Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow access from other Azure resources with public IP #10359

Closed
superminiek opened this issue Jun 18, 2018 · 9 comments

Comments

Projects
None yet
7 participants
@superminiek
Copy link

commented Jun 18, 2018

How to enable access to storage from different Azure item with public IP (VM) which is configured in different subscription and different account? I put public IP in "Firewall" but access is not working.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

@SaurabhSharma-MSFT

This comment has been minimized.

Copy link
Contributor

commented Jun 18, 2018

@superminiek Thanks for your feedback! We will investigate and update as appropriate.

@Adam-Smith-MSFT

This comment has been minimized.

Copy link
Member

commented Jun 19, 2018

@superminiek this answer from Gaurav breaks down the accessibility of Storage account from different subscriptions: https://stackoverflow.com/questions/31024894/accessing-azure-storage-services-from-a-different-subscription
Let me know if this helps.

@cbrooksmsft

This comment has been minimized.

Copy link
Contributor

commented Jun 19, 2018

Requests to storage are Source-NAT'ed so we do not see the public IP address of the VM.

You can use VNET rules across different subscriptions, as long as they are in subscriptions sharing the same Azure AD Tenant.

@NarayanAnnamalai , FYI

@NarayanAnnamalai

This comment has been minimized.

Copy link
Contributor

commented Jun 19, 2018

@zyrow123

This comment has been minimized.

Copy link

commented Jun 21, 2018

I've got the same issue. Adding a VM to a VNet and then attaching the VNet/subnet to the storage account fixes the issue.

However I can't find away to get it to work for requests coming from an App Service

@cbrooksmsft

This comment has been minimized.

Copy link
Contributor

commented Jun 21, 2018

you can use an App Service Environment to get App Service in a VNET.

https://docs.microsoft.com/en-us/azure/app-service/environment/intro#virtual-network-support

@superminiek

This comment has been minimized.

Copy link
Author

commented Jun 24, 2018

Regarding "Requests to storage are Source-NAT'ed so we do not see the public IP address of the VM." - after connecting to another VM I can see that IP (source) is correct, for storage - not so it seems that still it is not working properly or it is planned somehow. In which business cases ASF would be helpful here? I understand that I cannot use ASF for restrict access to File storage from VM.

@zyrow123

This comment has been minimized.

Copy link

commented Jun 25, 2018

Except the app service environment costs almost nearly as much on its own as our whole azure environment.

To me it does not make sense that Azure does not provide away to securely store files in the cloud. I get that a storage account is access secured, but ultimately it's accessible from anywhere on the internet. Which does make it vulnerable. Good luck passing a security audit from a financial institution. It has a password on it does not really provide confidence. 😔

@Adam-Smith-MSFT

This comment has been minimized.

Copy link
Member

commented Jul 13, 2018

@zyrow123 I'd highly recommend adding your feedback here: https://feedback.azure.com/forums/217313-networking , it will be examined by the product group.

Thanks,
Adam

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.