This is a generalised version of what I posted on Stack Overflow.
I have a number of storage accounts in Azure - the "new" ARM deployment model. I also have a number of old classic resources (VMs and Cloud Services) - using the "old" ASM model. There are reasons why these cannot be migrated to ARM at this time - the question is not about migration.
I am trying to configure the storage accounts to allow connections from only specified resources. I added our external on-prem addresses and I added virtual networks and subnets for other "new" ARM resources (VM, etc.). However, I'm struggling to allow classic resources to access the storage account.
I tried adding the external IP address of a classic resource - this didn't help, most likely because internally within Azure (and these resources are within the same region) traffic is routed using some internal networks. Note that I tried using both Microsoft routing and Internet routing - the result is exactly the same.
I tried adding these classic resources to a classic virtual network - but classic vnets are not even listed in the storage account configuration to select as an allowed private vnet.
As a result, the only option I have is to set "allow access from all networks", which isn't particularly secure.
Is there any way to restrict access to the storage account by networks/IP addresses and allow access from classic resources at the same time?