Hello
Similar issue I had with SQL (microsoft-azure-f75/sql-managed-instanc ... 02018.html).
#07984906
I want to restrict access to my Azure files / storage accounts with IP restrictions. But this is not supported.
Support also tells me that I cannot get a list of IPs that I can whitelist.
So the only option to protect my files is to allow the entire internet to have access to my files? (of course it's protected by credentials.. But it would be great if I could protect it on a network level)
Is there also, like with the SQL backup, no way I can get a list of IPs that Veeam uses?
Thanks.
-
tm67
- Service Provider
- Posts: 153
- Liked: 49 times
- Joined: Feb 21, 2023 4:44 pm
- Full Name: Timo Marfurt
-
nielsengelen
- Product Manager
- Posts: 6276
- Liked: 1315 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Azure files backup network restrictions
Hi Timo,
As mentioned in the other post, I'll see if we can come up with a solution.
GitHub: https://github.com/nielsengelen
-
tm67
Re: Azure files backup network restrictions
Hi Niels, I have tested some things.
I have created a new storage account with one fileshare with the setting "Public network access scope: Enable from selected networks"
VDC does not find the fileshare (this is expected)
Now I have added 0.0.0.0/0 as an IP that can access the storage account
After a rescan on VDC Azure Files, the fileshare shows up and the snapshot works.
I have also enabled diagnostics (storage account --> Monitoring --> Diagnostic settings --> file --> enable (logs: audit,allLogs,Transaction -> send to log analytics workspace))
Now in the log analytics workspace, in the table "StorageFileLogs", I can see the access from VDC. The "CallerIPAddress" is 10.191.228.6 (which is not a public IP..?)
I am not sure how to understand that this is not a public IP since there is no private endpoint on this storage account.
Maybe something about internal Azure routing?
I have also played a bit with different settings like "allow trusted Microsoft services to access this resource" and "network routing --> Routing preference: Internet routing". But I have not seen any differences in the "CallerIPAddress"
I also wanted to try to add this IP 10.191.228.6 to the allowed IP list, but this is not supported (https://learn.microsoft.com/en-us/azure ... work-rules)
Not sure if you have similar results or if this is not relevant information. I just thought maybe you have some information about how VDC connects to Azure Files.
Timo
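An added example, not part of the original posts and not Veeam or Microsoft code: it summarises caller addresses from an exported StorageFileLogs result and checks candidate IP rules against the two cases tested above (0.0.0.0/0 and a private address). The CSV layout, the sample rows and the function names are assumptions; only 10.191.228.6 comes from the thread.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of a StorageFileLogs export (assumed layout).
# 10.191.228.6 is the address quoted in the post; 203.0.113.25 is a documentation address.
SAMPLE_EXPORT = """TimeGenerated,CallerIPAddress
2024-01-01T10:00:00Z,10.191.228.6:50412
2024-01-01T10:00:05Z,10.191.228.6:50413
2024-01-01T10:02:00Z,203.0.113.25:44100
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def strip_port(value):
    """'10.191.228.6:50412' -> '10.191.228.6' (assumes IPv4 with an optional port)."""
    value = value.strip()
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def caller_summary(export_text):
    """Count requests per caller address and mark RFC 1918 (private) callers."""
    rows = csv.DictReader(io.StringIO(export_text))
    # Match the column name case-insensitively; exports differ in capitalisation.
    col = next(f for f in rows.fieldnames if f.lower() == "calleripaddress")
    summary = {}
    for row in rows:
        ip = ipaddress.ip_address(strip_port(row[col]))
        entry = summary.setdefault(
            str(ip), {"requests": 0, "rfc1918": any(ip in n for n in RFC1918)})
        entry["requests"] += 1
    return summary


def check_ip_rule(rule):
    """Return why a candidate IP rule is unusable or too broad, or None if neither."""
    net = ipaddress.ip_network(rule, strict=False)
    if net.prefixlen == 0:
        return "matches every IPv4 address, so it restricts nothing"
    if any(net.overlaps(n) for n in RFC1918):
        return "private (RFC 1918) range, not supported in storage account IP rules"
    return None


if __name__ == "__main__":
    for ip, info in caller_summary(SAMPLE_EXPORT).items():
        print(ip, info, "->", check_ip_rule(ip) or "usable as an IP rule")
    print("0.0.0.0/0 ->", check_ip_rule("0.0.0.0/0"))
```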