---
title: Restrict data exfiltration to Azure Storage - Azure PowerShell
description: In this article, you learn how to limit and restrict virtual network data exfiltration to Azure Storage resources with virtual network service endpoint policies using Azure PowerShell.
services: virtual-network
documentationcenter: virtual-network
author: RDhillon
manager: narayan
tags: azure-resource-manager
ms.service: virtual-network
ms.topic: how-to
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 02/03/2020
ms.author: rdhillon
ms.custom: devx-track-azurepowershell
---
# Manage data exfiltration to Azure Storage accounts with Virtual network service endpoint policies using Azure PowerShell
Virtual network service endpoint policies enable you to apply access control on Azure Storage accounts from within a virtual network over service endpoints. This is key to securing your workloads: the policy controls which storage accounts are allowed, and therefore where data can leave the virtual network. In this article, you learn how to:
- Create a virtual network.
- Add a subnet and enable service endpoint for Azure Storage.
- Create two Azure Storage accounts and allow network access to them from the subnet created above.
- Create a service endpoint policy to allow access only to one of the storage accounts.
- Deploy a virtual machine (VM) to the subnet.
- Confirm access to the allowed storage account from the subnet.
- Confirm access is denied to the non-allowed storage account from the subnet.
[!INCLUDE updated-for-az]
If you don't have an Azure subscription, create a free account before you begin.
[!INCLUDE cloud-shell-try-it.md]
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with New-AzResourceGroup. The following example creates a resource group named myResourceGroup:
```powershell
New-AzResourceGroup `
  -ResourceGroupName myResourceGroup `
  -Location EastUS
```
Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named myVirtualNetwork with the address prefix 10.0.0.0/16.
```powershell
$virtualNetwork = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroup `
  -Location EastUS `
  -Name myVirtualNetwork `
  -AddressPrefix 10.0.0.0/16
```
Create a subnet in the virtual network. In this example, a subnet named Private is created with a service endpoint for Microsoft.Storage:
```powershell
$subnetConfigPrivate = Add-AzVirtualNetworkSubnetConfig `
  -Name Private `
  -AddressPrefix 10.0.0.0/24 `
  -VirtualNetwork $virtualNetwork `
  -ServiceEndpoint Microsoft.Storage

$virtualNetwork | Set-AzVirtualNetwork
```
Create network security group security rules with New-AzNetworkSecurityRuleConfig. The following rule allows outbound access to the public IP addresses assigned to the Azure Storage service:
```powershell
$rule1 = New-AzNetworkSecurityRuleConfig `
  -Name Allow-Storage-All `
  -Access Allow `
  -DestinationAddressPrefix Storage `
  -DestinationPortRange * `
  -Direction Outbound `
  -Priority 100 -Protocol * `
  -SourceAddressPrefix VirtualNetwork `
  -SourcePortRange *
```
The following rule denies access to all public IP addresses. The previous rule overrides this rule, due to its higher priority, which allows access to the public IP addresses of Azure Storage.
```powershell
$rule2 = New-AzNetworkSecurityRuleConfig `
  -Name Deny-Internet-All `
  -Access Deny `
  -DestinationAddressPrefix Internet `
  -DestinationPortRange * `
  -Direction Outbound `
  -Priority 110 -Protocol * `
  -SourceAddressPrefix VirtualNetwork `
  -SourcePortRange *
```
The following rule allows Remote Desktop Protocol (RDP) traffic inbound to the subnet from anywhere. Remote desktop connections are allowed to the subnet, so that you can confirm network access to a resource in a later step.
```powershell
$rule3 = New-AzNetworkSecurityRuleConfig `
  -Name Allow-RDP-All `
  -Access Allow `
  -DestinationAddressPrefix VirtualNetwork `
  -DestinationPortRange 3389 `
  -Direction Inbound `
  -Priority 120 `
  -Protocol * `
  -SourceAddressPrefix * `
  -SourcePortRange *
```
Create a network security group with New-AzNetworkSecurityGroup. The following example creates a network security group named myNsgPrivate.
```powershell
$nsg = New-AzNetworkSecurityGroup `
  -ResourceGroupName myResourceGroup `
  -Location EastUS `
  -Name myNsgPrivate `
  -SecurityRules $rule1,$rule2,$rule3
```
Associate the network security group to the Private subnet with Set-AzVirtualNetworkSubnetConfig and then write the subnet configuration to the virtual network. The following example associates the myNsgPrivate network security group to the Private subnet:
```powershell
Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $virtualNetwork `
  -Name Private `
  -AddressPrefix 10.0.0.0/24 `
  -ServiceEndpoint Microsoft.Storage `
  -NetworkSecurityGroup $nsg

$virtualNetwork | Set-AzVirtualNetwork
```
The steps necessary to restrict network access to resources created through Azure services enabled for service endpoints vary across services. See the documentation for individual services for the specific steps for each service. The remainder of this article includes steps to restrict network access for an Azure Storage account, as an example.
Create an Azure storage account with New-AzStorageAccount.
```powershell
$storageAcctName1 = 'allowedaccount'

New-AzStorageAccount `
  -Location EastUS `
  -Name $storageAcctName1 `
  -ResourceGroupName myResourceGroup `
  -SkuName Standard_LRS `
  -Kind StorageV2
```
After the storage account is created, retrieve the key for the storage account into a variable with Get-AzStorageAccountKey:
```powershell
$storageAcctKey1 = (Get-AzStorageAccountKey -ResourceGroupName myResourceGroup -AccountName $storageAcctName1).Value[0]
```
The key is used to create a file share in a later step. Enter `$storageAcctKey1` and note the value, as you'll also need to manually enter it in a later step when you map the file share to a drive in a VM.
Now repeat the above steps to create a second storage account.
```powershell
$storageAcctName2 = 'notallowedaccount'

New-AzStorageAccount `
  -Location EastUS `
  -Name $storageAcctName2 `
  -ResourceGroupName myResourceGroup `
  -SkuName Standard_LRS `
  -Kind StorageV2
```
Also retrieve the storage account key for this account, to use later when you create a file share, and note its value as well:
```powershell
$storageAcctKey2 = (Get-AzStorageAccountKey -ResourceGroupName myResourceGroup -AccountName $storageAcctName2).Value[0]
```
Create a context for your storage account and key with New-AzStorageContext. The context encapsulates the storage account name and account key:
```powershell
$storageContext1 = New-AzStorageContext $storageAcctName1 $storageAcctKey1
$storageContext2 = New-AzStorageContext $storageAcctName2 $storageAcctKey2
```
Create a file share with New-AzStorageShare:
```powershell
$share1 = New-AzStorageShare my-file-share -Context $storageContext1
$share2 = New-AzStorageShare my-file-share -Context $storageContext2
```
By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to Deny with Update-AzStorageAccountNetworkRuleSet. Once network access is denied, the storage account is not accessible from any network.
```powershell
Update-AzStorageAccountNetworkRuleSet `
  -ResourceGroupName myresourcegroup `
  -Name $storageAcctName1 `
  -DefaultAction Deny

Update-AzStorageAccountNetworkRuleSet `
  -ResourceGroupName myresourcegroup `
  -Name $storageAcctName2 `
  -DefaultAction Deny
```
Retrieve the created virtual network with Get-AzVirtualNetwork and then retrieve the private subnet object into a variable with Get-AzVirtualNetworkSubnetConfig:
```powershell
$privateSubnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroup `
  -Name myVirtualNetwork `
  | Get-AzVirtualNetworkSubnetConfig -Name Private
```
Allow network access to the storage account from the Private subnet with Add-AzStorageAccountNetworkRule.
```powershell
Add-AzStorageAccountNetworkRule `
  -ResourceGroupName myresourcegroup `
  -Name $storageAcctName1 `
  -VirtualNetworkResourceId $privateSubnet.Id

Add-AzStorageAccountNetworkRule `
  -ResourceGroupName myresourcegroup `
  -Name $storageAcctName2 `
  -VirtualNetworkResourceId $privateSubnet.Id
```
To make sure that users in the virtual network can only access Azure Storage accounts that are safe and allowed, create a service endpoint policy whose definition lists the allowed storage accounts. The policy is then applied to the virtual network subnet that is connected to storage via service endpoints.
This section creates the policy definition with the list of resources allowed for access over the service endpoint.
Retrieve the resource ID for the first (allowed) storage account:
```powershell
$resourceId = (Get-AzStorageAccount -ResourceGroupName myresourcegroup -Name $storageAcctName1).id
```
Create the policy definition to allow the above resource:
```powershell
$policyDefinition = New-AzServiceEndpointPolicyDefinition -Name mypolicydefinition `
  -Description "Service Endpoint Policy Definition" `
  -Service "Microsoft.Storage" `
  -ServiceResource $resourceId
```
Create the service endpoint policy using the policy definition created above:
```powershell
$sepolicy = New-AzServiceEndpointPolicy -ResourceGroupName myresourcegroup `
  -Name mysepolicy -Location EastUS `
  -ServiceEndpointPolicyDefinition $policyDefinition
```
After creating the service endpoint policy, you'll associate it with the target subnet with the service endpoint configuration for Azure Storage.
```powershell
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork `
  -Name Private `
  -AddressPrefix 10.0.0.0/24 `
  -NetworkSecurityGroup $nsg `
  -ServiceEndpoint Microsoft.Storage `
  -ServiceEndpointPolicy $sepolicy

$virtualNetwork | Set-AzVirtualNetwork
```
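As an added check that is not part of the original article, the following script reads the configuration back from Azure and reports, for every storage account in the resource group, whether the service endpoint policy allows it and whether the account's own network rule set admits the Private subnet; it also confirms that the policy and the Microsoft.Storage endpoint are attached to the subnet. Resource names are taken from the article; the prefix match on resource IDs is an assumption that also covers policy definitions scoped to a whole resource group or subscription rather than a single account.

```powershell
# Added verification script (not from the original article). Run it in the same
# Azure PowerShell session after the steps above; names are the article's.
$rgName     = 'myResourceGroup'
$vnetName   = 'myVirtualNetwork'
$subnetName = 'Private'
$policyName = 'mysepolicy'

$subnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName |
    Get-AzVirtualNetworkSubnetConfig -Name $subnetName
$policy = Get-AzServiceEndpointPolicy -ResourceGroupName $rgName -Name $policyName

# Is the policy attached to the subnet, and does the subnet still carry the
# Microsoft.Storage service endpoint that the policy relies on?
$policyAttached  = @($subnet.ServiceEndpointPolicies | Where-Object { $_.Id -eq $policy.Id }).Count -gt 0
$endpointPresent = @($subnet.ServiceEndpoints | Where-Object { $_.Service -eq 'Microsoft.Storage' }).Count -gt 0
"Policy attached to subnet : $policyAttached"
"Storage endpoint on subnet: $endpointPresent"

# Resource IDs the policy allows for storage. A definition may name an account,
# a resource group or a subscription, so an account counts as allowed when its
# ID starts with any listed ID (case-insensitive).
$allowedIds = @($policy.ServiceEndpointPolicyDefinitions |
    Where-Object { $_.Service -eq 'Microsoft.Storage' } |
    ForEach-Object { $_.ServiceResources })

Get-AzStorageAccount -ResourceGroupName $rgName | ForEach-Object {
    $account = $_
    $ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rgName -Name $account.StorageAccountName
    $allowedByPolicy = @($allowedIds | Where-Object { $account.Id.StartsWith($_, 'OrdinalIgnoreCase') }).Count -gt 0
    $subnetRule = @($ruleSet.VirtualNetworkRules | Where-Object {
        $_.VirtualNetworkResourceId -eq $subnet.Id -and $_.Action -eq 'Allow' }).Count -gt 0
    [pscustomobject]@{
        Account         = $account.StorageAccountName
        AllowedByPolicy = $allowedByPolicy        # reachable over the endpoint from the subnet
        DefaultAction   = $ruleSet.DefaultAction  # Deny: only listed networks may connect
        SubnetRule      = $subnetRule             # account-side rule admitting the Private subnet
    }
} | Format-Table -AutoSize
```

For this article's setup, allowedaccount should show AllowedByPolicy True and notallowedaccount False, while both show DefaultAction Deny and SubnetRule True: the account-side rules admit the subnet for both, and the service endpoint policy is what blocks the second account.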
To test network access to a storage account, deploy a VM in the subnet.
Create a virtual machine in the Private subnet with New-AzVM. When running the command that follows, you are prompted for credentials. The values that you enter are configured as the user name and password for the VM. The `-AsJob` option creates the VM in the background, so that you can continue to the next step.
```powershell
New-AzVm -ResourceGroupName myresourcegroup `
  -Location "East US" `
  -VirtualNetworkName myVirtualNetwork `
  -SubnetName Private `
  -Name "myVMPrivate" -AsJob
```
Output similar to the following example output is returned:
```output
Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
1      Long Running... AzureLongRun... Running       True            localhost            New-AzVM
```
Use Get-AzPublicIpAddress to return the public IP address of a VM. The following example returns the public IP address of the myVmPrivate VM:
```powershell
Get-AzPublicIpAddress `
  -Name myVmPrivate `
  -ResourceGroupName myResourceGroup `
  | Select IpAddress
```
Replace `<publicIpAddress>` in the following command with the public IP address returned from the previous command, and then enter the command:
```powershell
mstsc /v:<publicIpAddress>
```
A Remote Desktop Protocol (.rdp) file is created and downloaded to your computer. Open the downloaded rdp file. If prompted, select Connect. Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM. Select OK. You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue, to proceed with the connection.
On the myVmPrivate VM, map the Azure file share from allowed storage account to drive Z using PowerShell.
```powershell
# The $storageAcctKey1 variable from your local session does not exist on the VM:
# paste the key for allowedaccount that you noted earlier.
$storageAcctKey1 = '<key-of-allowedaccount>'
$acctKey = ConvertTo-SecureString -String $storageAcctKey1 -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList ("Azure\allowedaccount"), $acctKey
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\allowedaccount.file.core.windows.net\my-file-share" -Credential $credential
```
PowerShell returns output similar to the following example output:
```output
Name           Used (GB)     Free (GB) Provider      Root
----           ---------     --------- --------      ----
Z                                      FileSystem    \\allowedaccount.file.core.windows.net\my-f...
```
The Azure file share successfully mapped to the Z drive.
Close the remote desktop session to the myVmPrivate VM.
On the same myVmPrivate VM, attempt to map the Azure file share to drive X.
```powershell
# Use the key of notallowedaccount (noted earlier) so that the only difference
# between the two attempts is the service endpoint policy, not the credential.
$storageAcctKey2 = '<key-of-notallowedaccount>'
$acctKey = ConvertTo-SecureString -String $storageAcctKey2 -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\notallowedaccount", $acctKey
New-PSDrive -Name X -PSProvider FileSystem -Root "\\notallowedaccount.file.core.windows.net\my-file-share" -Credential $credential
```
Access to the share is denied, and you receive a `New-PSDrive : Access is denied` error. Access is denied because the storage account notallowedaccount is not in the allowed resources list in the service endpoint policy.
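As an added example that is not part of the original article, the following helper runs both mapping attempts from inside the myVmPrivate session and reports a verdict per account, so the allowed and denied outcomes above can be checked in one pass. The function name `Test-ShareAccess` and the placeholder keys are assumptions; paste the keys you noted earlier.

```powershell
# Added test helper (not from the original article). Run it inside the
# myVmPrivate remote desktop session. The account keys from your local session
# do not exist on the VM, so paste the values you noted earlier.
function Test-ShareAccess {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $AccountKey,
        [Parameter(Mandatory)] [string] $DriveName,
        [string] $ShareName = 'my-file-share'
    )
    $secureKey  = ConvertTo-SecureString -String $AccountKey -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential `
        -ArgumentList "Azure\${AccountName}", $secureKey
    $root = "\\${AccountName}.file.core.windows.net\${ShareName}"
    try {
        # -ErrorAction Stop turns a failed mapping into a catchable exception.
        New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $root `
            -Credential $credential -ErrorAction Stop | Out-Null
        Remove-PSDrive -Name $DriveName   # unmap again; only the verdict matters here
        [pscustomobject]@{ Account = $AccountName; Result = 'Allowed'; Detail = '' }
    }
    catch {
        [pscustomobject]@{ Account = $AccountName; Result = 'Denied'; Detail = $_.Exception.Message }
    }
}

# allowedaccount is in the policy and notallowedaccount is not, so the expected
# verdicts are Allowed and Denied respectively.
@(
    Test-ShareAccess -AccountName 'allowedaccount'    -AccountKey '<key-of-allowedaccount>'    -DriveName 'Z'
    Test-ShareAccess -AccountName 'notallowedaccount' -AccountKey '<key-of-notallowedaccount>' -DriveName 'X'
) | Format-Table -AutoSize
```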
Close the remote desktop session to the myVmPrivate VM.
When no longer needed, you can use Remove-AzResourceGroup to remove the resource group and all of the resources it contains:
```powershell
Remove-AzResourceGroup -Name myResourceGroup -Force
```
In this article, you applied a service endpoint policy over an Azure virtual network service endpoint to Azure Storage. You created Azure Storage accounts and limited network access to only certain storage accounts (and thus denied others) from a virtual network subnet. To learn more about service endpoint policies, see Service endpoints policies overview.