This blog post was co-authored by Anitha Adusumilli, Principal Program Manager, Azure Networking.
Today we are announcing the general availability of Firewalls and Virtual Networks (VNets) for Azure Storage along with Virtual Network Service Endpoints. Azure Storage Firewalls and Virtual Networks use Virtual Network Service Endpoints to let administrators create network rules that allow traffic only from selected VNets and subnets, creating a secure network boundary for their data. These features are now available in all Azure public cloud regions and Azure Government. With general availability, the feature is now backed by the standard SLAs. There is no additional billing for virtual network access through service endpoints; the current pricing model for Azure Storage applies as is today.
Customers often prefer multiple layers of security to help protect their data. This includes network-based access control protections as well as authentication- and authorization-based protections. As part of the general availability of Firewalls and Virtual Networks for Storage and VNet Service Endpoints, we enable network-based access control. These network-focused features let customers define network access-based security, ensuring that only requests coming from approved Azure VNets or specified public IP ranges are allowed to reach a specific storage account. Customers can combine existing authorization mechanisms with the new network boundaries to better secure their data.
To enable VNet protection, first enable service endpoints for storage in the VNet. Virtual Network Service Endpoints allow you to restrict access to your critical Azure service resources to only your virtual networks. Service endpoints also provide optimal routing for Azure traffic over the Azure backbone in scenarios where Internet-bound traffic is routed through virtual appliances or on-premises.
On the storage account, you can then allow access from one or more VNets. You can also allow access from one or more public IP ranges. A detailed explanation of how to enable the network functionality can be found at Configure Azure Storage Firewalls and Virtual Networks.
To get started, refer to the documentation Virtual Network Service Endpoints and Configure Azure Storage Firewalls and Virtual Networks.
To allow access from on-premises networks and from various Azure services to your secured storage accounts, refer to our documentation.
For feature details and scenarios please watch the Microsoft Ignite session, “Network security for applications in Azure”.