Using Azure Portal, we can easily manage virtual networks and firewall settings in any given Azure Storage Account, and we have a brief overview of the steps required to configure in the following section of this article. However, our focus will be creating a Runbook using Azure Automation to configure all Storage Accounts in any given subscription. All Storage Accounts will be set to use all existing virtual networks on their security, as well as static public IPs.

The idea behind the automation is to show how you could enforce compliance using your business requirements in this area.

Checking the firewall and virtual network feature using Azure Portal
Logged on the Azure Portal, select the desired Storage Account, click on Firewalls and virtual networks. In the new blade that opens up on the right side, we can turn it on by selecting Selected networks and then add new or existent virtual networks to the Storage Account. On the firewall section, add the IP addresses (all of them must be public) that can access this Storage Account.

Although it is not a requirement, because we can enable it automatically from the Storage Account side, we can always configure the desired virtual network to support service endpoints by adding it and selecting the subnets that will be supported.

When adding a new virtual network in any given Storage Account, we can see if the subnets will be configured. When the information service endpoint required is shown, then the process of adding that specific subnet will set it on the virtual network side as well.

Using a script
The first step is to create a simple JSON file containing two pieces of information: IPAddressorRange and Action. We are going to save that JSON file in a Storage Account that we are going to use a repository of our Azure Automation.

In the Azure Runbook, we will create a SAS Token to access the Storage Account for one hour. Then, we are going to download the PublicIPs.json file to the machine that is running the Azure Automation Runbook.

At the beginning of the script, we will load all the Public IPs required and define the endpoint by defining these two first lines of code. After that, we store all the virtual network in the same geopolitical region (in our case, Canada is comprised of Canada Central and Canada East) in the $VNETs variable.

The next piece of code is to loop through the virtual networks, find their subnets, and configure them to support Azure Storage endpoints.

Now that all the virtual networks are supporting Storage Accounts endpoints, our first stage is going to store all Storage Accounts in a variable called $StorageAccounts. We are going to look for all storage accounts in our geopolitical region, the Storage Account supporting the Azure Automation, and any Storage Account being used by the system (if a storage account contains ms-resource-usage tag we are going to skip it).

The script is comprised of two stages. In the first one we are going to enable the firewall and configure all IP addresses that we are gathering from the JSON file. The code also checks to see if there are invalid entries in the JSON files and clean up unused entries.

Managing your Azure firewalls and virtual networks: Tweaking and tags
In this article, we went through the process of managing Azure firewalls and virtual networks in a Storage Account and how to use Azure Automation to enforce security in an entire subscription. Based on your environment, you may want to tweak which virtual networks or Storage Accounts will have their security configured by the script. We can do that efficiently managing the query in the Storage Account and virtual network variables. Bear in mind that tags are your friend when automating stuff. You may even create a logic to read a tag of a Storage Account to identify which virtual network could be associated.

Website of Vietnam Union of Science and Technology Associations
License number: 169 / GP-TTĐT, dated October 31, 2012
Head of Editorial Department: DANG VU
The Vietnam Union system was founded with 15 members. Currently, that number has risen to 148, including 86 national industry associations and 63 local associations. In addition, in the system of the Vietnam Union, there are more than 500 scientific and technological research units established under Decree 81 (now Decree 08); over 200 newspapers, magazines, electronic newspapers, newsletters, specialties, electronic news sites.

Contact Us


Address: 77 Nguyen Du - Hanoi - Vietnam. - Email: [email protected] Phone: 04.3.9432207
Copyright © 2014 - SDC. All rights reserved