What Are the Firewall Rules Needed for Azure Disk Encryption?

Asked By CleverCat123 On

Hey everyone! I'm diving into Azure documentation to figure out the necessary firewall rules for installing the Azure disk encryption extension, specifically for enabling the managed disk encryption type 'SSE with PMK and ADE.' I'm looking at the resources on Azure Disk Encryption for Windows VMs and about accessing Azure Key Vault behind a firewall. My main question is whether I need a firewall rule that allows my VMs to access the Microsoft.Storage and Microsoft.KeyVault service tags. In short, do I just need outbound access to the Azure storage and Key Vault service endpoints, along with HTTPS and DNS protocols? By the way, my VMs route through an NVA with a default route of 0.0.0.0/0 to the NVA's LAN interface, which supports service tags!

2 Answers

Answered By DataDoc On

You can use service endpoints if you're looking for an alternative. They allow requests from your virtual network to go through Azure's backbone instead of the public internet, still requiring a firewall rule if you're using one. But you might not need that firewall rule or route if service endpoints are utilized with an NVA and a default route. They perform similarly to private endpoints but usually involve less management. Just keep in mind that you might lose some control over client access if you choose this route!

CloudGuru -

I find service endpoints to be less complex. No additional costs or custom DNS needed, which is a huge plus for performance!
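Putting the question's allow-list and DataDoc's service-endpoint alternative into one Az PowerShell script, as an added example that is not from the thread: an NSG that permits only outbound HTTPS to the AzureKeyVault and Storage service tags plus DNS, denies all other Internet-bound traffic, and optionally enables the Microsoft.KeyVault and Microsoft.Storage service endpoints on the VM subnet. Resource group, VNet, subnet, NSG and region names are assumed placeholders.

```powershell
# Added example (not from the thread). Assumed names: resource group 'rg-ade-demo',
# VNet 'vnet-ade', subnet 'snet-vms', NSG 'nsg-ade-vms', region 'westeurope'.
# Requires the Az PowerShell module and an authenticated session (Connect-AzAccount).
$rg     = 'rg-ade-demo'
$region = 'westeurope'

# Outbound allow-list covering what the ADE extension needs to reach.
$rules = @(
    # Key Vault: wrapping/unwrapping the disk encryption key over HTTPS.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-KeyVault-HTTPS' -Direction Outbound `
        -Access Allow -Protocol Tcp -Priority 100 -SourceAddressPrefix VirtualNetwork `
        -SourcePortRange '*' -DestinationAddressPrefix AzureKeyVault -DestinationPortRange 443
    # Storage: the extension package and its dependencies are fetched over HTTPS.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Storage-HTTPS' -Direction Outbound `
        -Access Allow -Protocol Tcp -Priority 101 -SourceAddressPrefix VirtualNetwork `
        -SourcePortRange '*' -DestinationAddressPrefix Storage -DestinationPortRange 443
    # DNS: resolving the vault and storage FQDNs. 168.63.129.16 is Azure's platform DNS;
    # point this at the NVA or custom resolver instead if the VMs use one.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-DNS' -Direction Outbound `
        -Access Allow -Protocol '*' -Priority 110 -SourceAddressPrefix VirtualNetwork `
        -SourcePortRange '*' -DestinationAddressPrefix 168.63.129.16 -DestinationPortRange 53
    # Explicit deny so the default 'AllowInternetOutBound' rule (priority 65001) no longer applies.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Outbound' -Direction Outbound `
        -Access Deny -Protocol '*' -Priority 4000 -SourceAddressPrefix VirtualNetwork `
        -SourcePortRange '*' -DestinationAddressPrefix Internet -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-ade-vms' -ResourceGroupName $rg `
    -Location $region -SecurityRules $rules

# Service-endpoint alternative from the answers. The endpoint route takes precedence over the
# 0.0.0.0/0 UDR, so Key Vault and Storage traffic bypasses the NVA and stays on the Azure
# backbone; the NSG rules above are still evaluated for it, and everything else still hits the NVA.
$vnet = Get-AzVirtualNetwork -Name 'vnet-ade' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vms' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg `
    -ServiceEndpoint 'Microsoft.KeyVault','Microsoft.Storage' | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The NVA itself must also permit the same destinations for any traffic that is not diverted by a service endpoint; the NSG only decides what leaves the subnet.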

Answered By TechieDude9 On

Private endpoints are definitely the way to go! They will assign a private IP to your Storage Accounts and Key Vaults right from your virtual network, ensuring you can completely block internet access. Most compliance requirements prefer this setup nowadays. You might want to stick with that option. Just a heads up, service endpoints can also work, changing your traffic routing through Azure's network instead of the internet, which is also pretty effective.

NerdyNetworker -

Thanks! I'll give that a go. I'm assuming one private endpoint for Key Vault should be enough.

CloudSavvy -

Totally agree, it was a bit tricky when we set this up too!
