Many Azure consulting services allow customers to leverage a bring-your-own-storage (BYOS) model to meet their security and business needs. For customers using Azure Storage as a BYOS system, we typically recommend that they use the same Azure region as AOS to ensure optimal performance.
These features include security controls, often firewall provisions, for added security. That is why we publish our known IP addresses: they give you a fixed set of endpoints to allow within the firewall settings you specify.
The challenge with this approach lies in the interface between these two solutions. Because of the way Microsoft handles Azure traffic within the same region, access from Azure consulting services to Azure Storage in the same region is routed through Azure’s internal IPs to improve performance, so the traffic does not arrive from our published IP addresses. As a result, customers cannot use IP-based firewalls with this configuration.
But there is also good news! Microsoft Azure’s Virtual Network (vNet) now has a feature that allows Azure Storage firewall rules to be based on the virtual network service endpoint rather than on source IP addresses.
The vNet storage endpoint has been globally enabled for the following products:
- Cloud Backup: Customers who configure their own storage to store the backup data instead of using standard storage.
- Cloud Backup for Microsoft 365
- Cloud Backup for Dynamics 365
- Cloud Backup for Google Workspace
- Cloud Backup for Salesforce
- Classic Backup
- Cloud Archiver: Customers configuring custom storage. This includes Cloud Records customers using Cloud Archiver.
- Cloud Governance: Customers who have configured their own Azure Blob storage in Report Export Location.
- Azure consulting services for Partners: Partners using their own storage for Cloud Backup for Microsoft 365 and Cloud Backup for G-Suite when using the Start Service feature.
- Report Data Collection: Customers who use “Report Data Collection” to save the audit logs in their own storage. This configuration typically applies to Microsoft 365 policies, the Report Center feature in Cloud Management, and Cloud Insights.
The majority of customers will not be aware of this planned change. However, a very small number of customers may be affected. For example:
- You have registered with Azure consulting services in the East US data center and activated BYOS. If your storage is in the West US Azure region and you have enabled IP-based firewalls, this change affects you!
- You have registered with Azure consulting services at the East US data center and activated BYOS. If your storage is in the Central US Azure region and you have enabled IP-based firewalls, this change will NOT affect you!
The table below provides a list of factors that can help you determine if you are affected:
If you are affected (again, a small portion of customers), Azure Virtual Network (vNet) based firewall rules need to be added to your BYOS Azure Storage. Our support and customer success teams will be happy to work this out with you when you are ready, preferably shortly after our November release.
A quick summary for our customers using BYOS with Azure Storage who need to enable a firewall for their storage:
- If your Azure storage is in the same region as AOS or in its paired region, vNet-based firewall rules need to be added.
- To improve flexibility, it is recommended to also add IP-based firewall rules.
- If your Azure storage is in other Azure regions, you must add an IP-based firewall.
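The decision rules above, as an added example that is not part of the original page: a small check that takes the AOS region, the storage account's location and its network rule set and reports whether the change affects the account and which rule types are missing. It assumes the network rule set has the shape `az storage account show` prints (`defaultAction`, `ipRules`, `virtualNetworkRules`), and the region-pair map is a constructed subset to be verified against Azure documentation.

```python
# Added example, not from the original page. Assumptions: networkRuleSet keys
# follow the `az storage account show` output; PAIRED_REGIONS is a constructed
# subset of Azure region pairs and must be checked against Azure documentation.

PAIRED_REGIONS = {  # assumption: constructed subset of Azure region pairs
    ("eastus", "westus"),
    ("eastus2", "centralus"),
    ("northeurope", "westeurope"),
}


def is_paired(region_a: str, region_b: str) -> bool:
    a, b = region_a.lower(), region_b.lower()
    return (a, b) in PAIRED_REGIONS or (b, a) in PAIRED_REGIONS


def assess_byos_firewall(aos_region: str, storage_location: str, rule_set: dict) -> dict:
    """Report whether the account is affected and which rule types it still needs."""
    firewall_on = rule_set.get("defaultAction", "Allow").lower() == "deny"
    has_ip_rules = bool(rule_set.get("ipRules"))
    has_vnet_rules = bool(rule_set.get("virtualNetworkRules"))
    same_or_paired = (aos_region.lower() == storage_location.lower()
                      or is_paired(aos_region, storage_location))
    if not firewall_on:
        # Public network access is allowed: no firewall to break, nothing to add.
        return {"affected": False, "needs_vnet_rules": False, "needs_ip_rules": False}
    if same_or_paired:
        # Traffic arrives over Azure-internal addresses, so IP rules alone cannot admit it;
        # IP rules are still recommended for flexibility.
        return {"affected": not has_vnet_rules,
                "needs_vnet_rules": not has_vnet_rules,
                "needs_ip_rules": not has_ip_rules}
    # Any other region: traffic arrives from the published public IPs.
    return {"affected": False, "needs_vnet_rules": False, "needs_ip_rules": not has_ip_rules}


# Constructed sample of what `az storage account show --query networkRuleSet` prints.
SAMPLE_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],  # placeholder range
    "virtualNetworkRules": [],
}

if __name__ == "__main__":
    for location in ("westus", "centralus"):
        print(location, assess_byos_firewall("eastus", location, SAMPLE_RULE_SET))
```

For the sample above, a West US account (paired with East US) is flagged as needing vNet rules, while a Central US account with the same configuration is not affected.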
How Al Rafay Consulting can help you
Al Rafay Consulting has been working with Azure consulting for a long time and knows how its features can be used to your benefit. The change described above was implemented and completed in November 2021 (Coordinated Universal Time, UTC).
To be more secure and up to date with Azure online features, you can contact Al Rafay Consulting (ARC). ARC has been very practically involved in providing Azure consulting services for a long period of time and can help you realize all the potential benefits of this online platform in a way that suits your working style.