Description

Using Private Endpoints for accessing Azure Storage Accounts ensures that all communication to and from the storage account occurs over a private IP address within a Virtual Network (VNet), rather than the public internet. This configuration prevents unauthorized access from the public network and helps meet stricter security and compliance requirements by limiting exposure to external threats.

Rationale

By enforcing the use of Private Endpoints, organizations can ensure that all traffic to storage accounts is isolated within their internal network and is not exposed to the public internet. This is crucial for maintaining a strong security posture and protecting sensitive data from external threats, such as data interception or unauthorized access. It also helps meet regulatory requirements like SOC 2, HIPAA, and GDPR, which mandate strong security controls for accessing and storing sensitive data.

Impact

Enforcing the use of Private Endpoints ensures secure, private network access to storage accounts. However, this may require modifications to existing applications or services that are designed to access storage accounts over public networks. It is important to ensure that all services and resources interacting with the storage account are configured to use the Private Endpoint.

Default Value

By default, Azure Storage Accounts are accessible over both public and private networks. Private Endpoints must be explicitly configured and enforced to ensure network isolation.

Pre-requisites:

  • Azure account: Ensure you have appropriate permissions to configure Azure Storage Account settings and Virtual Network (VNet) resources.

  • Azure Storage Account: Ensure the storage account exists and is accessible.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify the storage account and configure private endpoint settings.

  • VNet: Ensure that the required Virtual Network and subnet for the Private Endpoint are available.

Remediation:

Audit:

To check if Private Endpoints are being used for accessing your Azure Storage Accounts:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check Private Endpoint configuration:

    • In the left-hand menu, under Settings, click on Private Endpoint Connections.

    • Verify that the storage account is associated with a Private Endpoint.

    • Ensure that the Private Endpoint is configured within a trusted Virtual Network (VNet) and subnet.
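The portal steps above can be repeated offline against CLI output, which is useful when auditing many storage accounts at once. The following Python script is an added example and is not part of this control's text; it assumes the JSON shape returned by `az storage account list` / `az storage account show` (the ARM storageAccounts schema: `privateEndpointConnections[].privateLinkServiceConnectionState.status`, `privateEndpointConnections[].privateEndpoint.id`, `publicNetworkAccess`, and `networkRuleSet.defaultAction`). Besides requiring an approved Private Endpoint connection, it checks that the endpoint's resource ID belongs to a trusted subscription (a stand-in for the "trusted VNet and subnet" step, since the storage account record only carries the endpoint's resource ID) and that public network access is closed, matching the "prohibiting public access" intent of the policy below. The sample accounts are constructed.

```python
"""Offline audit of Azure Storage Account private endpoint posture.

Added example, not part of the original control. Field names are assumed
from the ARM Microsoft.Storage/storageAccounts schema as emitted by
`az storage account list -o json`.
"""
import json
import re

# Constructed sample output: one compliant account, one left at defaults,
# one with a pending connection from an untrusted subscription.
SAMPLE_ACCOUNTS = json.loads("""
[
  {
    "name": "stprodcompliant",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny"},
    "privateEndpointConnections": [
      {
        "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-net/providers/Microsoft.Network/privateEndpoints/pe-stprod"},
        "privateLinkServiceConnectionState": {"status": "Approved"}
      }
    ]
  },
  {
    "name": "stpublicdefault",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow"},
    "privateEndpointConnections": []
  },
  {
    "name": "stpendingpe",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny"},
    "privateEndpointConnections": [
      {
        "privateEndpoint": {"id": "/subscriptions/99999999-9999-9999-9999-999999999999/resourceGroups/rg-unknown/providers/Microsoft.Network/privateEndpoints/pe-foreign"},
        "privateLinkServiceConnectionState": {"status": "Pending"}
      }
    ]
  }
]
""")

# Resource ID layout of a private endpoint; group 1 is the subscription ID.
PE_ID_RE = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/"
    r"Microsoft\.Network/privateEndpoints/[^/]+$",
    re.IGNORECASE,
)


def evaluate(account, trusted_subscriptions=None):
    """Return {'name', 'compliant', 'findings'} for one storage account dict."""
    findings = []
    name = account.get("name", "<unnamed>")
    connections = account.get("privateEndpointConnections") or []
    approved = [
        c for c in connections
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]

    # The control itself: the account must be reachable through a Private Endpoint.
    if not connections:
        findings.append("no private endpoint connection")
    elif not approved:
        findings.append("private endpoint connection present but none approved")

    # Trusted-network check (assumption: trust is expressed per subscription ID).
    if trusted_subscriptions is not None:
        trusted = {s.lower() for s in trusted_subscriptions}
        for conn in connections:
            pe_id = (conn.get("privateEndpoint") or {}).get("id", "")
            match = PE_ID_RE.match(pe_id)
            if not match or match.group(1).lower() not in trusted:
                findings.append(f"private endpoint outside trusted subscriptions: {pe_id}")

    # Public exposure: absent values are treated as the service defaults (open).
    if str(account.get("publicNetworkAccess") or "Enabled").lower() != "disabled":
        findings.append("publicNetworkAccess is not Disabled")
    default_action = (account.get("networkRuleSet") or {}).get("defaultAction") or "Allow"
    if str(default_action).lower() != "deny":
        findings.append("networkRuleSet.defaultAction is not Deny")

    return {"name": name, "compliant": not findings, "findings": findings}


def audit(accounts, trusted_subscriptions=None):
    """Evaluate a list of storage account dicts (e.g. parsed CLI output)."""
    return [evaluate(a, trusted_subscriptions) for a in accounts]


if __name__ == "__main__":
    trusted = ["11111111-1111-1111-1111-111111111111"]  # constructed subscription ID
    for result in audit(SAMPLE_ACCOUNTS, trusted):
        status = "PASS" if result["compliant"] else "FAIL"
        print(f"{status} {result['name']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

To run it against real data, replace `SAMPLE_ACCOUNTS` with the parsed output of `az storage account list -o json` and pass your own subscription IDs as the trusted set. Treating missing `publicNetworkAccess` and `defaultAction` values as open is deliberate: the Default Value section above notes that accounts are reachable over public networks unless configured otherwise, so an absent field should count as a finding rather than a pass.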

Implementation:

To ensure that Private Endpoints are used to access all Azure Storage Accounts, you can use Azure Policy.

  1. Create a custom Azure Policy to ensure Private Endpoints are used for storage account access:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Private Endpoints are Used to Access Storage Accounts",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that Azure storage accounts use Private Endpoints for network access, prohibiting public access.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "policyRule": {
      "if": {
        "field": "Microsoft.Storage/storageAccounts/privateEndpointConnections[*]",
        "exists": "false"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}


  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that all Azure storage accounts are required to use Private Endpoints for access.

Backout Plan:

To revert the setting (though it is not recommended from a security perspective):

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to Private Endpoint Connections:

    • In the left-hand menu, under Settings, click on Private Endpoint Connections.

  4. Remove Private Endpoint:

    • Disconnect or delete the associated Private Endpoint.

    • If needed, change the network access settings to allow public access.

If the setting was enforced via Azure Policy, modify or remove the policy assignment so that storage accounts without a Private Endpoint are no longer denied.

References: