517d8bb/storage-account-firewall-and-azure-automation?forum=windowsazuredata) suggests that we configure the Storage Account's firewall to include all Azure data center IPs for the region the Automation account exists in. We tried to configure the firewall for North Europe's data center IPs, which exceeded a limit of 100 IP addresses / address ranges allowed on each Storage Account firewall instance. Adequate security can't be applied without having some whitelisting capabilities for MSFT services.
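The rule-limit problem described in the comment above, as an added Python sketch (not part of the original thread and not Microsoft tooling): it collapses a prefix list losslessly, then widens neighbouring ranges until the list fits under the quoted limit of 100, and reports how many addresses the widened rules admit that the intended list did not. The prefixes are constructed sample data, and the greedy widening heuristic and all function names are assumptions of this example.

```python
import ipaddress

MAX_IP_RULES = 100  # per-account rule limit quoted in the comment above

def common_supernet(a, b):
    """Smallest single CIDR block that contains both networks."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def merge_cost(a, b):
    """Addresses admitted by merging a and b that neither rule allowed before."""
    return common_supernet(a, b).num_addresses - a.num_addresses - b.num_addresses

def widen_to_limit(nets, limit=MAX_IP_RULES):
    """Greedily merge the cheapest neighbouring pair until the list fits (heuristic)."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = sorted(ipaddress.collapse_addresses(nets))
    while len(nets) > limit:
        i = min(range(len(nets) - 1), key=lambda k: merge_cost(nets[k], nets[k + 1]))
        merged = common_supernet(nets[i], nets[i + 1])
        # Re-collapse: the new block may swallow or pair up with its neighbours.
        nets = sorted(ipaddress.collapse_addresses(nets[:i] + [merged] + nets[i + 2:]))
    return nets

def plan_rules(prefixes, limit=MAX_IP_RULES):
    """Report rule counts before/after widening and the over-permissioning cost."""
    wanted = [ipaddress.ip_network(p) for p in prefixes]
    exact = list(ipaddress.collapse_addresses(wanted))
    widened = widen_to_limit(exact, limit)
    size = lambda ns: sum(n.num_addresses for n in ns)
    return {
        "input_rules": len(wanted),
        "lossless_rules": len(exact),
        "fits_without_widening": len(exact) <= limit,
        "widened_rules": len(widened),
        "extra_addresses_allowed": size(widened) - size(exact),
        "rules": [str(n) for n in widened],
    }

# Constructed sample, not real Azure ranges: 120 non-adjacent /24s plus two adjacent /25s.
SAMPLE = [f"198.18.{2 * i}.0/24" for i in range(120)] + ["198.19.0.0/25", "198.19.0.128/25"]

if __name__ == "__main__":
    report = plan_rules(SAMPLE)
    print({k: v for k, v in report.items() if k != "rules"})
```

A non-zero `extra_addresses_allowed` is the price of squeezing under the limit: every one of those addresses is outside the intended allow-list but passes the firewall.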

  • Mark Waksman commented

    I would like to enable Azure SQL Database Auditing and target a storage account with firewall enabled. I feel uneasy writing SQL audit logs to a storage account without proper firewall controls in place, regardless of how well its access keys are guarded.

    Any updates? Thanks.

  • james commented

    Are there any updates on this? After we enabled the FW & Vnet on our SA, we could not even deploy from our Azure DevOps pipelines, and were unable to connect Azure SQL DB Auditing and Azure Storage Explorer!

  • Filipe Ines commented

    We need to enable SQL Server auditing to access the Blob storage account with "firewall and virtual network" enabled, but it's not possible; this message pops up: "Please choose a storage account without any firewall rules or virtual network configurations."

  • Alek J commented

    Any update on this fix? It's been open for about a year now, and is a bug by any definition -- not a new feature request. These aren't preview features we're talking about, but production services which don't work as advertised.

  • Anonymous commented

    We need to add SQL DB auditing to access the Blob storage account when the "Allow trusted Microsoft services to access this storage account" option is selected.

  • Blaine commented

    In my particular case, I'd like to have my Azure Automation Runbooks be able to access an Azure storage account that is firewalled.
