Posted in : Azure, Uncategorized By Tobias Vuorenmaa

2 years ago

If you have been working with Azure you might have stumbled across the reality that what can be done in the portal GUI and in the CLI / PowerShell differs, especially when it comes to cross-tenant functions. I had a case where we wanted to allow access to a storage account from a specific subnet in another tenant. This is simply not an easy task to do using the portal (read: not possible).

The reason behind this is that far from all cross-tenant functions are supported in the portal. Take virtual network peering: up until recently you had to use the CLI / PowerShell to establish peering cross-tenant. This is now possible to do using the portal.

Back to the Storage account and its settings.

[Screenshot: storage_account_security]

In the picture you can see that only the current tenant's subscriptions are showing, even though I have guest access to multiple tenants.

This leaves us no choice to allow access for another tenant's network using the portal; instead we can use az cli or PowerShell.

It's fairly straightforward: you have to specify the whole subnet resource ID in this format

/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/VNET_NAME/subnets/SUBNET_NAME

And to actually add the network to our specific storage account I used az cli:

az storage account network-rule add -g RG_NAME --account-name SA_NAME --subnet SUBNET_ID

After that we simply verify that our rule has been added with:

az storage account network-rule list -g RG_NAME --account-name SA_NAME

[Screenshot: storage_list_network_rule]

Note – If the Microsoft.Storage service endpoint is not configured on the specific subnet, you might face an error message similar to:

(NetworkAclsValidationFailure) Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets coresubnet of virtual network /subscriptions/XXXXXXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/azr-lab-VNet-rg/providers/Microsoft.Network/virtualNetworks/azr-lab-vNET do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet’s ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets..
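The whole procedure above (build the cross-tenant subnet ID, add the rule, verify it is listed) as a script. This is an added example, not code from the original post. It assumes the Azure CLI is installed and, when run with APPLY_RULE=1, that you are logged in to the tenant owning the storage account; every resource name and subscription ID in it is a placeholder, and the JSON shape used for the offline check is assumed from the CLI's network rule set output rather than captured from a real account. It also covers the two things that make the rule fail or do nothing: the missing Microsoft.Storage service endpoint from the note above, and a defaultAction that is still Allow.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the Azure CLI ("az") is installed
# and, when APPLY_RULE=1, that you are logged in (az login) to the tenant that owns
# the storage account. The subnet may live in a different tenant; its ID is spelled
# out in full because the portal cannot browse to it. All names below are placeholders.
set -eu

# Build the full subnet resource ID from its parts.
subnet_id() {
  local sub="$1" rg="$2" vnet="$3" subnet="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$sub" "$rg" "$vnet" "$subnet"
}

# Check the ID has the shape the CLI expects before sending it anywhere.
# Azure resource IDs are case-insensitive, so the match is too.
is_subnet_id() {
  printf '%s' "$1" | grep -Eqi \
    '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$'
}

# Given the JSON printed by `az storage account network-rule list`, return 0 if the
# subnet is listed as a virtual network rule. The ID is matched including its quotes,
# so a rule for a differently named subnet with the same prefix is not counted as a hit.
rule_present() {
  local json="$1" id="$2"
  printf '%s' "$json" | grep -Fqi "\"$id\""
}

# Same input; return 0 if the rule set denies traffic by default. Without "Deny" the
# subnet rule is decorative, because everything is allowed anyway.
default_is_deny() {
  printf '%s' "$1" | grep -Eqi '"defaultAction":[[:space:]]*"Deny"'
}

# Constructed sample of what `network-rule list` returns (shape assumed from the CLI's
# networkRuleSet output; not captured from a real account).
SAMPLE_RULES='{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [],
  "virtualNetworkRules": [
    {
      "action": "Allow",
      "state": "Succeeded",
      "virtualNetworkResourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/other-rg/providers/Microsoft.Network/virtualNetworks/other-vnet/subnets/other-subnet"
    }
  ]
}'

# Placeholder values: storage account in this tenant, subnet in the other tenant.
RG_NAME="sa-rg"
SA_NAME="mystorageacct"
OTHER_SUB="11111111-1111-1111-1111-111111111111"
OTHER_RG="other-rg"
OTHER_VNET="other-vnet"
OTHER_SUBNET="other-subnet"

SUBNET_ID="$(subnet_id "$OTHER_SUB" "$OTHER_RG" "$OTHER_VNET" "$OTHER_SUBNET")"
is_subnet_id "$SUBNET_ID" || { echo "malformed subnet id: $SUBNET_ID" >&2; exit 1; }

if [ "${APPLY_RULE:-0}" = "1" ]; then
  # 1. In the tenant that owns the subnet, the Microsoft.Storage service endpoint must
  #    be configured first; otherwise the add below fails with
  #    NetworkAclsValidationFailure / SubnetsHaveNoServiceEndpointsConfigured.
  #    Run this while logged in to the other tenant (left commented for that reason):
  # az network vnet subnet update -g "$OTHER_RG" --vnet-name "$OTHER_VNET" -n "$OTHER_SUBNET" \
  #   --service-endpoints Microsoft.Storage

  # 2. In the tenant that owns the storage account: add the rule, then re-read the rule set.
  az storage account network-rule add -g "$RG_NAME" --account-name "$SA_NAME" --subnet "$SUBNET_ID"
  RULES="$(az storage account network-rule list -g "$RG_NAME" --account-name "$SA_NAME" -o json)"
else
  RULES="$SAMPLE_RULES"   # offline: check against the constructed sample instead
fi

rule_present "$RULES" "$SUBNET_ID" && echo "rule present for $SUBNET_ID" || echo "rule NOT present"
default_is_deny "$RULES" && echo "defaultAction is Deny" || echo "WARNING: defaultAction is not Deny, so the subnet rule has no effect"
```

Run it as-is to exercise the checks against the embedded sample; run it with APPLY_RULE=1 after logging in to the storage account's tenant to actually add and verify the rule. The defaultAction check is there because a freshly created storage account allows all networks, and a subnet rule only restricts anything once the default is Deny.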

More examples can be found here:

https://docs.microsoft.com/en-us/cli/azure/storage/account/network-rule?view=azure-cli-latest#az_storage_account_network_rule_add

That's it, the CLI is a life saver sometimes.

Tags : Azure, AzureStorage, Network, Security, Storage

Personal consulting

We offer personal consulting with the author for 1400 SEK per hour. Register your interest here and we will get back to you as soon as we can.
