Hey there! I've got a customer using an Azure VM with a public IP address, and they need to access my storage account, which is also in the same region. I thought I could set up the firewall on the storage account to allow access from selected virtual networks and IP addresses, and I whitelisted their IP. However, I'm starting to think this isn't going to work because of the following limitation: IP network rules don't apply to clients in the same Azure region as the storage account. Instead, it seems I should be using virtual network rules to permit these same-region requests. I really don't want to implement a Service Endpoint between their subnet and my storage account. Are there any other solutions I could explore? Thanks!
3 Answers
You can definitely whitelist the VM's subnet in the storage account firewall, but I remember you expressed wanting to avoid service endpoints. Just a heads up: whitelisting based on IP isn't the most scalable solution. Have you considered how manageable maintaining that setup will be for multiple clients in the future?
You could consider using a private endpoint within their tenant instead of a service endpoint. When you mentioned avoiding service endpoints, I assume you want to keep things simple between you and your customer. But think about it—private endpoints can streamline access without needing a full service endpoint configuration. Why do you hesitate to use them?
Another option is to whitelist the VM’s subnet directly on the storage account firewall using Azure CLI. Even if the admin of the storage account can't see their VM subnet, you can still allow it. Here's a quick idea: check out the documentation on whitelisting VNet subnet IDs. It worked in a similar situation I faced!
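A concrete version of the CLI route from the answer above, added here as an example (not code from the thread). It assumes the customer's subnet has the Microsoft.Storage service endpoint enabled (Azure enforces VNet rules through it), and every subscription, resource group, VNet, subnet and account name is a placeholder:

```shell
#!/usr/bin/env bash
# Added example: allow one customer VM subnet, identified by its full resource ID,
# through a storage account firewall with Azure CLI. All names are placeholders.
set -eu

# Build the subnet resource ID from its parts. The subnet can live in a
# different subscription than the storage account; the network rule only
# needs the ID, so the storage admin does not need read access to the VNet.
subnet_id() {
  sub="$1"; rg="$2"; vnet="$3"; subnet="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$sub" "$rg" "$vnet" "$subnet"
}

# Lock the account to deny-by-default, add the single subnet rule, then print
# the resulting VNet rules so the change can be verified (and audited).
# Assumes `az login` has been done in the storage account's subscription.
allow_customer_subnet() {
  rg="$1"; account="$2"; id="$3"
  az storage account update \
    --resource-group "$rg" --name "$account" \
    --default-action Deny --output none
  az storage account network-rule add \
    --resource-group "$rg" --account-name "$account" \
    --subnet "$id" --output none
  az storage account network-rule list \
    --resource-group "$rg" --account-name "$account" \
    --query "virtualNetworkRules[].virtualNetworkResourceId" --output tsv
}

# Example invocation (placeholders, assumed values):
# allow_customer_subnet myRG mystorageacct \
#   "$(subnet_id 00000000-0000-0000-0000-000000000000 customerRG customerVnet vmSubnet)"
```

Re-run the final `network-rule list` after any change so the allow list stays limited to the subnets you intended.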