How to set Network Security Group rules for Azure Storage services?


I need to set up Network Security Group rules for my application so it can receive HTTPS requests from the Internet and write data into Table Storage and Azure SQL. Nothing else is allowed.

I know how to set up the HTTP inbound rule. But I could not figure out how to set up outbound rules for Table Storage and Azure SQL. Should I use ".table.core.windows.net" as the value of DestinationAddressPrefix?

Answer by astaykov (accepted answer):

You cannot use network security rules for Azure Storage services because:

  • Azure Storage services are not part of, and cannot be part of (as of 2015-06-12), a Virtual Network.
  • You cannot determine the IP range for an Azure Storage account, as the actual server serving a particular request can change at any time, and the public IP address associated with your account can change at any time.
  • DestinationAddressPrefix is a network IP address in CIDR format, not a DNS prefix/suffix.

What you could do, but only in theory, and I would not recommend it, is add your Azure Data Centre IP address ranges to the Network Security Group. This would be the closest to what you are trying to achieve. But as I said, I would not recommend it (as you would have to constantly update it, and you would still have failures when this list is not updated).

If your primary concern is that your service shall not communicate with on-premises (in case you use a VPN), you can add an explicit deny for your on-prem network.

If your concern is that your service could be the target of various attacks, then you could use a proper Web Application Firewall, like Barracuda - https://www.barracuda.com/programs/azure/application-security

As for Azure SQL Database, you can only limit access to your Azure SQL Database to "All Azure services", but not to "only my Azure service". And currently (again, as of 2015-06-12) there is no way around that.
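The answer makes two concrete points that are easy to get wrong in practice: DestinationAddressPrefix must be a CIDR block (or a single IP, or one of the NSG default tags), never a DNS name, and an allow-list built from the published datacenter IP ranges silently denies traffic to any storage front end that moves outside the list. The following is an added example, not code from the question or the answer above. It assumes the datacenter ranges file has the shape of Microsoft's "Azure Datacenter IP Ranges" XML of that era (Region elements containing IpRange elements with a Subnet attribute); the XML sample is constructed with RFC 5737 documentation addresses, not real Azure ranges, and the rule dictionaries mirror the parameter names of the classic NSG rule cmdlets rather than calling them.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of the "Azure Datacenter IP Ranges"
# XML download. Subnets are RFC 5737 documentation blocks, not Azure's.
SAMPLE_IP_RANGES_XML = """<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="198.51.100.0/24" />
    <IpRange Subnet="203.0.113.0/25" />
  </Region>
  <Region Name="useast">
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
</AzurePublicIpAddresses>
"""

# Non-CIDR values a classic NSG rule accepts as an address prefix.
DEFAULT_TAGS = {"*", "VIRTUAL_NETWORK", "AZURE_LOADBALANCER", "INTERNET"}


def validate_destination_prefix(prefix):
    """True if the value is something an NSG accepts as DestinationAddressPrefix:
    a default tag, a single IP, or a CIDR block. A DNS name such as
    '*.table.core.windows.net' is rejected."""
    if prefix in DEFAULT_TAGS:
        return True
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def region_subnets(xml_text, region):
    """Extract the published subnets for one region, refusing non-CIDR entries."""
    root = ET.fromstring(xml_text)
    for node in root.iter("Region"):
        if node.get("Name") == region:
            subnets = [r.get("Subnet") for r in node.iter("IpRange")]
            bad = [s for s in subnets if not validate_destination_prefix(s)]
            if bad:
                raise ValueError("non-CIDR entries in ranges file: %r" % bad)
            return subnets
    raise ValueError("region %r not present in ranges file" % region)


def outbound_rules_for_region(xml_text, region, start_priority=100, deny_priority=4096):
    """Build the 'theoretical' rule set from the answer: one Allow TCP/443 rule
    per published subnet, then a catch-all Deny so that nothing else leaves."""
    rules = []
    for i, subnet in enumerate(region_subnets(xml_text, region)):
        rules.append({
            "Name": "allow-azure-%s-%d" % (region, i),
            "Type": "Outbound",
            "Priority": start_priority + i,   # lower number wins
            "Action": "Allow",
            "Protocol": "TCP",
            "SourceAddressPrefix": "*",
            "SourcePortRange": "*",
            "DestinationAddressPrefix": subnet,
            "DestinationPortRange": "443",
        })
    rules.append({
        "Name": "deny-all-outbound",
        "Type": "Outbound",
        "Priority": deny_priority,
        "Action": "Deny",
        "Protocol": "*",
        "SourceAddressPrefix": "*",
        "SourcePortRange": "*",
        "DestinationAddressPrefix": "*",
        "DestinationPortRange": "*",
    })
    return rules


def effective_action(rules, dest_ip, dest_port=443):
    """Evaluate the rules lowest priority number first, as an NSG does, and
    return the action of the first rule matching destination IP and port.
    Returns None if no rule matches."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        prefix = rule["DestinationAddressPrefix"]
        if prefix != "*" and ip not in ipaddress.ip_network(prefix):
            continue
        port = rule["DestinationPortRange"]
        if port != "*" and int(port) != dest_port:
            continue
        return rule["Action"]
    return None


if __name__ == "__main__":
    rules = outbound_rules_for_region(SAMPLE_IP_RANGES_XML, "europewest")
    for r in rules:
        print(r["Priority"], r["Action"], r["DestinationAddressPrefix"], r["DestinationPortRange"])
    # A storage front end that moved to an address outside the published list
    # is denied, which is the operational failure the answer warns about.
    print(effective_action(rules, "203.0.113.200"))
```

The `effective_action` check is the useful part: feed it the address your application actually resolved for `<account>.table.core.windows.net` today, and the moment Microsoft publishes a range you have not imported, the result flips to Deny with no change on your side.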