Configure access to storage
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Securing access to Azure Storage accounts is a key responsibility for an Azure Administrator. Azure Storage contains business-critical data such as virtual machine disks (VHDs), application logs, shared files, and backups.
To protect this data, Azure provides firewall rules and virtual network integration to control which resources and networks can access a storage account.
This AZ-104 exam topic focuses on how to restrict access, how to allow trusted networks, and how to configure storage account networking settings.
1. Understanding Storage Account Network Access
By default, a new Azure Storage account is accessible from any network over the internet if the correct authentication method (key, SAS token, identity) is used.
But in many IT organizations, this is considered too open, especially when dealing with:
- Unmanaged virtual machine disks (VHD page blobs in a storage account you own; managed disks live in Microsoft-managed storage and are not governed by your account's firewall)
- Application configuration files
- Database backups exported to Blob Storage
- Shared files used by VMs through Azure Files
To secure access, Azure Storage provides these features:
✔ Azure Storage Firewall
Controls which IP addresses can access the storage account.
✔ Virtual Network (VNet) Integration
Allows only selected Azure VNets/subnets to access the storage account using private endpoints or service endpoints.
Both can be combined to create strict, secure access policies.
2. Storage Account Network Access Options
Inside a storage account → Networking → Firewalls and virtual networks, Microsoft provides three main access models. Options 2 and 3 below are both configured under the same "Enabled from selected virtual networks and IP addresses" setting; the difference is whether you allow a subnet or a public IP range.
Option 1: Allow access from all networks (least secure)
Anyone on the internet can reach the storage account if they have valid credentials.
Used when:
- Testing environments
- Public hosting scenarios
- Temporary access
Not recommended for production.
Option 2: Allow access from selected virtual networks (secure)
You can restrict access so that only resources inside specific Azure VNets/subnets can connect.
Used when:
- Applications running on VMs need storage access
- AKS workloads need persistent volumes backed by Azure Files or Blob storage (container images themselves live in Azure Container Registry)
- App Services need to read/write storage files
- Databases store backups to storage
This option uses one of two technologies to connect VNets to storage:
● Service Endpoints
OR
● Private Endpoints
You must understand both for the exam.
Option 3: Allow access from specific public IP ranges
You can allow:
- Office IP ranges
- On-premises datacenters
- NAT public IPs that on-premises traffic presents when it arrives over the internet or over ExpressRoute Microsoft peering (private address ranges cannot be used in IP rules)
- Firewall/proxy IP ranges
This is useful when:
- Admins manage storage from on-premises
- Backup servers push data to Azure
- Corporate devices must access storage via fixed IPs
3. Azure Storage Firewall Rules
Firewall rules restrict access based on the client’s public IP address.
You can allow:
✔ Single IP (e.g., 52.176.200.34)
✔ IP range using CIDR (e.g., 52.176.200.0/24)
✔ Multiple entries
Restrictions a practitioner should know:
- Only public internet addresses are accepted; RFC 1918 ranges (10/8, 172.16/12, 192.168/16) are rejected.
- /31 and /32 ranges are not supported; enter those addresses as single IP rules.
- IP rules have no effect on requests that originate from the same Azure region as the storage account; use virtual network rules for same-region clients.
Firewall rules apply to:
- Blob storage
- File shares
- Queues
- Tables
Exam note:
Firewall rules do NOT protect storage account keys or SAS tokens: a leaked key still works from any allowed network.
They only restrict the network paths that can reach the account.
4. Virtual Network Integration Options
Azure provides two main methods to connect VNets to Storage securely:
A. Service Endpoints (older method)
What it does:
A service endpoint extends your VNet's identity to Azure Storage's public endpoint: requests from the subnet arrive at the storage service tagged with the VNet/subnet they came from, so the storage firewall can allow that subnet by resource ID instead of by IP.
Traffic goes over Azure’s backbone network but still targets the storage account’s public IP, so it is protected by firewall rules rather than by network isolation.
Key characteristics:
- Traffic uses the public endpoint but stays on the Microsoft backbone
- No private IP is created
- Faster to configure
- Supports VNet ACLs
- Free to use (no extra cost)
When used in IT environments:
- VM-based apps reading/writing from Blob storage
- Azure Functions accessing Azure Files
- Automation tools or backup agents inside a subnet
AZ-104 exam points:
- A service endpoint by itself blocks nothing; what keeps out public-internet clients (even ones holding valid credentials) is the storage firewall's default action of Deny combined with a virtual network rule for the subnet
- Service endpoints are configured per subnet: a subnet in a peered VNet needs its own Microsoft.Storage endpoint and its own network rule, and traffic arriving from on-premises through a VPN or ExpressRoute gateway is not covered by service endpoints at all
B. Private Endpoints (preferred, more secure)
What it does:
A private endpoint assigns a private IP address inside your VNet to the storage account.
Key characteristics:
- Storage is reachable through a private IP in your subnet
- Traffic stays inside your VNet (and networks connected to it by peering, VPN or ExpressRoute)
- No public network exposure once public network access is disabled; until then the public endpoint is still reachable
- Uses Azure Private Link
- One private endpoint per sub-resource (blob, file, queue, table, web, dfs)
- Requires DNS configuration (important for exam)
IT scenario examples:
- Production workloads that require strict network isolation
- Secure data stores for applications
- Storage accessed through ExpressRoute-only connectivity
- Highly regulated environments (financial, government, healthcare)
AZ-104 exam points:
- Traffic through a private endpoint never touches the public endpoint, and the storage firewall's IP and VNet rules do not apply to it
- Public network access can be disabled after configuring private endpoints
- DNS must resolve the storage FQDN (for example mystorage.blob.core.windows.net) to the private IP, normally through the privatelink.blob.core.windows.net private DNS zone linked to the VNet
- Private endpoints work across VNets (via peering) and from on-premises over VPN/ExpressRoute, provided those networks can resolve the private DNS name
5. Public Network Access Settings
Under Networking settings, you can configure:
1. Enabled from all networks
(default; protection relies entirely on keys, SAS tokens or identities)
2. Enabled from selected networks
Only allowed:
- Specific VNets (via endpoints)
- Specific IP ranges
3. Disabled (most secure)
Only private endpoints can access the storage account.
Exam trick:
If public network access is disabled, the public endpoint is switched off entirely, so both IP rules and service endpoints stop working; only private endpoints will work.
6. Exceptions: Allow Azure Services to Access Storage
When the default action is Deny, the storage account offers built-in exceptions (the Exceptions check boxes under Networking):
✔ Allow Azure services on the trusted services list to access this storage account
This allows services like:
- Azure Backup
- Azure Site Recovery
- Azure Monitor
- Azure DevOps
- Import/Export service
These services call storage with Microsoft-managed identities. The exception only bypasses the network rules; the calling service still has to be authorized (for several of them, an Azure RBAC role granted to its managed identity).
✔ Allow read access to storage logging from any network
✔ Allow read access to storage metrics from any network
These let monitoring tools read the $logs container and the $Metrics tables without an IP or VNet rule.
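The following PowerShell script is an added example and is not code from the original page or from Microsoft: it applies the IP firewall rules from section 3 together with the exceptions from section 6 in one call, and checks client-side for the two mistakes the service rejects (private address ranges, and /31 or /32 written as ranges). It assumes the Az.Storage module and an active Connect-AzAccount session; the resource group, account name and IP ranges are invented placeholders.

```powershell
# Added example (not from the original page): lock a storage account's public
# endpoint down to a list of public IP ranges and keep the trusted-services
# exceptions. Requires Az.Storage and an active Az session. Names below
# (rg-storage, stcorpdata, the IP ranges) are assumptions.

function Test-Rfc1918Address {
    # True for 10/8, 172.16/12 and 192.168/16 (IPv4 only).
    param([Parameter(Mandatory)][string] $Address)
    $o = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($o.Length -ne 4) { return $false }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function Set-StorageIpFirewall {
    param(
        [Parameter(Mandatory)][string]   $ResourceGroupName,
        [Parameter(Mandatory)][string]   $AccountName,
        [Parameter(Mandatory)][string[]] $AllowedRanges,
        # Exceptions from section 6: trusted services plus log/metric readers.
        [string[]] $Bypass = @('AzureServices', 'Logging', 'Metrics')
    )

    $normalised = foreach ($range in $AllowedRanges) {
        $ip, $prefix = $range -split '/'
        # The service rejects private ranges; fail early with a clear message.
        if (Test-Rfc1918Address $ip) {
            throw "IP rules accept public addresses only: $range"
        }
        if ($prefix -eq '31') {
            throw "/31 ranges are not supported; list both addresses individually: $range"
        }
        # A /32 is not accepted as a range; submit it as a single address.
        if ($prefix -eq '32') { $ip } else { $range }
    }
    $ipRules = foreach ($r in $normalised) { @{ IPAddressOrRange = $r; Action = 'allow' } }

    # DefaultAction Deny is what actually blocks the internet; the IP rules and
    # the bypass categories are exceptions to it. -IPRule replaces the whole
    # list, so re-running the function converges on exactly $AllowedRanges.
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $AccountName `
        -DefaultAction Deny -Bypass $Bypass -IPRule $ipRules | Out-Null

    # Return the effective rule set so the caller can verify it.
    Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $AccountName
}

# Constructed example values: one office NAT address and one backup-server range.
$ruleSet = Set-StorageIpFirewall -ResourceGroupName 'rg-storage' -AccountName 'stcorpdata' `
    -AllowedRanges @('52.176.200.34/32', '52.176.200.0/24')
$ruleSet | Format-List DefaultAction, Bypass
$ruleSet.IpRules | Format-Table IPAddressOrRange, Action
```

Because the rule list is applied declaratively, the function is safe to keep in a runbook and re-run; an operator who needs same-region access must still add a virtual network rule, since IP rules do not match same-region traffic.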
7. Logging, Monitoring & Troubleshooting (Exam-Relevant)
Azure provides multiple tools to diagnose network access:
▪ Diagnostic settings
Send logs to:
- Log Analytics Workspace
- Event Hub
- Storage account
▪ Signals to check
- The Transactions metric split by the ResponseType dimension (authorization and client errors)
- In diagnostic logs, requests denied by network rules appear as HTTP 403 with StatusText AuthorizationFailure; the CallerIpAddress column shows who was blocked and AuthenticationType shows which credential they used
▪ Network watcher
Verify:
- NSG rules
- Route tables
- Connection failures
▪ Storage Browser test
If blocked:
- Check firewall rules
- Check IP address
- Check private endpoint DNS
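The three checks in this list, as an added PowerShell example (not code from the original page or from Microsoft): read the account's effective network posture, query Log Analytics for denied requests grouped by caller IP, and test from the client whether the storage name resolves to a private endpoint address (the DNS point from section 4B). It assumes Az.Storage, Az.Network and Az.OperationalInsights, an active Az session, and diagnostic settings that already send StorageBlobLogs to the workspace; the resource names and workspace ID are placeholders.

```powershell
# Added example (not from the original page): troubleshooting a client that
# gets 403 from a locked-down account. Names (rg-storage, stcorpdata,
# the workspace ID) are assumptions.

# 1. What does the account actually allow right now?
function Get-StorageNetworkPosture {
    param([Parameter(Mandatory)][string] $ResourceGroupName,
          [Parameter(Mandatory)][string] $AccountName)
    $acct  = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
    $rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $AccountName
    # Private endpoints are not part of the rule set; find them by their target.
    $pes = Get-AzPrivateEndpoint | Where-Object {
        $_.PrivateLinkServiceConnections.PrivateLinkServiceId -eq $acct.Id
    }
    [pscustomobject]@{
        PublicNetworkAccess = $acct.PublicNetworkAccess   # Disabled => private endpoints only
        DefaultAction       = $rules.DefaultAction        # Deny => the lists below are the allow list
        Bypass              = $rules.Bypass
        IpRules             = @($rules.IpRules.IPAddressOrRange)
        SubnetRules         = @($rules.VirtualNetworkRules.VirtualNetworkResourceId)
        PrivateEndpoints    = @($pes.Name)
    }
}

# 2. Who is being denied, from where, and with which credential type?
function Get-DeniedStorageRequests {
    param([Parameter(Mandatory)][string] $WorkspaceId, [int] $Hours = 1)
    # Requests blocked by network rules are logged as HTTP 403 AuthorizationFailure.
    # CallerIpAddress is "ip:port", so the port is stripped before grouping.
    $kql = @"
StorageBlobLogs
| where TimeGenerated > ago(${Hours}h)
| where StatusCode == 403 and StatusText == "AuthorizationFailure"
| extend CallerIp = tostring(split(CallerIpAddress, ":")[0])
| summarize Denied = count(), LastSeen = max(TimeGenerated) by AccountName, CallerIp, OperationName, AuthenticationType
| order by Denied desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results
}

# 3. Run on the client: does the storage name resolve to a private IP?
function Test-StorageDnsPath {
    param([Parameter(Mandatory)][string] $AccountName, [string] $Service = 'blob')
    $fqdn = "$AccountName.$Service.core.windows.net"
    foreach ($a in [System.Net.Dns]::GetHostAddresses($fqdn)) {
        $o = $a.GetAddressBytes()
        $isPrivate = ($o.Length -eq 4) -and (
            ($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
        [pscustomobject]@{
            Fqdn    = $fqdn
            Address = $a.IPAddressToString
            # A public address here means the privatelink zone is not linked to
            # this VNet, or the client is not using the VNet's DNS servers.
            Path    = if ($isPrivate) { 'private endpoint' } else { 'public endpoint' }
        }
    }
}

Get-StorageNetworkPosture -ResourceGroupName 'rg-storage' -AccountName 'stcorpdata'
Get-DeniedStorageRequests -WorkspaceId '00000000-0000-0000-0000-000000000000' -Hours 24 |
    Format-Table AccountName, CallerIp, OperationName, AuthenticationType, Denied
Test-StorageDnsPath -AccountName 'stcorpdata'
```

Read the three outputs together: if the posture shows DefaultAction Deny and the denied caller's IP is not in IpRules (or its subnet is not in SubnetRules), the network rules are the cause; if the DNS test on a VNet client returns a public address even though a private endpoint exists, the problem is DNS, not the firewall.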
8. Common AZ-104 Exam Scenarios & Solutions
Scenario 1
A VM in a VNet cannot access a storage account even though the correct key is used.
Fix:
The storage firewall's default action is Deny and the VM's subnet is not on the allow list. Enable the Microsoft.Storage service endpoint (or create a private endpoint) on the VM subnet AND add that subnet to the storage firewall.
Scenario 2
You need private-only access to storage.
Solution:
Enable private endpoints and set Public network access = Disabled.
Scenario 3
On-premises servers need to backup to Blob Storage.
Solution:
Add the on-premises public IP range to the storage firewall.
Scenario 4
Azure Kubernetes Service (AKS) needs access to private blob storage.
Solution:
Create a private endpoint for the blob sub-resource and link the privatelink.blob.core.windows.net private DNS zone to the VNet the AKS nodes use (or add the zone to the custom DNS servers that VNet is configured with).
Scenario 5
Firewall rules (default action Deny) block Azure Backup.
Solution:
Enable the exception "Allow Azure services on the trusted services list to access this storage account".
9. Step-by-Step Configuration (Exam-Friendly)
A. Configure Firewall Rules
- Go to Storage Account
- Select Networking
- Choose Selected networks
- Add:
- Public IPs
- IP ranges
- VNet/subnets
- Save settings
B. Configure Service Endpoints
- Go to VNet → Subnet
- Click Service endpoints
- Select Microsoft.Storage
- Add the subnet to Storage Firewall settings
C. Configure Private Endpoints
- Go to Storage Account
- Select Networking → Private endpoint connections → + Private endpoint
- Create a new private endpoint, choosing the target sub-resource (blob, file, queue, table, web or dfs)
- Select:
- VNet
- Subnet
- Configure DNS (integrate with the privatelink.<service>.core.windows.net private DNS zone; recommended)
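Steps B and C above as one PowerShell script, an added example that is not code from the original page or from Microsoft. It enables the service endpoint on an application subnet and allows that subnet in the firewall, then creates a blob private endpoint with a private DNS zone group so that clients in the VNet resolve the private IP, which is the configuration sections 4 and 5 describe. It assumes Az.Network, Az.Storage and Az.PrivateDns, an active Az session, and that the VNet, both subnets and the storage account already exist; all resource names are placeholders.

```powershell
# Added example (not from the original page): service endpoint + VNet rule,
# then private endpoint + DNS, for an existing storage account. Names
# (rg-storage, stcorpdata, vnet-prod, snet-app, snet-privateendpoints)
# are assumptions.
$rg          = 'rg-storage'
$accountName = 'stcorpdata'
$vnetName    = 'vnet-prod'
$appSubnet   = 'snet-app'               # VMs that will use the service endpoint
$peSubnet    = 'snet-privateendpoints'  # where the private endpoint NIC is placed

$account = Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# ---- B. Service endpoint: tag the app subnet, then allow it in the firewall ----
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $appSubnet
# Keep endpoints already enabled on the subnet and add Microsoft.Storage.
$endpoints = @($subnet.ServiceEndpoints.Service) + 'Microsoft.Storage' |
    Where-Object { $_ } | Select-Object -Unique
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $appSubnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint $endpoints | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet            # commit the change to Azure
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $appSubnet

# The endpoint alone allows nothing; DefaultAction Deny plus the VNet rule do.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $accountName -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $accountName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# ---- C. Private endpoint for the blob sub-resource, with DNS integration ----
$conn = New-AzPrivateLinkServiceConnection -Name "$accountName-blob" `
    -PrivateLinkServiceId $account.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$accountName-blob" -Location $account.Location `
    -Subnet (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnet) `
    -PrivateLinkServiceConnection $conn

# Without this zone, clients keep resolving the public IP and never use the endpoint.
$zoneName = 'privatelink.blob.core.windows.net'
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName }
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-blob' -PrivateDnsZoneId $zone.ResourceId
# The zone group keeps the A record in sync with the endpoint's private IP.
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# ---- Optional: private-only. This also switches off the service endpoint path. ----
# Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName -PublicNetworkAccess Disabled

Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $accountName |
    Format-List DefaultAction, VirtualNetworkRules
```

Run the final line, then `nslookup stcorpdata.blob.core.windows.net` from a VM in vnet-prod: the answer should be a CNAME to stcorpdata.privatelink.blob.core.windows.net and an address from snet-privateendpoints. Leave the last Set-AzStorageAccount line commented until every client has been moved to the private endpoint, because it also disables the service endpoint path configured in step B.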
10. Key Terms for the Exam
| Term | Meaning |
|---|---|
| Firewall rules | Control access by IP address |
| Service endpoints | Link VNet subnets to storage without private IP |
| Private endpoints | Provide a private IP access to storage |
| Public network access | Controls whether the account's public endpoint is reachable at all |
| Trusted Azure services | Automatic Microsoft services allowed through firewall |
| Private Link | Underlying service enabling private endpoints |
Final Summary (Easy to Remember)
- Azure Storage can be protected using firewalls, service endpoints, and private endpoints.
- Service endpoints improve security but still use the account's public endpoint and public IP.
- Private endpoints use private IPs and are the most secure method.
- Public network access can be restricted or fully disabled.
- Trusted Azure services may need access even when public access is restricted.
- For the AZ-104 exam, always choose private endpoints when highest security is required.
