Hey everyone! I'm diving into Azure documentation to figure out what firewall rules are necessary for installing the Azure disk encryption extension, specifically for enabling managed disk encryption with the settings "SSE with PMK and ADE." I'm referencing two pieces of Azure documentation: the overview for disk encryption on Windows VMs and how to access the Azure Key Vault behind a firewall. I'm trying to determine if I'll need a firewall rule to allow my VMs access to the Microsoft.Storage and Microsoft.KeyVault service tags. Ultimately, do I just need outbound access for Azure storage and Key Vault service endpoints while enabling HTTPS and DNS protocols? My VMs are currently configured to point to an NVA with a default route (0.0.0.0/0), which supports service tags.
2 Answers
Private endpoints are definitely a solid solution for this. It gives your Storage Accounts and Key Vaults a private IP, completely blocking internet access, which is often a compliance necessity. Go with the standard option if security is a major concern!
+1 on this! Setting it up was a bit tricky for us too.
Private Endpoints are great, but you could also consider service endpoints. They reroute requests through the Microsoft backbone instead of the internet, giving you some of that 'pseudo-private' experience. Both require a firewall rule if you’re routing everything through a firewall/NVA, though!
Actually, you don't need a firewall rule with service endpoints, even when paired with an NVA and a 0.0.0.0/0 route. I prefer them for ease of use and performance, but keep in mind that security could be a bit more relaxed since you can’t restrict clients as much within the subnet.
Thanks! I'll give that a try. Just to confirm, an x1 Private Endpoint for Key Vault should do the trick, right?
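As an added example that is not from any poster in this thread: an Az PowerShell script that builds the subnet-level rules the original question asks about (outbound HTTPS to the AzureKeyVault and Storage service tags, plus DNS and the guest-agent channel to the Azure platform IP), denies other Internet-bound traffic so the tags are actually the only path out, and enables the Microsoft.KeyVault and Microsoft.Storage service endpoints on the VM subnet. The resource group, VNet, subnet, prefix and region names are assumed placeholders, and the deny rule goes one step beyond the question by turning the allow list into an enforced one.

```powershell
# Added example (not from the thread). Names and prefixes below are assumed placeholders;
# the VNet and subnet are assumed to already exist.
$rg           = "rg-ade-demo"      # assumed resource group
$vnetName     = "vnet-ade-demo"    # assumed virtual network
$subnetName   = "snet-vms"         # assumed subnet hosting the VMs
$subnetPrefix = "10.10.1.0/24"     # assumed subnet address space
$location     = "westeurope"       # assumed region

# Outbound HTTPS to Key Vault, addressed by the AzureKeyVault service tag rather than IPs.
$kvRule = New-AzNetworkSecurityRuleConfig -Name "Allow-KeyVault-HTTPS" `
    -Description "ADE: Key Vault over HTTPS" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix AzureKeyVault -DestinationPortRange 443

# Outbound HTTPS to Azure Storage via the Storage service tag
# (the regional form, e.g. Storage.WestEurope, narrows this further).
$stRule = New-AzNetworkSecurityRuleConfig -Name "Allow-Storage-HTTPS" `
    -Description "ADE: Azure Storage over HTTPS" `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 110 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Storage -DestinationPortRange 443

# Azure platform IP 168.63.129.16: DNS (53) plus the guest agent / extension channel (80, 32526).
# Keep this above the deny rule or name resolution and extension installs break.
$platformRule = New-AzNetworkSecurityRuleConfig -Name "Allow-AzurePlatform" `
    -Description "Azure DNS and VM agent" `
    -Access Allow -Protocol * -Direction Outbound -Priority 120 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix 168.63.129.16 -DestinationPortRange 53,80,32526

# Lowest priority: everything else bound for the Internet tag is dropped.
$denyRule = New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Outbound" `
    -Access Deny -Protocol * -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -Name "nsg-ade-vms" -ResourceGroupName $rg `
    -Location $location -SecurityRules $kvRule, $stRule, $platformRule, $denyRule

# Attach the NSG and turn on the Key Vault and Storage service endpoints for the VM subnet,
# so traffic to those tags stays on the Microsoft backbone.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnetPrefix -NetworkSecurityGroup $nsg `
    -ServiceEndpoint "Microsoft.KeyVault", "Microsoft.Storage" | Out-Null
$vnet | Set-AzVirtualNetwork
```

If the 0.0.0.0/0 route still sends this traffic through the NVA, the NVA needs matching allow entries for the same tags and ports; the NSG rules only decide what leaves the subnet.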