Securing your network access to an Azure Storage Container (BLOB) with NetFoundry

Microsoft Azure Storage BLOB is a flagship PaaS service offered by Azure Cloud. Until recently, to connect to this service (and to other PaaS services such as CosmosDB) you had two options:

(1) a public container exposed to the public internet, or

(2) a complex private networking solution built on Azure ExpressRoute or a Virtual Private Network (VPN).

Microsoft Azure has now released Azure Private Link with VNet private endpoints, allowing you to build connectivity between your VNet and PaaS services such as Azure Storage and CosmosDB, which previously could only be reached privately through a dedicated network solution such as an MPLS-based Azure ExpressRoute circuit. A Private Endpoint is a special network interface for an Azure service in your Virtual Network (VNet). When you create a private endpoint for your storage account, it provides secure connectivity between clients on your VNet and your storage. The private endpoint is assigned an IP address from the address range of your VNet, and the connection between the private endpoint and the storage service uses a secure private link.

With NetFoundry, you can extend this private VNet connection to private-endpoint BLOB containers over the Internet, with Zero Trust, least-privilege access for your users, admins, branch offices, private data centers and public clouds.

This guide walks through a sample configuration with the following assumptions:

  1. An active Azure subscription, with:
     • an established Resource Group
     • an established Virtual Network
  2. An active NetFoundry account with Console access, with:
     • an established NetFoundry network
     • an established NetFoundry Client or Gateway endpoint

________________________________________________________________________________________________________________

Solution Overview - Microsoft Azure

[Image: storage-private-endpoints-overview.jpg]

Solution Overview - NetFoundry

[Image: Blob_overview.jpg]

Solution Overview - Steps (NetFoundry and Azure Portal)

1. Log in to the NetFoundry console and create an Azure Cloud Gateway in the desired region. (Logically this is the same region as the Azure Resource Group, the BLOB storage account and the Azure Virtual Network.)

[Image: create_azure_gw1.jpg]

[Image: create_azure_gw2.jpg]

[Image: create_azure_gw3.jpg]

[Image: create_azure_gw4.jpg]

NOTE: Keep the Registration Key screen shown above open; the key is copied from it during registration in step 3.

 

2. In the Azure Portal, deploy a NetFoundry Application Connection Gateway into the desired Resource Group and VNet in Azure. This VM acts as the transit gateway for ingress into your Azure VNet and on to the target Storage Container (BLOB).

[Image: deployazure1.jpg]

[Image: deployazure2.jpg]

 

3. When the Virtual Machine build has completed, register the created Gateway with the NetFoundry orchestration platform. The following document outlines this procedure:

https://support.netfoundry.io/hc/en-us/articles/360016343171-Launch-a-NetFoundry-Gateway-in-Azure-Cloud

 

4. Create a Storage Account with a BLOB resource in the Azure portal and include a Private Endpoint during creation: create the Private Endpoint in the Networking configuration step and accept the defaults in the Advanced configuration step.

Note: Record the private VNet IP address assigned to the endpoint, shown in the portal upon completion; it is needed in step 9 and for DNS or hosts-file setup.

[Image: createstorage1.jpg]

[Image: createstorage3.jpg]

[Image: createstorage2.jpg]

[Image: createprivateendpoint.jpg]

 

5. Grant permission to the Storage Account. Add the desired IAM account as Owner for this resource only, or another role as required. From the Storage Account pane >> click Access Control (IAM) >> click Role Assignments, add the desired users or App Registrations (API) as Owner and click Save.

[Image: iam1.jpg]

[Image: iam2.jpg]

 

6. Add the address space of the associated VNet to the Firewalls and Virtual Networks configuration. This allows only that network to reach the private endpoint; all other sources are denied. You may add other networks as required, and you may also add a foreign public IP for a management use case, e.g. the NAT address of an office or home network. From the Storage Account context pane >> click Firewalls and Virtual Networks.

[Image: firewall.jpg]
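An added check for this step, not part of the NetFoundry guide or its tooling: a small Python audit that reads the JSON printed by `az storage account show` for the account and flags settings that would leave a path around the private endpoint (public default action, anonymous blob access, HTTP allowed, weak TLS floor, over-wide or RFC 1918 IP rules, no private path at all). The field names are an assumption based on the Azure storage resource model, the two account documents are constructed samples (a weak one and a hardened one matching this guide's intent), and the /24 limit on IP allow-list entries is a policy choice for illustration.

```python
import ipaddress
import json

# Constructed samples shaped like the JSON `az storage account show` prints for an
# account (only the fields the audit reads; key names are an assumption based on
# the Azure resource model, not taken from the guide).
WEAK_ACCOUNT_JSON = """
{
  "name": "samplestorageaccount",
  "allowBlobPublicAccess": true,
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "networkRuleSet": {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": []
  },
  "privateEndpointConnections": []
}
"""

HARDENED_ACCOUNT_JSON = """
{
  "name": "samplestorageaccount",
  "allowBlobPublicAccess": false,
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "networkRuleSet": {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [
      {"action": "Allow", "ipAddressOrRange": "203.0.113.10"}
    ],
    "virtualNetworkRules": [
      {"action": "Allow", "state": "Succeeded",
       "virtualNetworkResourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>"}
    ]
  },
  "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Approved"}}
  ]
}
"""

MAX_IP_RULE_PREFIX = 24  # policy choice: flag allow-list entries wider than a /24

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_storage_network(account):
    """Return a list of findings; an empty list means the account matches the guide's intent."""
    findings = []
    rules = account.get("networkRuleSet", {})

    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny: the public endpoint accepts any source")
    if account.get("allowBlobPublicAccess", True):
        findings.append("allowBlobPublicAccess is true: containers may be set to anonymous access")
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("enableHttpsTrafficOnly is false: plaintext HTTP is accepted")
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append("minimumTlsVersion is below TLS1_2")

    for rule in rules.get("ipRules", []):
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if any(net.network_address in r for r in RFC1918):
            findings.append(f"IP rule {net} is an RFC 1918 range; storage IP rules apply to public addresses only")
        elif net.prefixlen < MAX_IP_RULE_PREFIX:
            findings.append(f"IP rule {net} is wider than /{MAX_IP_RULE_PREFIX}")

    # A private path exists if a VNet rule is present or a private endpoint connection is approved.
    approved_pe = [c for c in account.get("privateEndpointConnections", [])
                   if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"]
    if not rules.get("virtualNetworkRules") and not approved_pe:
        findings.append("no VNet rule and no approved private endpoint: there is no private path into the account")
    return findings


def audit_json(text):
    """Convenience wrapper: audit the raw JSON text as printed by the CLI."""
    return audit_storage_network(json.loads(text))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_ACCOUNT_JSON), ("hardened", HARDENED_ACCOUNT_JSON)):
        result = audit_json(doc)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Against a live account, pipe the CLI output in (`az storage account show -n <name> -g <rg> | python audit.py`, adapting the entry point to read stdin). The RFC 1918 check matters because the address you add in this step is a VNet rule (by resource id), not an IP rule; a 10.x.x.x entry typed into the IP allow list does not grant the VNet access.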

 

7. Add a Container to the Storage Account and set its access level. From the Storage Account context pane, select Containers >> + Container >> select the container access level and click OK.

[Image: createcontainer1.jpg]

[Image: createcontainer2.jpg]

[Image: createcontainer3.jpg]

 

 

 

8. Upload a file of any type to the Container for testing. From the Container's context pane select Upload.

[Image: upload.jpg]

 

9. Return to the NetFoundry Console and create an IP Host Service for the Private Endpoint in Azure, specifying the Private Endpoint IP address and port tcp/443. From the NetFoundry Console Dashboard, select the green globe in the upper left corner >> Manage AppWANs >> Manage Services tab >> click + in the upper right corner to add a service >> select IP Host service. Populate the name, select the Gateway created in step 1 from the drop-down list, provide the IP address of the Storage Private Endpoint in Azure, set the port to 443/tcp and click Create.

[Image: service1.jpg]

[Image: service2.jpg]

 

 

10. Create an AppWAN which includes the Private Endpoint Service created above and any Clients and/or Gateways you wish to grant access.

[Image: appwan1.jpg]

[Image: appwan3.jpg]

[Image: appwan4.jpg]

 

11. Production systems will usually have DNS integration, which is not covered in this guide. You can use Azure private DNS integration or an on-premises private DNS solution. For testing, you may also use a hosts file to map the storage account name to the private endpoint address. See https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#dns-configuration

  • Windows: C:\Windows\System32\drivers\etc\hosts
  • Linux: /etc/hosts

 

12. Test connectivity to the Storage Account from any NetFoundry Host Client or Gateway Client. Any method will do; this guide uses wget as an easy way to retrieve files from the cloud. Download wget for Windows or Linux. In the Azure portal, from the Container pane, click the desired BLOB and copy its URI. From the CLI, issue the following command to retrieve the BLOB from Azure (note the capital -O, which sets the output file name; lowercase -o would write wget's log to that file instead):

wget -O filename.any https://samplestorageaccount.blob.core.windows.net/yourcontainer/filename.any

 

 
