I'm curious about the real downsides of allowing public network access for things like storage accounts or Key Vaults. If our traffic goes back to our on-premises SD-WAN, does that reduce the risk of network intrusion? I'm not super familiar with networking, so I'd appreciate some insights!
6 Answers
Enabling public access is like having a secondary security layer. You still need to set up proper authorization and authentication along with network security. If your storage account or Key Vault is public and somehow your access keys leak, then you could be in trouble regardless of your network setup. It's usually best to keep public access off if you’re handling sensitive data!
Just keep in mind that when your storage account has unrestricted network access, the entire internet can technically reach it. To access the data, users still need the correct access keys or the right RBAC roles, but if those keys leak, you're at risk.
Always remember these security tips: 1) If someone wants access, they'll find a way. 2) Make it difficult for them. 3) Assume that anything exposed could be compromised. Just good reminders for dealing with public access!
Public bots constantly scan for open endpoints on the internet. If your storage account keys or Key Vault access policies leak, there’s a significant chance your data could be compromised. Weigh the costs of securing these systems with private links against the risks of having public access, especially for critical data!
Always opt for private endpoints for east-west traffic and on-prem connections. Service endpoints can be a good choice but should only be used in specific cases.
If you don’t have a private endpoint for your storage account or Key Vault, your data traffic is exposed to the internet. The SD-WAN only connects you to Azure resources linked to a virtual network. If your company wants to keep traffic within Azure or your internal network, consider setting up private endpoints instead.
Exactly! It's essential to keep in mind that without those private endpoints, your information could be at greater risk.
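The answers above make two distinct points: a storage account or Key Vault whose public network access is enabled is reachable from any IP and authentication is the only thing standing between a leaked key and your data, and a firewall rule (`defaultAction: Deny`, as used with service endpoints) still leaves a public endpoint in place, unlike a private endpoint with public access disabled. The script below is an added example, not code from anyone in this thread. It classifies resources into those three exposure levels. It runs offline over constructed records; the field names mirror what `az storage account show` and `az keyvault show` return (Key Vault nests its settings under `properties`, Storage flattens them), but every name, ID and value in `SAMPLE_RESOURCES` is made up for illustration.

```python
"""Classify Azure Storage accounts and Key Vaults by network exposure.

Added example, not from the original thread. Field names follow the JSON
returned by `az storage account show` and `az keyvault show`; the sample
records below are constructed and do not describe real resources.
"""
from dataclasses import dataclass

# Constructed sample records (NOT real resources; names and IDs are invented).
SAMPLE_RESOURCES = [
    {   # Reachable from any IP and shared-key auth on: worst case
        "type": "Microsoft.Storage/storageAccounts",
        "name": "stpayrollprod",
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Allow"},
        "allowSharedKeyAccess": True,
        "privateEndpointConnections": [],
    },
    {   # Firewall set to Deny: the public endpoint still exists, just filtered
        "type": "Microsoft.Storage/storageAccounts",
        "name": "stlogsprod",
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Deny"},
        "allowSharedKeyAccess": False,
        "privateEndpointConnections": [],
    },
    {   # Public access off, private endpoint attached, RBAC model
        "type": "Microsoft.KeyVault/vaults",
        "name": "kv-payroll-prod",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "networkAcls": {"defaultAction": "Deny"},
            "enableRbacAuthorization": True,
            "privateEndpointConnections": [{"id": "/subscriptions/00000000/pe-kv"}],
        },
    },
    {   # No network rules at all (az returns networkAcls as null) and access policies
        "type": "Microsoft.KeyVault/vaults",
        "name": "kv-legacy",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": None,
            "enableRbacAuthorization": False,
            "privateEndpointConnections": [],
        },
    },
]


@dataclass(frozen=True)
class Finding:
    name: str
    exposure: str        # "internet", "filtered" or "private"
    notes: tuple


def _props(res: dict) -> dict:
    # Key Vault nests settings under "properties"; Storage returns them flat.
    return res.get("properties") or res


def _default_action(res: dict) -> str:
    p = _props(res)
    acl = p.get("networkRuleSet") or p.get("networkAcls") or {}
    # A missing rule set behaves like "Allow": nothing is filtered.
    return acl.get("defaultAction") or "Allow"


def classify(res: dict) -> Finding:
    p = _props(res)
    notes = []
    public_access = (p.get("publicNetworkAccess") or "Enabled").lower()
    has_pe = bool(p.get("privateEndpointConnections"))

    if public_access == "disabled":
        exposure = "private"          # only reachable through a private endpoint
        if not has_pe:
            notes.append("public access disabled but no private endpoint: verify clients have a path")
    elif _default_action(res).lower() == "deny":
        exposure = "filtered"         # public endpoint exists; firewall allow-list applies
        notes.append("public endpoint still exists; only allow-listed IPs/VNets pass the firewall")
    else:
        exposure = "internet"
        notes.append("any IP on the internet can reach the endpoint; auth is the only control")

    is_storage = res["type"].endswith("storageAccounts")
    is_vault = res["type"].endswith("vaults")
    if is_storage and p.get("allowSharedKeyAccess", True) and exposure != "private":
        notes.append("shared-key auth enabled: a leaked key gives full data-plane access from anywhere")
    if is_vault and not p.get("enableRbacAuthorization", False):
        notes.append("legacy access-policy model in use; prefer Azure RBAC")
    return Finding(res["name"], exposure, tuple(notes))


def audit(resources: list) -> list:
    return [classify(r) for r in resources]


def internet_exposed(resources: list) -> list:
    """Names of resources whose endpoint is reachable from any internet IP."""
    return [f.name for f in audit(resources) if f.exposure == "internet"]


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES):
        print(f"{f.name:18} {f.exposure:9} " + "; ".join(f.notes))
```

To run it against a real subscription, load the JSON from `az storage account show` or `az keyvault show` for each resource and pass the resulting dicts to `audit`. The "filtered" class is deliberately separate from "private": a firewall allow-list only narrows who can hit the public endpoint, so a key that leaks is still usable from any allow-listed network, whereas with `publicNetworkAccess: Disabled` the data plane is only reachable from a VNet (and from on-premises through it) via a private endpoint.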