Last week we announced general availability for Virtual Network (VNet) Service Endpoints and Firewalls for Azure Storage in all Azure public cloud and Azure Government regions. The announcement can be seen here: Virtual Network Service Endpoints and Firewalls for Azure Storage now generally available
Azure Storage Firewalls and Virtual Networks use Virtual Network Service Endpoints to let administrators create network rules that allow traffic only from selected VNets and subnets, creating a secure network boundary around their data. This improves both security and performance by extending your VNet's private IP space and identity directly to Azure Storage; the traffic never leaves the Azure Government data center infrastructure. Customers can therefore restrict critical storage resources to only their virtual networks, gaining private connectivity to those resources and removing the dependency on Internet-facing public IP addresses. Azure Government ExpressRoute customers who are required to route VNet traffic back on-premises before accessing public-facing services can also expect performance improvements when accessing Azure Storage: virtual machines in private VNets can now reach storage resources directly, without hairpinning traffic on-premises to Public/Microsoft peering or to the Internet.
Supporting defense-in-depth design practices, Firewalls and Virtual Network Service Endpoints for Azure Storage add network-based access control to Azure Storage. Customers define rules based on where a request comes from, so that only requests originating from specified Azure VNet subnets (identified through their service endpoint) or from specified public IP addresses or ranges can reach a given storage account; everything else is rejected at the network layer before any credential is evaluated. Network rules do not replace authentication and authorization: a request from an allowed network still has to present valid credentials. Combined with those existing mechanisms, the new network-based feature gives Azure Government customers a defense-in-depth approach to securing their critical data.
To get started, refer to the documentation Virtual Network Service Endpoints and Configure Azure Storage Firewalls and Virtual Networks.
To allow access from on-premises networks and support for various Azure services to your secured storage accounts, refer to our documentation.
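The following script is an added example, not code from the original announcement or from the Microsoft documentation it links to. It walks through the configuration described above: enabling the storage service endpoint on a subnet, allowing that subnet plus an on-premises public IP range, switching the account's default action to Deny, and verifying the result. It assumes the Az PowerShell module and hypothetical resource names (resource group `rg-gov-storage`, VNet `vnet-app`, subnet `snet-app`, storage account `stgovdata01`) and uses the documentation range 203.0.113.0/24 as a placeholder for the on-premises egress address.

```powershell
# Added example; assumes the Az module. Resource names below are hypothetical.
$rg         = "rg-gov-storage"
$vnetName   = "vnet-app"
$subnetName = "snet-app"
$prefix     = "10.1.1.0/24"
$account    = "stgovdata01"
$onPremCidr = "203.0.113.0/24"   # placeholder; IP rules accept only public IPv4 ranges, not RFC 1918 space

# 1. Sign in to the Azure Government cloud rather than the public cloud.
Connect-AzAccount -Environment AzureUSGovernment

# 2. Enable the Microsoft.Storage service endpoint on the subnet. Requests from this
#    subnet now travel over the Azure backbone and carry the subnet identity that the
#    storage firewall matches on. Set-AzVirtualNetworkSubnetConfig requires the prefix.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
    Set-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $prefix `
        -ServiceEndpoint "Microsoft.Storage" |
    Set-AzVirtualNetwork
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName).Id

# 3. Add the allow rules BEFORE switching the default action to Deny. Denying first on
#    an account already in use cuts off every client, including the operator running
#    this script, until the rules land.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnetId
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange $onPremCidr

# 4. Deny everything not explicitly allowed. -Bypass AzureServices keeps trusted
#    Microsoft services working; -Bypass None is the tightest boundary.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices

# 5. Read back the effective rule set and fail loudly if the account is still open.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$rules | Select-Object DefaultAction, Bypass
$rules.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, Action
$rules.IpRules             | Format-Table IPAddressOrRange, Action

if ($rules.DefaultAction -ne "Deny") {
    throw "Storage account $account still allows access from all networks"
}
```

Two points worth remembering when running this: the rules govern data-plane requests (blob, file, queue and table traffic), so a client on an unlisted network is refused even with a valid key or SAS token, and the VNet rule only takes effect for a subnet on which the Microsoft.Storage service endpoint has been enabled, so removing the endpoint from the subnet later silently removes that subnet's access.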
For feature details and scenarios please watch the Microsoft Ignite session, “Network security for applications in Azure”.