Hey everyone! I'm looking for some advice on how to secure an Azure storage account. We want to restrict access to it based on a specific Azure service tag. The challenge is that the service needing access spans over 200 different subnets! Is there a straightforward way to manage this? Should I be using a Network Security Group (NSG) for this? Just to clarify, the service in question is D365FO, which isn't an Azure service, so it'll require public access. Any tips would be greatly appreciated!
2 Answers
I recommend setting up a private endpoint along with an NSG. This is key for controlling network ingress to your PaaS resources. Once you have your service in a relevant subnet, you can apply the NSG and utilize service tags for further control. Just keep in mind this adds a layer of complexity since the service isn’t natively within Azure.
Totally agree, but make sure to clarify how the public service will interact with the NSG. It can get tricky since it’s an external service.
Many Microsoft products have some level of VNet integration or support VNet injection, so it's worth exploring those options as well. This might help with your configuration and access control.
That's a solid approach! Just make sure you've correctly set up the private endpoint to avoid any connectivity issues.