Azure Storage Firewall Document need to be updated #120541

Closed
devaroqu opened this issue Mar 7, 2024 · 4 comments

Comments


devaroqu commented Mar 7, 2024

The following section in the document needs to be updated: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-for-resources-registered-in-your-subscription

as it says:

Resources of some services that are registered in your subscription can access your storage account in the same subscription for selected operations, such as writing logs or running backups. The following table describes each service and the allowed operations.
to include that other subscriptions can access the storage account if they are in the same tenant when Allow Azure services in the firewall setting is checked.

I'm able to send Event Grid dead letters from a storage account in my subscription to a storage account in another subscription (same tenant) while the firewall is enabled and only the Allow Azure services on the trusted services list to access this storage account option is checked, and the document does not mention that Azure trusted services can access a storage account in another subscription under the same tenant.

This has been reported by a customer and asked to be updated.




SaibabaBalapur-MSFT commented Mar 7, 2024

@devaroqu
I'm going to assign this to the document author so they can take a look at it accordingly.

@famemo-paasdev

Checking if there is any update on this request?

@famemo-paasdev

In addition to the discrepancy reported above, the language in the caution note needs to be clear.

Caution

By design, access to a storage account from trusted services takes the highest precedence over other network access restrictions. If you set Public network access to Disabled after previously setting it to Enabled from selected virtual networks and IP addresses, any resource instances and exceptions that you previously configured, including Allow Azure services on the trusted services list to access this storage account, will remain in effect. As a result, those resources and services might still have access to the storage account.

The last statement needs an update/correction. Either it will have access or it won't. Why the "might"?

@normesta

Thank you! The docs have been updated. Yes, any subscription in the same tenant is correct.

#please-close
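
An audit sketch for the two behaviours discussed in this thread, added here as an example and not taken from the Azure docs or from any participant: it flags storage accounts whose firewall keeps the trusted-services exception, and accounts where public network access is Disabled while exceptions are still configured. The field names (`publicNetworkAccess`, `networkRuleSet.bypass`, `defaultAction`, `resourceAccessRules`) are assumed to match `az storage account list -o json` output; the sample accounts and IDs are constructed placeholders.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output.
# Field names are an assumption; account names and IDs are placeholders.
SAMPLE = json.loads("""
[
  {"name": "stlogsexample", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny",
                      "bypass": "Logging, Metrics, AzureServices",
                      "resourceAccessRules": []}},
  {"name": "stlockedexample", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                      "resourceAccessRules": [
                        {"tenantId": "00000000-0000-0000-0000-000000000000",
                         "resourceId": "/subscriptions/<placeholder>"}]}},
  {"name": "stclosedexample", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny", "bypass": "None",
                      "resourceAccessRules": []}}
]
""")

def audit(accounts):
    """Return (account name, finding) pairs for the behaviours in the thread."""
    findings = []
    for acct in accounts:
        rules = acct.get("networkRuleSet") or {}
        # bypass is a comma-separated string such as "Logging, AzureServices"
        bypass = {b.strip() for b in (rules.get("bypass") or "None").split(",")}
        trusted = "AzureServices" in bypass
        instances = rules.get("resourceAccessRules") or []
        firewall_on = rules.get("defaultAction") == "Deny"
        disabled = acct.get("publicNetworkAccess") == "Disabled"
        if trusted and firewall_on and not disabled:
            # Per the thread: applies to any subscription in the same tenant.
            findings.append((acct["name"], "trusted-services exception: reachable "
                             "from trusted services in any subscription of the tenant"))
        if disabled and (trusted or instances):
            # Per the caution note: exceptions stay in effect after Disabled.
            findings.append((acct["name"], "public access Disabled but exceptions "
                             f"remain (trusted={trusted}, instances={len(instances)})"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

To run it against a real tenant, replace `SAMPLE` with the parsed JSON from each subscription in turn, since the exception described above is scoped to the tenant rather than to a single subscription.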
