Profile Applicability:
Level 2
Description:
Azure Elastic SAN is a high-performance, scalable storage solution in Azure. By default, public network access is enabled, which may expose resources to the internet. This check ensures public network access is disabled, allowing access only through private networks.
Rationale:
Disabling public network access for Azure Elastic SAN significantly reduces the attack surface by ensuring that the storage is not accessible from public endpoints. This helps:
Prevent unauthorized external access
Enforce traffic only via trusted private networks
Meet compliance and regulatory requirements for secure data access
Impact:
Pros:
Blocks unauthorized public access
Enhances security posture for sensitive storage workloads
Aligns with zero-trust network strategies
Cons:
Requires configuration of private endpoints or virtual networks
May introduce complexity in network routing and access policies
Increases setup time and operational management in multi-tier environments
Default Value:
By default, public network access is enabled at the SAN level, although access to individual volume groups is denied unless explicitly allowed.
Pre-requisites:
Elastic SAN must be deployed in a region that supports private endpoints.
Network configuration should support private access (e.g., VNets, NSGs, route tables).
Azure CLI or PowerShell modules should be updated to the latest version.
Test Plan:
Using Azure Console:
Go to the Azure Portal.
Navigate to Elastic SANs.
Select the Elastic SAN resource.
Under Settings, choose Networking.
Verify that Public network access is set to Disabled.
Using Azure CLI:
Run:
az elastic-san list
For each Elastic SAN, run:
az elastic-san show --resource-group <resource-group> --name <elastic-san>
Ensure the output shows:
"publicNetworkAccess": "Disabled"
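The CLI check above can be run across every Elastic SAN at once. The following is an added example, not part of the original benchmark text: it audits the JSON from az elastic-san list and treats a missing or null value as a failure, since the default is Enabled. The name and resourceGroup fields, the fallback to a nested properties object, and the sample data are assumptions.

```python
import json
import sys

# Constructed sample shaped like `az elastic-san list -o json` output (not real resources).
SAMPLE = """[
  {"name": "san-prod", "resourceGroup": "rg-storage", "publicNetworkAccess": "Disabled"},
  {"name": "san-dev", "resourceGroup": "rg-dev", "publicNetworkAccess": "Enabled"},
  {"name": "san-legacy", "resourceGroup": "rg-old", "publicNetworkAccess": null},
  {"name": "san-nested", "resourceGroup": "rg-api", "properties": {"publicNetworkAccess": "disabled"}}
]"""


def public_access_state(san):
    """Return the publicNetworkAccess value, or None when the field is absent."""
    value = san.get("publicNetworkAccess")
    if value is None:
        # Assumption: raw ARM-style output nests the field under "properties".
        value = (san.get("properties") or {}).get("publicNetworkAccess")
    return value


def audit(sans):
    """Return a finding for every SAN whose state is not Disabled."""
    findings = []
    for san in sans:
        state = public_access_state(san)
        # A missing or null value is a finding: the documented default is Enabled.
        if not isinstance(state, str) or state.strip().lower() != "disabled":
            findings.append({
                "resourceGroup": san.get("resourceGroup"),
                "name": san.get("name"),
                "publicNetworkAccess": state if state is not None else "<not set>",
            })
    return findings


def main(argv):
    # With "-" read piped az output from stdin; otherwise use the constructed sample.
    raw = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE
    findings = audit(json.loads(raw))
    for f in findings:
        print(f"FAIL {f['resourceGroup']}/{f['name']}: "
              f"publicNetworkAccess={f['publicNetworkAccess']}")
    return 1 if findings else 0  # non-zero exit lets a pipeline gate on the result


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved under a hypothetical name such as audit_esan.py, it can be fed live data with: az elastic-san list -o json | python3 audit_esan.py -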
Using PowerShell:
Run:
$elasticsan = Get-AzElasticSan -ResourceGroupName <resource-group> -Name <elastic-san>
Then check:
$elasticsan.PublicNetworkAccess
Ensure the result is Disabled.
Implementation Plan:
Using Azure Console:
Navigate to Elastic SANs.
Select the SAN you want to secure.
Go to Networking under Settings.
Set Public network access to Disabled.
Click Apply to save the changes.
Using Azure CLI:
Run:
az elastic-san update --resource-group <resource-group> --name <elastic-san> --public-network-access Disabled
Using PowerShell:
Run:
Update-AzElasticSan -ResourceGroupName <resource-group> -Name <elastic-san> -PublicNetworkAccess Disabled
Backout Plan:
Using Azure Console:
Go to the Elastic SAN resource in the Azure portal.
Navigate to Networking.
Set Public network access back to Enabled.
Click Apply to save.
Using Azure CLI:
Run:
az elastic-san update --resource-group <resource-group> --name <elastic-san> --public-network-access Enabled
Using PowerShell:
Run:
Update-AzElasticSan -ResourceGroupName <resource-group> -Name <elastic-san> -PublicNetworkAccess Enabled