I could still connect to the storage account from outside the Vnet even after enabling the private endpoint. I could no longer connect to the Vnet after selecting the firewall rule "Selected networks" (as it is supposed to be) and saving it without any whitelisting whatsoever.
My question is: are we supposed to enable the firewall on a storage account to make it private after configuring private endpoints?
@geoano Azure Private Link allows you to access resources via a DIP in your VNET. VNETS that do not have outbound internet connectivity will still be able to access the resource.
If you would like to make the storage account private and accessible only from your virtual networks, then you can enable the storage account firewall. This is not a required configuration and you can set it as needed for your environment.
Please let me know if you need any additional clarification.
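As an added example (not part of the original thread, and not Microsoft's code), the check below classifies storage accounts by whether the public endpoint is still open alongside a private endpoint, which is the situation described in the question. It assumes JSON shaped like `az storage account show` output, that "Selected networks" corresponds to `defaultAction` of `Deny`, and uses constructed sample accounts.

```python
# Added example: audit storage account network settings for public exposure.
# Field names (networkRuleSet, defaultAction, ipRules, virtualNetworkRules,
# privateEndpointConnections, publicNetworkAccess) are assumed to match the
# JSON printed by `az storage account show`. Sample data is constructed.

SAMPLE_ACCOUNTS = [
    {"name": "pe-only", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [],
                        "virtualNetworkRules": []},
     "privateEndpointConnections": [{"name": "pe1"}]},
    {"name": "pe-firewalled", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny", "ipRules": [],
                        "virtualNetworkRules": []},
     "privateEndpointConnections": [{"name": "pe1"}]},
    {"name": "pe-ip-allowed", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny",
                        "ipRules": [{"ipAddressOrRange": "203.0.113.10",
                                     "action": "Allow"}],
                        "virtualNetworkRules": []},
     "privateEndpointConnections": [{"name": "pe1"}]},
]


def classify(account):
    """Return a short label describing how the public endpoint is exposed."""
    rules = account.get("networkRuleSet") or {}
    has_pe = bool(account.get("privateEndpointConnections"))
    if account.get("publicNetworkAccess") == "Disabled":
        return "public-endpoint-disabled"
    # Missing defaultAction is treated as Allow (all networks).
    if rules.get("defaultAction", "Allow") == "Allow":
        # The private endpoint adds a path; it does not close the public one.
        return "open-despite-private-endpoint" if has_pe else "open"
    exceptions = (rules.get("ipRules") or []) + \
                 (rules.get("virtualNetworkRules") or [])
    return "firewalled-with-exceptions" if exceptions else "firewalled"


def audit(accounts):
    """Map each account name to its exposure label."""
    return {a["name"]: classify(a) for a in accounts}


if __name__ == "__main__":
    for name, label in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {label}")
```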
@geoano, do you have any update on this issue?
@geoano We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
@geoano I too am having this problem. I have "Selected Networks" chosen and have the subnet containing the Private Endpoint added to the list. I see that I can add my public IP to the whitelist of the firewall, but that would only allow traffic coming from my IP over the Internet, which is not what I'm trying to accomplish. How should the firewall on the storage account be configured to allow traffic from on-prem (via ExpressRoute) to the storage account without going over the Internet?