Hi there
Did you know that Storage accounts on Azure come with the firewall disabled by default, allowing external access (any → storageaccountname)? Before you ask me: that doesn’t happen with AWS.
What about fixing 100 storage accounts by hand? PowerShell can assist you with that.
If you’re running Azure Storage accounts on Production, UAT or DEV keep an eye on it.
Go to your Azure Portal.
Search for Storage accounts under Home \ All services if it’s not pinned already.
Go to each storage account and click on Firewalls and virtual networks under Settings.
You should see “Allow access from” set to All networks (the default option).
Fixing manually
Change it to Selected networks.
Explore the following options:
+ Add existing virtual network
  - select from the list all VNETs that you need to associate with this storage account, allowing access to it
+ Add new virtual network
  - add / create a new VNET that you’ll associate with this storage account, allowing access to it
Firewall
  - Add IP ranges to allow access from the internet or your on-premises networks (if you need to lock this down to a single Internet IP address, your home IP address for example). TIP: it always detects your current internet IP address; check yours at IPChicken.
Fixing using powershell
Coming soon.
I’m still working on a script to do this by subscription, resource group and the associated VNETs. Once deployed, a client’s production, UAT or DEV environments will have a lot of complexity around naming conventions for Azure resources, including those required for this task: VNET, subnet and storage account names.
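As an added example (not the script the post promises), here is how the audit-then-fix could look with the Az PowerShell module: it lists every storage account in the current subscription whose network rule set still has DefaultAction = Allow, and only with -Fix adds your allow-list and flips the default to Deny. The cmdlets are standard Az.Storage cmdlets; the subnet ids and IP ranges are placeholders you supply.

```powershell
# Added example, not the post's own script. Requires the Az module
# (Install-Module Az; Connect-AzAccount; Select-AzSubscription) and
# Contributor rights on the storage accounts when -Fix is used.
param(
    # Subnet resource ids to allow (placeholders). Each subnet must have the
    # Microsoft.Storage service endpoint enabled or the rule is rejected.
    [string[]]$AllowedSubnetIds = @(),
    # Public IPv4 addresses or CIDR ranges to allow, e.g. an office egress IP.
    [string[]]$AllowedIpRanges = @(),
    # Report only unless -Fix is given.
    [switch]$Fix
)

# Pass 1: audit. Collect every account that still allows all networks.
$open = @()
foreach ($sa in Get-AzStorageAccount) {
    $rules = Get-AzStorageAccountNetworkRuleSet `
        -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName
    if ($rules.DefaultAction -eq 'Allow') {
        $open += [pscustomobject]@{
            ResourceGroup = $sa.ResourceGroupName
            Name          = $sa.StorageAccountName
            DefaultAction = $rules.DefaultAction
            IpRules       = $rules.IpRules.Count
            VnetRules     = $rules.VirtualNetworkRules.Count
        }
    }
}

if (-not $open) { Write-Host 'No storage account allows all networks.'; return }
$open | Format-Table -AutoSize
if (-not $Fix) { Write-Host 'Re-run with -Fix to set DefaultAction to Deny.'; return }

# Pass 2: fix. Add the allow-list first so nothing you depend on is cut off
# at the moment the default flips to Deny.
foreach ($acct in $open) {
    foreach ($id in $AllowedSubnetIds) {
        Add-AzStorageAccountNetworkRule -ResourceGroupName $acct.ResourceGroup `
            -Name $acct.Name -VirtualNetworkResourceId $id | Out-Null
    }
    foreach ($ip in $AllowedIpRanges) {
        Add-AzStorageAccountNetworkRule -ResourceGroupName $acct.ResourceGroup `
            -Name $acct.Name -IPAddressOrRange $ip | Out-Null
    }
    # Deny everything else; keep the trusted Azure services bypass so
    # platform features (backup, metrics, logging) keep working.
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $acct.ResourceGroup `
        -Name $acct.Name -DefaultAction Deny -Bypass AzureServices | Out-Null
    Write-Host "Locked down $($acct.Name) in $($acct.ResourceGroup)"
}
```

Run it once without -Fix to get the list, then with -Fix and your allow-list; note that after the change the portal itself can only browse blobs from an allowed IP or subnet.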
Checking using AZ CLI
Reference
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#grant-access-from-an-internet-ip-range
Thanks,