Storage Network Access

This lesson explains how to control network access to Azure PaaS services using the service firewall, focusing on:

Azure Storage

It also clarifies how Service Endpoints and Private Endpoints interact with firewall rules.

1️⃣ Core Concept: PaaS Services Have Public Endpoints#

Azure PaaS services (Storage, SQL, App Service, etc.):

• Expose a public endpoint by default
• Are reachable over the internet unless restricted
• Include a built-in service firewall

Examples of services with firewall capability:

• Azure Storage
• Azure SQL Database
• Azure App Service

2️⃣ What Is the Service Firewall?#

The service firewall:

• Controls access to the public endpoint

Allows you to:

• Allow all networks
• Allow selected networks
• Disable public access completely

Important:

• ⚠ It only affects the public endpoint ⚠ It does NOT affect Private Endpoints

3️⃣ Firewall Access Modes#

Inside Storage → Networking → Public network access:

Option 1: Allow from All Networks#

Default setting

Publicly accessible (if authentication allows)

Option 2: Allow from Selected Networks#

Allows:

• Specific Virtual Networks (via Service Endpoints)
• Specific Public IP addresses
• Specific Resource Instances
• Trusted Microsoft Services

Option 3: Disable Public Access#

• Completely blocks public endpoint
• Only Private Endpoint access works
• This is the most secure configuration.

4️⃣ How Service Firewall Works with Service Endpoints#

Important exam concept:

Even though Service Endpoints use the Microsoft Backbone:

• ✔ They still use the public endpoint

Therefore:

• If firewall blocks public access, → Service Endpoints are also blocked (unless explicitly allowed in firewall rules).

To allow Service Endpoint access:

• Add the specific VNet/subnet to firewall exceptions.

5️⃣ Private Endpoint Interaction#

Private Endpoint:

• Does NOT use public endpoint
• Uses private IP inside VNet
• Bypasses service firewall

Therefore:

If you:

• Disable public access completely
• Private Endpoint will still work.
• This enables zero-trust architecture.

6️⃣ Demonstration Summary#

Steps performed:

• Created storage account
• Created private container
• Uploaded blob
• Observed public URL behavior
• Enabled anonymous blob access
• Verified public access worked
• Disabled public network access
• Verified public endpoint blocked
• Confirmed only private endpoint works

This demonstrated:

• Difference between anonymous access
• Service firewall restrictions
• Public endpoint behavior

7️⃣ Anonymous Blob Access vs Firewall#

Two different controls:

A. Allow Blob Anonymous Access#

• (Storage Account → Configuration)

Controls:

• Whether blobs can be accessed anonymously

B. Container Access Level#

• Private (no anonymous)
• Blob (read-only anonymous for blobs)
• Container (anonymous list + read)

C. Service Firewall#

Controls:

• Network-level access
• Public endpoint exposure
• Even if anonymous access is allowed, Firewall can still block it.

8️⃣ Resource Instance Exceptions#

You can allow specific Azure resources:

Example:

• Allow a specific Azure SQL Server
• Allow specific App Service instance

This enables:

• Granular PaaS-to-PaaS communication

9️⃣ Trusted Microsoft Services#

• Option: Allow trusted Azure services

Examples:

• Azure Backup
• Azure Monitor
• Azure Site Recovery
• Azure Data Box
• This allows Azure internal services to access storage.
• Be careful: Trusted services may be broader than expected.

🔟 Architecture-Level Understanding#

Without restrictions:

• Internet → Storage Public Endpoint → Allowed

With firewall restrictions:

• Internet → Blocked
• VNet via Service Endpoint → Allowed (if configured)
• Private Endpoint → Always allowed (if configured)

11️⃣ Best Practice Security Model#

For high-security production:

• Create Private Endpoint
• Disable public network access
• Disable anonymous access
• Use RBAC + Azure AD authentication

This provides:

• ✔ No public exposure ✔ Private IP-only access ✔ Hybrid connectivity ✔ Least privilege

12️⃣ Comparison: Service Endpoint vs Private Endpoint (With Firewall)#

Exam trap: Service Endpoints still depend on public endpoint.

13️⃣ Common Exam Questions#

• Q: Does firewall affect Service Endpoints? → Yes.
• Q: Does firewall affect Private Endpoints? → No.
• Q: How to completely remove public exposure? → Disable public network access.
• Q: Anonymous access allowed but firewall enabled? → Still blocked unless allowed by firewall.

14️⃣ Troubleshooting Checklist#

If access fails:

• Check firewall setting
• Verify Service Endpoint exception added
• Confirm VNet/subnet correct
• Validate Private Endpoint DNS resolution
• Confirm anonymous access settings
• Review NSGs

15️⃣ Deep Security Insight#

The service firewall acts as:

• Network-level gatekeeper For the public endpoint only

It complements:

• RBAC
• Azure AD authentication
• Storage account keys
• SAS tokens

Security layering:

• Identity + Network + Encryption + Access control

16️⃣ Reference Documentation#

• Storage Firewall
• Storage Anonymous Access
• Private Endpoint for Storage
• Service Endpoints
• Trusted Azure Services

Final Exam Memory Hooks#

Service Firewall = Controls public endpoint Service Endpoint = Uses public endpoint Private Endpoint = Bypasses public endpoint Disable public access = Private only

Ultimate Summary#

Storage Network Access involves:

• Public endpoint control via service firewall
• VNet integration via Service Endpoints
• True isolation via Private Endpoints
• Anonymous access controls
• Granular exception rules
• Understanding how these layers interact is critical for Azure networking exams.

If you'd like, I can now create:

• 🧠 40 scenario-based exam questions
• 📊 Full comparison sheet (Firewall vs Service Endpoint vs Private Endpoint)
• 🏗 Secure enterprise architecture example
• 📄 One-page cram sheet for AZ-104 / AZ-700
• Tell me which exam you're targeting.