Forum Discussion

Mohsenhs
Copper Contributor
Oct 08, 2025

Azure traffic to storage account

Hello, 


I’ve set up a storage account in Tenant A, located in the AUEast region, with public access. I also created a VM in Tenant B, in the same region (AUEast). I’m able to use IP whitelisting on the storage account in Tenant A to allow traffic only from the VM in Tenant B. However, in the App Insights logs, the traffic appears as 10.X.X.X, likely because the VM is in the same region. I'm unsure why the public IP isn't reflected in the logs.


Moreover, I am not sure about this part:

  • https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-limitations#:~:text=You%20can%27t%20use%20IP%20network%20rules%20to%20restrict%20access%20to%20clients%20in%20the%20same%20Azure%20region%20as%20the%20storage%20account.%20IP%20network%20rules%20have%20no%20effect%20on%20requests%20that%20originate%20from%20the%20same%20Azure%20region%20as%20the%20storage%20account.%20Use%20Virtual%20network%20rules%20to%20allow%20same%2Dregion%20requests.


This seems contradictory, as IP whitelisting is working on the storage account. I assume the explanation above applies only when the client is hosted in the same tenant and region as the storage account, and not when the client is in a different tenant, even if it's in the same region.

I’d appreciate it if someone could shed some light on this.


Thanks,

Mohsen
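The caller-address question in the post above (10.x.x.x in the logs versus the public IP on the allowlist) can be checked against the storage account's own diagnostic logs rather than App Insights. The script below is an added example for this thread, not code from the original post or from Microsoft. It assumes the field names of the StorageBlobLogs diagnostic table (CallerIpAddress, OperationName, StatusCode, Uri); the log records, the account name "contosodata" and the IP rule list are constructed for the example.

```python
"""Audit storage-account IP network rules against the caller addresses actually logged.

Added example for this thread; not code from the original post or from Microsoft.
Field names follow the StorageBlobLogs diagnostic table (CallerIpAddress,
OperationName, StatusCode, Uri); every record below is constructed.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (hypothetical account name "contosodata").
# CallerIpAddress is logged as "address:port".
SAMPLE_LOG_LINES = [
    '{"CallerIpAddress": "203.0.113.10:51234", "OperationName": "GetBlob", '
    '"StatusCode": 200, "Uri": "https://contosodata.blob.core.windows.net/c/a.txt"}',
    '{"CallerIpAddress": "10.1.0.4:49152", "OperationName": "GetBlob", '
    '"StatusCode": 200, "Uri": "https://contosodata.blob.core.windows.net/c/b.txt"}',
    '{"CallerIpAddress": "198.51.100.7:40000", "OperationName": "PutBlob", '
    '"StatusCode": 403, "Uri": "https://contosodata.blob.core.windows.net/c/c.txt"}',
]

# Hypothetical IP network rules on the storage account (the public ranges on its allowlist).
IP_RULES = ["203.0.113.0/24"]

# Address space a virtual network normally uses; a caller from here reached the
# account over a same-region / service-endpoint path, not from the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    ip: str
    operation: str
    status: int
    private: bool                # caller address is RFC 1918
    matched_rule: Optional[str]  # IP rule that covers the caller, if any


def parse_caller_ip(field: str) -> ipaddress.IPv4Address:
    """Strip the ':port' suffix that the log appends to IPv4 caller addresses."""
    host = field.rpartition(":")[0] if ":" in field else field
    return ipaddress.IPv4Address(host)


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    # Checked explicitly rather than via ip.is_private, which also flags the
    # documentation ranges (TEST-NET) used for the constructed samples.
    return any(ip in net for net in RFC1918)


def matching_rule(ip: ipaddress.IPv4Address, rules: List[str]) -> Optional[str]:
    """Return the first IP rule whose range contains the caller, or None."""
    for rule in rules:
        if ip in ipaddress.ip_network(rule, strict=False):
            return rule
    return None


def audit(log_lines: List[str], ip_rules: List[str]) -> List[Finding]:
    """Parse each JSON log line and match its caller against the IP rules."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        ip = parse_caller_ip(rec["CallerIpAddress"])
        findings.append(Finding(
            ip=str(ip),
            operation=rec["OperationName"],
            status=int(rec["StatusCode"]),
            private=is_rfc1918(ip),
            matched_rule=matching_rule(ip, ip_rules),
        ))
    return findings


def unexplained_allows(findings: List[Finding]) -> List[Finding]:
    """Successful requests that no IP rule admitted. A private caller here means the
    request came in over a VNet / service-endpoint path where IP rules are not evaluated;
    a public caller here means some other allow path (e.g. trusted services) applied."""
    return [f for f in findings if f.status < 400 and f.matched_rule is None]


if __name__ == "__main__":
    results = audit(SAMPLE_LOG_LINES, IP_RULES)
    for f in results:
        kind = "private" if f.private else "public"
        print(f"{f.ip:<15} {kind:<8} {f.operation:<8} {f.status} rule={f.matched_rule}")
    for f in unexplained_allows(results):
        print(f"allowed without an IP rule match: {f.ip} ({f.operation})")
```

With real data, export the StorageBlobLogs rows from the account's Log Analytics workspace as JSON lines and feed them to `audit()`. A successful request whose caller is a 10.x.x.x address and matches no IP rule is traffic that was admitted by something other than the IP allowlist, which is consistent with the limitation quoted later in this thread: same-region requests are not subject to IP network rules, so a virtual network rule or private endpoint is what actually governs them.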


3 Replies

  • Mohsenhs
    Copper Contributor

    Hi Kidd,


    Thanks for the response. This seems a much better solution and I assume this is the guideline for the implementation:


    https://learn.microsoft.com/en-us/azure/architecture/networking/guide/cross-tenant-secure-access-private-endpoints


    Thanks for suggesting this.

    Having said that, do we know why traffic from cross tenants is being logged as 10.x.x.x in the storage account? Or possibly why we can't see the public IP of the VM in the logs? IP filtering worked for me; is there any explanation why it worked? I assume the text below:

    You can't use IP network rules to restrict access to clients in the same Azure region as the storage account. IP network rules have no effect on requests that originate from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests.

    From:

    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-limitations#:~:text=You%20can%27t%20use%20IP%20network%20rules%20to%20restrict%20access%20to%20clients%20in%20the%20same%20Azure%20region%20as%20the%20storage%20account.%20IP%20network%20rules%20have%20no%20effect%20on%20requests%20that%20originate%20from%20the%20same%20Azure%20region%20as%20the%20storage%20account.%20Use%20Virtual%20network%20rules%20to%20allow%20same%2Dregion%20requests.


    Only applicable when traffic comes within the same tenant and same region.

  • How about this:


    • Use Virtual Network (VNet) Rules
      • Link the storage account to a VNet
      • Use Service Endpoints or Private Endpoints
      • This ensures traffic is controlled at the network level, not just IP level
    • Use Private Endpoints for Cross-Tenant Access
      • You can set up a Private Endpoint in Tenant B that connects to the storage account in Tenant A
      • This gives you full control over access and visibility
  • Mohsenhs
    Copper Contributor

    I posted this question, and I am not sure how I can delete it from here to avoid duplication:
    https://learn.microsoft.com/en-gb/answers/questions/5579562/filter-azure-traffic-to-storage-account
