Azure private endpoints and ACL

I have this setup:

  1. a storage account
  2. a webapp
  3. a VNET with two subnets
  4. a private link

The private link is in subnet A, and the webapp is delegated to subnet B. I have the private link assigned to the storage account.

(screenshot: Storage account private connection)

This is actually working. I can see that the IP is from the subnet A range when doing name resolution.

(screenshot: name resolution)

And I can perfectly request data from the storage account.

Now I want to cut off the public traffic. The only way I can do this, as I see it, is to disallow traffic from all networks.

(screenshot: Allow traffic from no networks)

But now I can't request data from my storage account. Name resolution is still working fine, and the internal IP does get resolved.

I am most certainly doing this wrong. How can I deny traffic from the public endpoint and only allow traffic from my internal IP?

A workaround, as I see it, is to add subnet B to the allowed network list. If I do this, a storage service endpoint is added to the subnet, name resolution still resolves the internal IP, and I can get data.

Is this workaround the only and proper way of doing this?


Currently, yes. Although the web app will communicate to the storage account via the private endpoint, this specific configuration still requires the storage account to have public access (not sure if you can firewall the entire public IP range and it’ll still work).

My apologies. I’ve deployed this configuration before into a test environment and found the MS docs that say it’s not possible at this point in time but cannot find the link now.
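The setup from the question (private endpoint in subnet A, public access denied, then the subnet B service-endpoint workaround the answer confirms), as an added Azure CLI example that is not from either poster. Resource group, VNET, subnet, storage account names and the subnet A address range are assumed placeholders; the `ip_in_cidr` helper is a pure-shell check for the "resolved IP is in subnet A" verification the question does by hand.

```shell
#!/bin/sh
# Added example; all names below are assumed placeholders, replace with your own.
RG="rg-example"; LOCATION="westeurope"; VNET="vnet-example"
SUBNET_A="subnet-a"; SUBNET_B="subnet-b"; STORAGE="stexample"
SUBNET_A_RANGE="10.0.1.0/24"   # assumed address range of subnet A

# 1. Private endpoint for the blob service, placed in subnet A (the "private link").
create_private_endpoint() {
  STORAGE_ID=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "pe-$STORAGE" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET_A" \
    --private-connection-resource-id "$STORAGE_ID" --group-id blob \
    --connection-name "pe-$STORAGE-conn"
}

# 2. Close the public endpoint: default action Deny is "allow access from no networks".
deny_public_access() {
  az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
}

# 3. The workaround from the question: a Microsoft.Storage service endpoint on the
#    web app's subnet B plus a matching network rule on the storage account.
allow_subnet_b() {
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET_B" \
    --service-endpoints Microsoft.Storage
  az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET_B"
}

# Pure-shell helpers: dotted IPv4 -> integer, and "is $1 inside CIDR $2?" (exit 0 = yes).
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
ip_in_cidr() {
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits="${2#*/}"
  mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Run from inside the VNET (e.g. the web app console): the FQDN must resolve to an
# address inside subnet A, not to the storage account's public IP.
check_resolution() {
  resolved=$(nslookup "$STORAGE.blob.core.windows.net" | awk '/^Address/ {a=$2} END {print a}')
  ip_in_cidr "$resolved" "$1" && echo "OK: $resolved is in $1" || echo "NOT private: $resolved"
}

if [ "${1:-}" = "apply" ]; then   # only touch Azure when explicitly asked
  create_private_endpoint; deny_public_access; allow_subnet_b
  check_resolution "$SUBNET_A_RANGE"
fi
```

Run with `sh script.sh apply` after `az login`; without the argument it only defines the functions, so the helpers can be tested offline.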