Create Microsoft Service for firewall enabled boot diagnostic storage account
We want to use a firewall enabled storage account for our boot diagnostics, because the logs / screenshots are reachable from the internet as per default.
Could you please create microsoft service or a workaround for that?
Because we receive the following error message if we want to reach the serial console of a VM.
"A "Forbidden" response was encountered when accessing this VM's boot diagnostic storage account."
reference link for the error:
To disable firewall of a storage account for Azure VM boot diagnostics is not secure! A better solution is needed by Microsoft.
Agree with others....c'mon Microsoft, it seems every security feature is half-baked. Give this some priority and get it done.
John Crim commented
I agree - it's a ridiculous, insecure, and poorly documented requirement that boot diagnostics, and the serial console, won't work if the boot diagnostics storage account has the firewall enabled, and network access limited to the vnet the servers are on. The implication is that network security can't be used to protect access to boot diagnostics.
I do not understand why this is not yet implemented. Firewall on the account is absolutely senseless if you cannot access console. Btw. I also notice the same problem exists for Azure Functions which cannot access protected storage accounts and Azure Logic Apps even that are all Azure internal services. So I did not find any possibility to automate the removal of old files.
S Böhme commented
Similar to example storage account exceptions:
"allow trusted microsoft services to access this storage account"