Forum Discussion
Azure network security perimeter with storage accounts and Runbooks
I know this is a preview feature, and I don't know if it will be fixed in the future. The problem arises when you try to secure traffic between Azure serverless runbooks and a storage account. No m...
Yes, below the current limitations and workarounds:
Current Limitation
- Azure serverless runbooks access storage accounts using internal private IPs (e.g., 10.x.x.x), which are not supported by storage account firewall rules.
- Even with the Azure network security perimeter feature, private IPs from Azure's internal infrastructure cannot be used to enforce firewall rules.
Workarounds
- Private Endpoints: Assign a private endpoint to your storage account. This allows traffic to flow securely within your virtual network and bypasses the need for public IPs.
- Trusted Microsoft Services: Enable the "Allow trusted Microsoft services" option in the storage account firewall settings. This allows Azure Automation (including serverless runbooks) to access the storage account without specific IP rules.
- Hybrid Workers: While not ideal for serverless scenarios, hybrid workers can provide a public IP for accessing the storage account. This is a workaround but compromises the serverless nature of runbooks.