SOLVED

Access Blob via S2S VPN


Hi,

We have an on-prem backup solution, and we want to leverage Azure Blob storage to store the backups. We would like all data to only traverse our site-to-site VPN into Azure, so we don't want the Blob exposed to the internet at all.

Can someone please advise how we can secure the traffic flow, so that the backups only flow:

On-Prem --> S2S VPN --> Blob.

If anyone could help that would be fantastic!

2 Replies
best response confirmed by tasdeep (New Contributor)
Solution

@tasdeep 

You can use a private endpoint for the blob so it will no longer be accessible from the internet.

Benefits:

  • Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
  • Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
  • Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering.

But you need to configure DNS resolution to be able to reach it through VPN.

It means you should ensure that:

- You have a dedicated subnet for the private endpoint

- This subnet resides in a VNet accessible through VPN

- This VNet has a custom DNS (DNS forwarder)

Use private endpoints - Azure Storage | Microsoft Docs: https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
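The setup that answer describes (public endpoint closed by the storage firewall, a blob private endpoint in a dedicated subnet of the VPN-reachable VNet, and the private DNS zone that makes the account name resolve to the endpoint's private IP) written as a Bicep template. This is an added example, not code from the thread or from Microsoft's documentation; the parameter names, the `-blob-pe` and `default` resource names are assumptions, and the VNet and subnet are assumed to exist already.

```bicep
// Added example, not from the thread: closes the account's public endpoint, adds a
// blob private endpoint in the dedicated subnet and the private DNS zone for it.
// Parameter names and the '-blob-pe' / 'default' resource names are assumptions.
param location string = resourceGroup().location
param storageAccountName string
param vnetName string      // existing VNet that is reachable over the S2S VPN
param peSubnetName string  // existing subnet dedicated to private endpoints
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, peSubnetName)
var vnetId = resourceId('Microsoft.Network/virtualNetworks', vnetName)

// Public endpoint closed: requests are only accepted via the Private Link connection.
resource sa 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: { publicNetworkAccess: 'Disabled', networkAcls: { defaultAction: 'Deny' } }
}

resource pe 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${storageAccountName}-blob-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [ { name: 'blob', properties: { privateLinkServiceId: sa.id, groupIds: [ 'blob' ] } } ]
  }
}

// privatelink.blob.core.windows.net in public Azure; linked to the VPN-reachable VNet so
// a DNS forwarder inside that VNet resolves the account name to the endpoint's private IP.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: { virtualNetwork: { id: vnetId }, registrationEnabled: false }
}

// Keeps the zone's A record in sync with the private endpoint's NIC address.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: dnsZone.id } } ] }
}
```

The on-prem DNS still needs a conditional forwarder for `privatelink.blob.core.windows.net` pointing at the DNS forwarder in the VNet, which in turn forwards to Azure DNS at 168.63.129.16; without that, the backup host resolves the public IP and the storage firewall rejects the connection.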

Just to add on top of what Ibrahima said: For VPN access to Azure, using Private Endpoint is the only way to connect over that tunnel.

You could theoretically continue using a public endpoint of your Blob account and limit access from your office network (in the storage account firewall), but the traffic wouldn't go over that VPN tunnel (which you have as a requirement). The last theoretical option is using Service Endpoint, but that one doesn't work from outside of Azure.

I wrote a blog post some time ago that explains data transfers from on-prem using this pattern. It's written for ExpressRoute, but it's very similar for VPN as well: https://dev.to/pazdedav/using-azure-express-route-for-online-data-transfers-4i9e