Azure 存储网络安全组

Question

I want to add an Azure storage account to a VNet / Network Security Group but keep receiving an Authorisation Failure message.

The error was: 'code: AuthorizationFailure content: _CYCLIC_OBJECT_ message: This request is not authorized to perform this operation.

I've added the VNet to the storage account with the Microsoft.Storage service endpoint and the subnets have been associated with the NSG.

I've created an inbound rule for the IP addresses and an outbound rule using the storage service tag on the NSG.

I've even tried it with an all internet inbound rule but no joy.

If I whitelist the IP address in the Firewall and Virtual Network settings on the storage account then it works fine.

Is there something that I'm missing?

Answer 1

In your comment, you want to manage the firewall rule of storage account via associated it with a VNet and NSG. This's not in the right direction.

You can not use network security rules for Azure Storage Services because the storage account can not be inside a VNet or a part of a VNet and the NSG works at the IP address, port, protocol level. For more information, you could refer to this answer .

In addition, if you have added selected VNets in the Firewall and Virtual Network settings on the storage account, it grants access storage account from a virtual network. So only selected VNet could access your storage account. It will appear access deny from your corporate network if you don't add its external IP address in the firewall.

You may want to create Private Endpoints for your storage account , which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link. With this, You can also use the firewall to block all access through the public endpoint when using private endpoints. Please note that currently, you can't configure NSG rules and user-defined routes for private endpoints.