How to access Azure Storage via VPN? Private Endpoint? - azure-storage

I have VM in On-premise VMWare environment, Azure Virtual Network Gateway and Azure Storage.
I would like to access from Azure Storage Explorer in on-premise VM to Azure Storage via VPN without using public internet.
Is Private Endpoint of Storage and bastion of VNet the best practice?
Does it limit using public internet access to for other usage?
https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal

Microsoft Azure Storage Explorer is a standalone app. You could access storage resources through Azure RBAC and ensure the network is connected between the on-premises network and the Azure virtual network.
As far as I know, Storage Explorer uses HTTPS by default and there is no limit to use the public Internet, you can enable the private endpoint for your Storage Account and set up the VPN connection. You also need to assign your account to access the blob, table, or other service endpoints with enough permission.
For more information:
Azure Storage Explorer troubleshooting guide
Azure Storage Explorer security guide

Related

Connect to Azure SQL via Point to Site Azure VPN which is in another vNet

I have vNet1 (in south central US region) with Virtual network gateway configured with Point to Site VPN. Azure SQL has been deployed within the same vNet with private endpoint (all public access blocked.) i am able to access the Azure SQL via ssms via Azure VPN.
I have another Azure SQL with private endpoint (all public access blocked.) deployed in vNet2 (in north central US region), i just wanted to user can connect to Azure VPN in vnet1 and able to access the Azure SQL in vNet2 from their home location.
I am able to access the Azure SQL in vNet1 via VPN but unable to connect to Azure SQL in vNet2. I have configured vNet to vNet peering (along with gateway transit enable) but unable to access the Azure SQL in vNet2. also set up another Virtual network Gateway in vNet2 and set up vNet to vNet connection but still unable to access Azure SQL in vNet2.
is this possible to get connect to one vnet via vpn and able to access azure sql which is in another vnet?
any help will be highly appriciated.

Azure SQL Network Firewall & Private Endpoint

I have a requirement in my project to pipeline the data from Azure Storage to Azure SQL database. We are using Azure Data Factory (ADF) V2 to perform this pipelining work.
In order to have secure access to Azure SQL DB, I have configured the following properties first.
Deny public network access: No
Connection Policy: Default
Allow Azure services and resources to access this server: No
With the aforementioned settings, the firewall rules have been configured to whitelist a few Public IPs and Virtual Network subnets.
This setting works fine when I use a DB client like SSMS inside a Virtual Machine (part of the subnet already whitelisted). However, it doesn't work when I am trying to create the linked service from ADF. I don't want to turn on this feature "Allow Azure services and resources to access this server" due to security risk to allow ADF connect to the DB. Instead, I have created a Private Endpoint from ADF to SQL Database and approved it but still kept "Deny public network access" --> No.
With the above setup, I have entered into an issue. i.e. The VM which has been successfully connecting to the DB Server doesn't connect to the database server now after enabling Private Endpoint for ADF.
Question:
May I please check what's wrong with this setup? According to MS documentation,
When "Deny public network access" setting is No (default), customers can connect by using either public endpoints (with IP-based firewall rules or with virtual-network-based firewall rules) or private endpoints (by using Azure Private Link), as outlined in the network access overview.
https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings
I have configured Private Endpoint for ADF and VNet firewall for public endpoint access through DB client from a VM. But, only one works at time. To make VM client connect to the DB, I had to delete Private Endpoint of ADF whereas to make ADF work, I had to enable private endpoint which disables the DB connectivity from the VM.
Once you enable private end point for SQL then public network access stops working. Hence, that is the reason you are unable to connect from VM. Kindly consider using private end point to connect from your VM as well.
Now, Add both the (ADF and VM ) subnets to the SQL Server >> Firewalls & Networks >> Under the Add existing virtual Network
Create a private Endpoint in the Azure Data factory having the same subnet as the VM.
Hence, Could add the Azure SQL DB as a linked service in Azure Data Factory:
Here is my MyVNET where I have the created the Subnet(VM) and ADFSubnet which has been added to SQL DB existing Virtual networks via which it can be connected to the ADF or with the VM.
Hence, if you create 2 private endpoints for respective services in the same managed Virtual network you will be able to connect.

Azure SQL connect to Azure storage for selected network

I have created connectivity from Azure SQL to Azure storage .
Create master key
Created scoped CREDENTIAL
Created External data source
connecting azure storage when Azure storage when Azure firewall selected All networks . If I change Selected network (attached screen shot) then connectivity not working . Please note my IP address already whitelisted .
Any suggestion how I can enable firewall and access storage from Azure Sql
If you choose the selected networks for Storage firewall, you need to use the IP address to the control the access from client.
This operation is same with Azure SQL database firewall.
Please could add the client IP and click the Allow trusted Microsoft services to access this storage account:
HTH,

Azure ACI on Windows - How to access shared folder in container from on-premises and access Azure fileshare

i know that we can access azure file share from only the Linux Azure Container Instance. (not windows)
link here
So how can i access Azure file share from an Azure ACI of windows ?
Can i access a shared folder on Azure ACI container from on-premises windows machine ?Azure ACI has public IP address. So can we access like \IP Address\shareName ?
Please help
Q1. So how can I access Azure file share from an Azure ACI of windows ?
As you know, mounting an Azure Files share is currently restricted to Linux containers. So you cannot use this way to access the file share from the windows instance. I suggest you use the Azcopy to access the file share, in this way, you need to configure it yourself.
Q2. Can I access a shared folder on Azure ACI container from on-premises windows machine ?Azure ACI has public IP address. So can we access like \IP Address\shareName ?
For this question, you can configure the container instance as an NFS server, then you can access the NFS server in the way you knew before.

Connecting storage securely to Azure Data Lake Analytics or Data Factory

I am setting up a new Azure Data Lake Analytics (ADLA) PAAS service to run USQL against some existing data sets in blob storage. The blob storage is firewalled for security and when I try to add the storage account to the data sources in ADLA I get the following error. Similar happens for data factory.
InvalidArgument: The Storage account '' or its accessKey
is invalid.
If I disable the firewall, the storage account can be successfully added. I have tried to add the relevant Azure Data Center IP Address ranges but the connection still fails. I have also ticked the "Allow trusted Microsoft Services box" but this does not seem include data lake or data factory. How do I access my storage account from ADLA but still have it secured?
You could install a selfhosted IR to access your blob storage. Whitelist the IP of the machine hosting your selfhosted IR.