Profile Applicability:

  • Level 2

Description:
 Private Endpoints provide secure, private connectivity from a virtual network to Azure Storage Accounts by mapping a private IP address to the storage resource. Using Private Endpoints eliminates exposure to the public internet, ensuring all traffic remains within the trusted virtual network.

Rationale:
 Accessing Storage Accounts through Private Endpoints enhances security by restricting access to private networks only. It reduces the attack surface by preventing public internet access and supports compliance with network segmentation and data protection policies.

Impact:

Pros:

  • Eliminates exposure of storage accounts to the public internet.

  • Enables granular network security controls and monitoring.

  • Supports regulatory compliance for private data access.

Cons:

  • Requires DNS configuration to resolve private IP addresses.

  • May introduce complexity in network setup and maintenance.

Default Value:
 By default, Storage Accounts allow public network access until Private Endpoints are configured.

Pre-requisites:

  • Azure Virtual Network and subnet configured for Private Endpoints.

  • Permissions to create and manage Private Endpoints and DNS settings.

Remediation:

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to the Storage Account.

  3. Under Networking or Private endpoint connections, verify that at least one Private Endpoint is configured.

  4. Confirm that public network access is disabled or restricted as per policy.

Using Azure CLI:

  1. List Private Endpoints associated with the storage account:

    az network private-endpoint list --resource-group <resource-group> --query "[?contains(customDnsConfigs[].fqdn, '<storage-account-name>.blob.core.windows.net')]"

  2. Verify presence of Private Endpoints and their connection status.
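The Azure CLI steps above leave the practitioner reading JSON by eye. The following script is an added example (not part of the benchmark text) that evaluates the output of `az storage account show --name <storage-account-name> --resource-group <resource-group> -o json` against this recommendation: at least one approved Private Endpoint connection, and public network access either disabled or restricted by a Deny default action. The field names are those the CLI emits for the storage account resource (`privateEndpointConnections`, `privateLinkServiceConnectionState`, `publicNetworkAccess`, `networkRuleSet.defaultAction`); the two sample documents are constructed for illustration, not captured from a real subscription.

```python
"""Audit helper for the Private Endpoint recommendation (added example).

Usage:
    az storage account show --name <storage-account-name> \
        --resource-group <resource-group> -o json | python audit_pe.py
"""
import json
import sys

# Constructed sample: an account with one approved private endpoint and the
# storage firewall default set to Deny. Resource IDs are placeholders.
SAMPLE_COMPLIANT = json.dumps({
    "name": "examplestorage",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [
        {
            "name": "pe-conn-1",
            "privateEndpoint": {
                "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/privateEndpoints/pe-blob"
            },
            "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"},
        }
    ],
})

# Constructed sample: no private endpoint, firewall wide open.
SAMPLE_NONCOMPLIANT = json.dumps({
    "name": "openstorage",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [],
})


def approved_private_endpoints(account: dict) -> list:
    """Return resource IDs of private endpoints whose connection state is Approved.

    Pending or Rejected connections do not carry traffic, so they are not counted.
    """
    ids = []
    for conn in account.get("privateEndpointConnections") or []:
        state = (conn.get("privateLinkServiceConnectionState") or {}).get("status", "")
        endpoint_id = (conn.get("privateEndpoint") or {}).get("id")
        if state.lower() == "approved" and endpoint_id:
            ids.append(endpoint_id)
    return ids


def public_access_restricted(account: dict) -> bool:
    """True when publicNetworkAccess is Disabled, or the firewall default action is Deny."""
    if (account.get("publicNetworkAccess") or "").lower() == "disabled":
        return True
    rules = account.get("networkRuleSet") or {}
    return (rules.get("defaultAction") or "").lower() == "deny"


def evaluate(account_json: str) -> dict:
    """Evaluate one `az storage account show` JSON document and list findings."""
    account = json.loads(account_json)
    endpoints = approved_private_endpoints(account)
    findings = []
    if not endpoints:
        findings.append("no approved Private Endpoint connection")
    if not public_access_restricted(account):
        findings.append("public network access is neither disabled nor restricted (defaultAction Allow)")
    return {
        "account": account.get("name"),
        "compliant": not findings,
        "private_endpoints": endpoints,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(sys.stdin.read()), indent=2))
```

The check treats a Deny default action as "restricted" in line with the remediation command on this page; an account whose `publicNetworkAccess` is `Disabled` passes outright because the firewall rules are then irrelevant.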

Implementation Plan:

Using Azure Portal:

  1. Create a Private Endpoint in the desired virtual network and subnet for the Storage Account.

  2. Configure DNS to resolve storage account names to private IP addresses.

  3. Disable public network access or restrict it to enforce private connectivity.

  4. Test connectivity from virtual network resources.

Using Azure CLI:

  1. Create a Private Endpoint:

    az network private-endpoint create --name <private-endpoint-name> --resource-group <resource-group> --vnet-name <vnet-name> --subnet <subnet-name> --private-connection-resource-id <storage-account-resource-id> --group-ids blob --connection-name <connection-name>

  2. Configure Private DNS Zone and link it to the virtual network.

  3. Disable public network access if required:

    az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Deny
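Step 2 (the Private DNS Zone) and step 4 of the portal plan (testing connectivity) are where deployments most often go wrong: the endpoint exists, but clients in the virtual network still resolve the account's public address because the `privatelink` zone is missing or not linked. The script below is an added example, not part of the benchmark, that resolves the storage account hostname for a given sub-resource and reports whether the answer is an RFC 1918 address. Run from a VM inside the linked virtual network; the resolver is injectable so the logic can also be exercised offline. Zone names follow Azure's documented `privatelink.<service>.core.windows.net` pattern; the account names and addresses used in the offline table are constructed.

```python
"""Post-remediation DNS check for storage Private Endpoints (added example).

Usage on a VM inside the virtual network:
    python check_pe_dns.py <storage-account-name> blob
"""
import ipaddress
import socket
import sys

# Private DNS zone that must exist and be linked to the VNet for each storage
# sub-resource (the --group-ids value used when creating the endpoint).
PRIVATELINK_ZONES = {
    "blob": "privatelink.blob.core.windows.net",
    "file": "privatelink.file.core.windows.net",
    "queue": "privatelink.queue.core.windows.net",
    "table": "privatelink.table.core.windows.net",
    "dfs": "privatelink.dfs.core.windows.net",
}


def storage_hostname(account: str, group_id: str) -> str:
    """Public hostname a client uses; Azure CNAMEs it into the privatelink zone."""
    if group_id not in PRIVATELINK_ZONES:
        raise ValueError(f"unsupported group id {group_id!r}; expected one of {sorted(PRIVATELINK_ZONES)}")
    return f"{account}.{group_id}.core.windows.net"


def make_table_resolver(table: dict):
    """Constructed resolver for offline use: answers from a dict, else NXDOMAIN-like OSError."""
    def resolve(host: str) -> str:
        if host not in table:
            raise OSError(f"constructed resolver: no record for {host}")
        return table[host]
    return resolve


def check_private_resolution(account: str, group_id: str, resolve=socket.gethostbyname) -> dict:
    """Resolve the account hostname and decide whether traffic will stay inside the VNet."""
    host = storage_hostname(account, group_id)
    try:
        addr = resolve(host)
    except OSError as exc:
        return {"host": host, "address": None, "private": False,
                "detail": f"resolution failed: {exc}"}
    ip = ipaddress.ip_address(addr)
    # is_private also covers loopback and link-local, neither of which is a
    # valid private endpoint address, so exclude them explicitly.
    private = ip.is_private and not ip.is_loopback and not ip.is_link_local
    if private:
        detail = f"private address; zone {PRIVATELINK_ZONES[group_id]} is linked and answering"
    else:
        detail = (f"public address; zone {PRIVATELINK_ZONES[group_id]} is missing, "
                  "not linked to this VNet, or this client is outside the VNet")
    return {"host": host, "address": str(ip), "private": private, "detail": detail}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <storage-account-name> <blob|file|queue|table|dfs>")
    result = check_private_resolution(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(0 if result["private"] else 1)
```

A non-zero exit on a public answer makes the script usable as a gate in a deployment pipeline: if the check fails from inside the VNet, the Private DNS Zone link is the first thing to inspect, since disabling public access (step 3) before DNS is correct will cut off the very clients the endpoint was meant to serve.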

Backout Plan:

Using Azure Portal:

  1. Delete the Private Endpoint if necessary.

  2. Re-enable public network access or adjust network rules accordingly.

Using Azure CLI:

  1. Delete the Private Endpoint:

    az network private-endpoint delete --name <private-endpoint-name> --resource-group <resource-group>

  2. Enable public network access if required:

    az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Allow

References: