Isolating the data and management planes on Azure Storage Accounts

Azure Storage Accounts can have their access restricted by IP address or an Azure virtual network (with a Microsoft.Storage service endpoint). When this is done, the storage resource will only accept connections from those designated origins. This covers data operations (read, write, etc.) and control operations (create new container, etc.); I'm calling these the "data" and "management" planes, respectively.

Is it possible to isolate these at a networking level (e.g., with a firewall), or can it only be done at a role level? For example, could I have a VM on the same network that can only do control operations, regardless of the roles of the principal?

The operations for Azure storage are split as you say, data and management. The data piece goes through the storage APIs, whereas the management piece goes through the Azure Resource Manager APIs, which are the management APIs used for all services.

Storage accounts have the concept of a firewall, where you can restrict which IPs can access the storage account; this covers the data side of things. If you blocked someone using this firewall, they will still be able to make management requests to ARM (assuming they have the rights).

Blocking access to ARM for the management side is much harder, and you are better off looking at using permissions for this.

Xophmeister

Thanks :) When running Terraform from my local machine, I was seeing rather that both data *and* management access were blocked when my storage is given network rules (see [here](https://stackoverflow.com/questions/71022815/creating-azure-storage-containers-in-a-storage-account-with-network-rules-with)). I've got around this by building management infrastructure, which is allowed to connect to the storage. What I want to avoid, however, is being able to make data requests from that management infrastructure. (Forgive any lack of understanding on my part! Azure is quite new to me.)

Ok this is a bit tricky. The ability to create a container in a storage account is actually a data plane operation (it probably shouldn't be, but it is), so if you need Terraform to create the container, then it will need access through the firewall. If you were just creating the storage account alone, you would not need to grant this level of access. That means that the management infrastructure will have access to the data plane.
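As an added example (not code from the thread, nor from Azure's or Terraform's own documentation), here is how the two planes discussed in the answer and comments above are controlled separately in Terraform: `network_rules` gate only the data plane, Azure RBAC gates both, and disabling shared keys stops a management-plane role from turning `listKeys` into data access. The resource names, the IP address, the subnet ID and the principal object IDs are placeholders.

```hcl
# Added example: data plane restricted by network rules, management and data
# rights granted through separate RBAC roles. All names/IDs are placeholders.

provider "azurerm" {
  features {}
  # Terraform's own data-plane calls (e.g. container creation) must use
  # Azure AD once shared keys are disabled on the account below.
  storage_use_azuread = true
}

variable "mgmt_subnet_id" { type = string }    # subnet with a Microsoft.Storage service endpoint
variable "mgmt_principal_id" { type = string } # object ID of the management identity
variable "app_principal_id" { type = string }  # object ID of the identity that needs blob access

resource "azurerm_resource_group" "rg" {
  name     = "rg-storage-demo" # placeholder
  location = "westeurope"
}

resource "azurerm_storage_account" "sa" {
  name                     = "stdemo0001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Shared keys would let any principal holding listKeys (which Storage
  # Account Contributor has) obtain full data-plane access. With this off,
  # keys returned by listKeys are rejected by the data plane, so data
  # access requires an explicit data-plane RBAC role via Azure AD.
  shared_access_key_enabled = false

  # Data-plane firewall: only the listed origins reach the storage endpoints.
  # ARM (management plane) requests are not affected by these rules.
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    ip_rules                   = ["203.0.113.10"] # constructed example public IP
    virtual_network_subnet_ids = [var.mgmt_subnet_id]
  }
}

# Management plane only: may change account settings through ARM, but with
# shared keys off it cannot read or write blobs.
resource "azurerm_role_assignment" "mgmt_plane" {
  scope                = azurerm_storage_account.sa.id
  role_definition_name = "Storage Account Contributor"
  principal_id         = var.mgmt_principal_id
}

# Data plane is a separate role; leave this out for principals that should
# only manage the account.
resource "azurerm_role_assignment" "data_plane" {
  scope                = azurerm_storage_account.sa.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.app_principal_id
}

# As the comment above says, creating a container is a data-plane call: the
# machine running `terraform apply` must be covered by ip_rules or the subnet
# list, and its identity needs a data-plane role, or this resource fails.
resource "azurerm_storage_container" "data" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}
```

One caveat on the management side: Storage Account Contributor includes `Microsoft.Storage/storageAccounts/write`, so a holder could re-enable shared keys or widen the network rules on the account. If the management identity must not be able to do that either, give it a narrower custom role or back the settings with an Azure Policy that denies the change.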