Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

James Kindon - 11.09.2020

Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

When working with Azure files, it is important to ensure that traffic destined for your files shares is both secured and routed in an optimal fashion. There are several options for securing and changing network flows for services in Azure, with a focus on Azure files, below is a breakdown of the options and some considerations.

SERVICE ENDPOINTS AND FIREWALLING THE AZURE STORAGE ACCOUNT

By default, an Azure storage account is configured with a “public endpoint” and is open to traffic sourced from anywhere. The storage account is available and accessible over the public internet (this changes slightly within the Azure fabric, but for the purposes of this article, assume it’s the same).

A public endpoint is not necessarily a bad thing depending on your requirements; however, it is important to be aware that unless you lock the account down, it is open by default.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Storage Account Firewall

Storage accounts provide an inbuilt firewall, allowing you to restrict access to specific source IP addresses, and/or Azure virtual networks and subnets.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Allowed Subnets via Firewall

When securing a storage account and restricting to an Azure Virtual network, you will need to be leveraging Service Endpoints on virtual networks (VNets). VNet service endpoints provide secure and direct connectivity to Azure services via the Azure backbone network. Endpoints lockdown critical Azure service resources to only specific virtual networks.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Service Endpoints on the VNET

When enabling Service Endpoints and accessing a Storage Account, traffic to the storage account is switched to use IPv4 rather than public addresses (NAT) as per the below image.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Microsoft Image on Service endpoint IP changes

This is typically perfect for say, FSLogix Containers that are accessed from Azure VM’s only. You can lock down the storage account to allow traffic only from specific subnets on your VNET whilst leveraging an optimal path to the Storage Account over the Azure fabric.

Be aware that when you lock down the storage accounts, you will lose access to view data on the shares from either the Azure Portal, or Azure Storage Explorer unless you allow the public IP you are coming from. Luckily, the Storage Account firewall detects what this is, and offers a nice easy “apply” option. If you have a dynamic IP address, don’t forget to remove your exemption once you have finished your tasks.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Locked out of Azure file shares in the portal

SERVICE ENDPOINT POLICIES

Virtual Network (VNet) service endpoint policies effectively allow you to control specifically which Storage Accounts are accessed over the service endpoint and which are not. This gives much more granular security control for protecting data exfiltration from your virtual network.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Service Endpoint Policy

PRIVATE ENDPOINTS

You may not want any form of public endpoint connexion to Azure Storage accounts, this may be a security mandate, and can be addressed specifically with the use of Azure Private Endpoints.

Azure Private Endpoint is a network interface that connects privately (as in IPv4) to a service backed by Azure Private Link. Private Endpoint uses a private IPv4 address from an existing VNet, effectively bringing the service (in this context, storage account) into the VNet itself. If you have an ExpressRoute or IPSec VPN connexion into Azure, you can also leverage the private endpoint, however DNS is king, and can be a little tricky to get working.

The image below is taken straight from the Microsoft documentation and outlines nicely how the Azure Private Link solution fits together.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Microsoft Image on Private Link

In my demo account below, I have blocked any form of public endpoint connexions to my storage account via the use of the Firewall (note that there is no need for firewall configurations when using private endpoints).

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Azure Storage Account Firewall

I have also configured and connected a private endpoint to my storage account:

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Private Endpoint on the Storage Account

This endpoint is configured with an IPv4 address in one of my existing subnets, which is also routable over my IPSec VPN tunnel:

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Endpoint IPv4 detail

The Private Link Centre shows the connexions are active:

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Azure Private Link Center

When connecting to a private link resource using a fully qualified domain name (FQDN) it is critical to correctly configure DNS settings to resolve to the allocated private IP address. It is well worth reading through the detail from Microsoft.

An Azure Private link DNS zone has been configured to handle Azure DNS (this helps Azure switch the DNS response from the default public IP, back to a private IP owned by the endpoint, based on the source of the request – a private endpoint doesn’t mean you can’t use a public at the same time), to note, my VM’s in Azure leverage my existing Active Directory based DNS servers, so there were a few additional steps to achieve correct DNS lookups. Azure wants you to use a forwarder from a VM in Azure to its hosted DNS servers, however this didn’t suit me, so DNS being DNS, I manipulated it accordingly. Not posting the steps here as I don’t want to push potentially bad practices but can share on request (and you can probably track through in the screenshots anyway).

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Azure Private Link Center

When connecting to a private link resource using a fully qualified domain name (FQDN) it is critical to correctly configure DNS settings to resolve to the allocated private IP address. It is well worth reading through the detail from Microsoft.

An Azure Private link DNS zone has been configured to handle Azure DNS (this helps Azure switch the DNS response from the default public IP, back to a private IP owned by the endpoint, based on the source of the request – a private endpoint doesn’t mean you can’t use a public at the same time), to note, my VM’s in Azure leverage my existing Active Directory based DNS servers, so there were a few additional steps to achieve correct DNS lookups. Azure wants you to use a forwarder from a VM in Azure to its hosted DNS servers, however this didn’t suit me, so DNS being DNS, I manipulated it accordingly. Not posting the steps here as I don’t want to push potentially bad practices but can share on request (and you can probably track through in the screenshots anyway).

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

DNS Details for the endpoint

When using private endpoints for Azure services, traffic is secured to a specific private link resource. The platform performs an access control to validate network connexions reaching only the specified private link resource.

Below shows my on-premises server, its name resolution when accessing the storage account, and the associated SMB connexion to prove the point – all private.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Private endpoints aren’t always the best solution and need to be thought through. Potentially think about a use case where an isolated DR environment is brought online (via ASR), and accesses in read only mode, existing FSLogix Containers stored in an Azure Storage account. Given that the DR environment is 100% isolated, private endpoints are not suitable, however with Service Endpoints, we can securely provide access across the Azure fabric.

There is a cost associated with each private endpoint, so you will need to factor this into your decision-making process.

SUMMARY

Endpoints are a key component to securing and optimising traffic flow when dealing with Azure Storage Accounts. With the recent GA announcements associated with Azure Files and Active Directory Domain Join capability, Azure Files will become more and more prevalent for EUC based workloads such as FSLogix Containers, Citrix Profile Management and alternate file services, it will be important to ensure that this data is both secure, and accessible in an optimal fashion.

This blog was originally published on jkindon.com on 16/06/20 and reproduced with permission.

THANK YOU FOR YOUR SUBMISSION!

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

The form was submitted successfully.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

Australia | Securing and Optimising Access to Azure Storage Accounts with Azure Endpoints

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.