Hey everyone, I'm looking for some guidance on how to secure an Azure storage account. I need to allow access specifically for a certain Azure service tag since the service that requires access spans across more than 200 subnets. Is using a Network Security Group (NSG) the way to go? Just for context, the service is Dynamics 365 for Finance and Operations, which doesn't qualify as an Azure service, so it needs to have public access.
2 Answers
You might want to consider setting up a private endpoint along with an NSG. Having a private endpoint gives you control over the network ingress to your PaaS resource. By placing it in a subnet, you're able to effectively apply an NSG and use service tags to manage access.
I’m curious though, how can a public service access the NSG and connect to the storage account on that private endpoint? Since it’s an external service, does it complicate things?
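The pattern the answer above describes, as an added Bicep example that is not from the thread or from Microsoft: a storage account with public network access off, reachable only through a private endpoint in a subnet whose NSG admits HTTPS from a single service tag. The resource names and address ranges are assumptions and the service-tag value is a placeholder (the thread does not name a tag for the calling service); as the follow-up comment points out, this only governs traffic that reaches the endpoint from inside the VNet or a network peered or injected into it.

```bicep
param location string = resourceGroup().location
// Placeholder: the thread does not name the caller's service tag; substitute the real one.
param callerServiceTag string = 'REPLACE_WITH_SERVICE_TAG'
var peSubnetPrefix = '10.10.1.0/24' // assumed address range for the private endpoint subnet
// NSG that admits only HTTPS from the caller's tag; the built-in DenyAllInBound rule drops the rest.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-storage-pe'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-caller-https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: callerServiceTag
          sourcePortRange: '*'
          destinationAddressPrefix: peSubnetPrefix
          destinationPortRange: '443'
        }
      }
    ]
  }
}
// Subnet hosting the endpoint; network policies must be enabled or the NSG is ignored for endpoint NICs.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-storage'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ { name: 'snet-pe', properties: { addressPrefix: peSubnetPrefix, networkSecurityGroup: { id: nsg.id }, privateEndpointNetworkPolicies: 'Enabled' } } ]
  }
}
// Public network access disabled, so the private endpoint is the only ingress path.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'st${uniqueString(resourceGroup().id)}'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: { publicNetworkAccess: 'Disabled', allowBlobPublicAccess: false, minimumTlsVersion: 'TLS1_2' }
}
// Private endpoint for the blob service, placed in the NSG-protected subnet.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-storage-blob'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-pe') }
    privateLinkServiceConnections: [ { name: 'blob', properties: { privateLinkServiceId: storage.id, groupIds: [ 'blob' ] } } ]
  }
}
```

A private DNS zone (privatelink.blob.core.windows.net) linked to the VNet is still needed so clients resolve the account name to the endpoint's private IP.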
Most Microsoft products tend to support some form of VNet integration or VNet injection. This could possibly be another route you could explore for securing access.
That’s a straightforward solution! I think if you get that set up, it should work well.