Description:

This control ensures that Azure Storage Accounts are accessed through Private Endpoints, which provide private IP addresses within a virtual network (VNet). Private Endpoints enable secure, private connectivity between Azure Storage and trusted networks, reducing exposure to the public internet.


Rationale:

  • Enhances security by limiting storage access to private networks

  • Reduces risk of unauthorized access or data interception

  • Supports compliance requirements for network isolation of sensitive data


Impact:

  • Reduces the attack surface of Azure Storage Accounts

  • Improves overall security posture and data confidentiality


Default Value:

  • By default, Azure Storage Accounts allow public network access and do not require Private Endpoints.


Pre-requirements:

  • An existing Azure Storage Account

  • Permissions: Owner, Contributor, or Storage Account Contributor

  • Network permissions to create resources in the target VNet


Test Plan:

  1. Sign in to the Microsoft Azure Portal: https://portal.azure.com

  2. Navigate to Storage Accounts

  3. Select the target storage account

  4. Under Security + networking, select Networking

  5. Verify that at least one Private Endpoint is configured for the storage account

  6. If no Private Endpoint is configured, follow the implementation steps.
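The Test Plan check in script form, added here as an example that is not part of this control's own text: a Python helper that reads the JSON printed by `az storage account show` and reports whether the account has at least one approved Private Endpoint. It goes one step further than the Test Plan by also flagging the default public network access setting; the field names are assumed to match the CLI's output, and the two sample accounts are constructed.

```python
"""Audit helper for the Test Plan: does a storage account pass the
'accessed through Private Endpoints' control?

The input dict is the JSON printed by
    az storage account show -n <name> -g <rg> -o json
Field names below are assumed to follow that output; the two accounts in
SAMPLE are constructed for this example, not real accounts."""
import json

APPROVED = "Approved"


def approved_private_endpoints(account: dict) -> list:
    """Resource IDs of private endpoints whose connection to this account is
    Approved. Pending or Rejected connections give no private path, so they
    are not counted."""
    ids = []
    for conn in account.get("privateEndpointConnections") or []:
        state = (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        endpoint_id = (conn.get("privateEndpoint") or {}).get("id")
        if state == APPROVED and endpoint_id:
            ids.append(endpoint_id)
    return ids


def audit(account: dict) -> dict:
    """'passed' requires at least one approved private endpoint (the Test Plan
    check). 'findings' also flags publicNetworkAccess still Enabled (the
    default; null or absent means Enabled), which adding a private endpoint
    does not change on its own."""
    endpoints = approved_private_endpoints(account)
    findings = []
    if not endpoints:
        findings.append("no approved Private Endpoint; follow the Implementation Steps")
    if account.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled; account still reachable from the internet")
    return {"name": account.get("name"), "passed": bool(endpoints),
            "privateEndpoints": endpoints, "findings": findings}


# Constructed sample documents standing in for two `az storage account show` results.
SAMPLE = json.loads("""[
 {"name": "stcompliant", "publicNetworkAccess": "Disabled",
  "privateEndpointConnections": [
   {"privateEndpoint": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/privateEndpoints/pe-blob"},
    "privateLinkServiceConnectionState": {"status": "Approved"}}]},
 {"name": "stdefault", "publicNetworkAccess": "Enabled", "privateEndpointConnections": []}
]""")

if __name__ == "__main__":
    for acct in SAMPLE:
        print(json.dumps(audit(acct), indent=2))
```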

Implementation Steps:

  1. Sign in to the Microsoft Azure Portal: https://portal.azure.com

  2. Navigate to Storage Accounts

  3. Select the target storage account

  4. Under Security + networking, select Networking

  5. Select Private endpoint

  6. Click + Private endpoint

  7. Select the appropriate Resource Group, Virtual Network, and Subnet

  8. Select the required storage service (for example, Blob)

  9. Review the configuration and click Create


Backout Plan:

  1. Sign in to the Microsoft Azure Portal

  2. Navigate to Storage Accounts

  3. Select the target storage account

  4. Under Security + networking, select Networking

  5. Select Private endpoint connections

  6. Identify the configured Private Endpoint

  7. Delete the Private Endpoint

  8. Confirm changes are saved

Reference: