Profile Applicability:
- Level 2
Description:
This setting allows trusted Azure services (such as Azure Backup, Azure Site Recovery, and Azure DevOps) to bypass storage account firewall restrictions and access the storage account securely. Enabling this setting facilitates seamless integration and operation of Azure services while maintaining network security controls.
Rationale:
Allowing trusted Azure services access ensures that critical Azure platform services can interact with the storage account without exposing it to the public internet. This supports secure, managed access essential for backup, monitoring, and automation workflows.
Impact:
Pros:
Enables smooth operation of key Azure services with storage accounts.
Maintains firewall restrictions while permitting trusted service access.
Enhances integration and automation capabilities.
Cons:
Slightly broadens the access scope, but only to Microsoft's trusted services.
Requires ongoing trust in Azure service security posture.
Default Value:
This setting is often disabled by default and should be enabled in accordance with security policy.
Pre-requisites:
Azure subscription with permissions to modify storage account firewall settings.
Awareness of Azure trusted services list.
Remediation:
Test Plan:
Using Azure Portal:
Log in to https://portal.azure.com.
Navigate to Storage Accounts and select the target account.
Go to Networking > Firewalls and virtual networks.
Verify that the option "Allow Azure services on the trusted services list to access this storage account" is enabled.
Using Azure CLI:
Check the setting:
az storage account show --name <storage-account-name> --resource-group <resource-group> --query networkRuleSet.bypass --output tsv
Confirm that the returned bypass value includes AzureServices.
Implementation Plan:
Using Azure Portal:
In the storage account Networking settings, enable "Allow Azure services on the trusted services list to access this storage account".
Save changes and validate service connectivity.
Using Azure CLI:
Enable trusted services bypass:
az storage account update --name <storage-account-name> --resource-group <resource-group> --bypass AzureServices
Confirm the update by re-running the show command from the Test Plan.
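To apply the Test Plan check and the Implementation Plan command across every storage account in a subscription at once, here is an added audit script (not part of the benchmark text). It reads the JSON that az storage account list -o json prints; the account names, resource group and rule sets in SAMPLE_AZ_OUTPUT are constructed values, and the audit.py file name is assumed. It also flags accounts whose firewall defaultAction is Allow, where the bypass list has no effect because nothing is being restricted.

```python
import json
import sys

# Constructed sample: same shape as az CLI output, values are made up.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stgcompliant", "resourceGroup": "rg-example",
     "networkRuleSet": {"defaultAction": "Deny",
                        "bypass": "AzureServices, Logging, Metrics"}},
    {"name": "stglocked", "resourceGroup": "rg-example",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "None"}},
    {"name": "stgopen", "resourceGroup": "rg-example",
     "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"}},
])


def bypass_includes_azure_services(bypass: str) -> bool:
    """bypass is a comma-separated string, e.g. 'AzureServices, Logging'."""
    return "AzureServices" in {part.strip() for part in bypass.split(",")}


def assess(account: dict) -> str:
    """Return PASS, FAIL or NOT_RESTRICTED for one account record."""
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        # With defaultAction Allow the firewall restricts nothing, so the
        # bypass list is moot; report it separately so it gets reviewed.
        return "NOT_RESTRICTED"
    if bypass_includes_azure_services(rules.get("bypass") or ""):
        return "PASS"
    return "FAIL"


def remediation_command(account: dict) -> str:
    return (f"az storage account update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} --bypass AzureServices")


def audit(az_json: str) -> dict:
    """Map account name -> status for every account in the list output."""
    return {acct["name"]: assess(acct) for acct in json.loads(az_json)}


if __name__ == "__main__":
    # Pipe real output in (az storage account list -o json | python audit.py); no input uses the sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for acct in json.loads(raw or SAMPLE_AZ_OUTPUT):
        status = assess(acct)
        print(f"{acct['name']}: {status}")
        if status == "FAIL":
            print("  remediate with:", remediation_command(acct))
```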
Backout Plan:
Using Azure Portal:
Disable the trusted services bypass if required.
Notify stakeholders of changes.
Using Azure CLI:
Remove trusted services bypass:
az storage account update --name <storage-account-name> --resource-group <resource-group> --bypass None
References: