Private Endpoint in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-023

Ensure that private endpoints are configured for Microsoft Azure Storage accounts in order to allow clients and services to securely access data located over a network via an encrypted Private Link connection.

This rule can help you with the following compliance standards:

  • CISAZUREF

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Securing traffic between services through encryption protects your data from interception methods such as eavesdropping and Man-in-the-Middle (MITM) attacks. To protect against these types of attacks, ensure that your Azure Storage accounts are configured to use private endpoints. A private endpoint in Azure cloud is a secure network interface that enables private access to Azure cloud services such as Azure Storage, Azure SQL Database, or Azure App Service from within a Virtual Network (VNet), using private IP addresses. It allows you to connect to Azure services without exposing them to the Internet, enhancing security and network isolation.
Audit

To determine if private endpoints are used to access your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box and choose Apply.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the blade navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected storage account.

06 Choose the Private endpoint connections tab and check for an approved private endpoint connection configured for each Virtual Network (VNet) associated with the selected storage account. An approved private endpoint connection is a private endpoint with the Connection State set to Approved. If there are no approved private endpoint connections available for the storage account, the selected Microsoft Azure Storage account is not using private endpoints for secure access.

07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier of each storage account available in the selected Azure subscription:

az storage account list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --query '[*].name'

02 The command output should return the requested resource identifiers (names):

[
	"mediastorageaccount",
	"prodstorageaccount",
	"project5storageaccount"
]

03 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to examine as the identifier parameter and custom query filters to describe the approved private endpoint connections created for the selected storage account:

az storage account show \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --name mediastorageaccount \
  --query 'privateEndpointConnections'

04 The command output should return the configuration information available for each approved private endpoint connection:

[]

If the storage account show command output returns an empty array, i.e. [], as shown in the example above, there are no approved private endpoint connections available for the storage account, therefore the selected Microsoft Azure Storage account is not using private endpoints for secure access.

05 Repeat steps no. 3 and 4 for each storage account provisioned in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
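To evaluate the CLI audit above across many accounts, the following added script (not part of this rule page or of the Conformity tool) applies the StorageAccounts-023 check to the privateEndpointConnections array that az storage account show prints. The sample input is constructed, and the per-connection object shape (privateEndpoint.id, privateLinkServiceConnectionState.status) is assumed from the Azure Storage resource schema rather than taken from this page; it goes slightly beyond the page by also treating Pending or Rejected connections as non-compliant.

```python
import json

# Constructed sample input: the "privateEndpointConnections" array that
# `az storage account show --name <account> --query privateEndpointConnections`
# prints for three hypothetical accounts. The per-connection shape (privateEndpoint.id,
# privateLinkServiceConnectionState.status) is assumed from the Azure Storage schema.
SAMPLE_ACCOUNTS = {
    "mediastorageaccount": [],  # empty array: no private endpoint at all
    "prodstorageaccount": [{
        "name": "cc-prod-storage-private-connection",
        "privateEndpoint": {"id": "/subscriptions/SUB/resourceGroups/RG/providers/"
                                  "Microsoft.Network/privateEndpoints/cc-prod-pe"},
        "privateLinkServiceConnectionState": {"status": "Approved",
                                              "description": "Auto-Approved"},
        "provisioningState": "Succeeded",
    }],
    "project5storageaccount": [{
        "name": "cc-project5-private-connection",
        "privateEndpoint": {"id": "/subscriptions/SUB/resourceGroups/RG/providers/"
                                  "Microsoft.Network/privateEndpoints/cc-p5-pe"},
        "privateLinkServiceConnectionState": {"status": "Pending",
                                              "description": "Awaiting approval"},
        "provisioningState": "Succeeded",
    }],
}

def load_connections(cli_output):
    """Parse the JSON the az command prints; "[]" means no endpoints exist."""
    return json.loads(cli_output)

def approved_connections(connections):
    """Keep only connections in the Approved state: a Pending or Rejected
    connection gives clients no usable Private Link path, so it does not count."""
    return [c for c in connections
            if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"]

def is_compliant(connections):
    """StorageAccounts-023 passes when at least one connection is Approved."""
    return bool(approved_connections(connections))

def audit(accounts):
    """Map account name -> (compliant, ids of its approved private endpoints)."""
    return {name: (is_compliant(conns),
                   [c["privateEndpoint"]["id"] for c in approved_connections(conns)])
            for name, conns in accounts.items()}

if __name__ == "__main__":
    for name, (ok, endpoints) in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'COMPLIANT' if ok else 'NON-COMPLIANT'} {endpoints}")
```

Feed each account's real az output through load_connections to run the same check against a live subscription.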

Remediation / Resolution

In Azure cloud, you can use private endpoints to privately connect to a service or resource. To create and configure private endpoints for your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box and choose Apply.

04 Click on the name (link) of the Azure Storage account that you want to configure.

05 In the blade navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected storage account.

06 Select the Private endpoint connections tab and choose Private endpoint to create a new private endpoint connection.

07 On the Create a private endpoint setup page, perform the following operations:

  1. For Basics, select the target Azure subscription, resource group, and region, and type a name for the new private endpoint connection in the Name box. The Network Interface Name will be automatically completed. The private endpoint must be in the same region as your virtual network (VNet). Choose Next : Resource > to continue the setup process.
  2. For Resource, select the target sub-resource that your private endpoint will be able to access, such as a table, blob, queue, file, etc. Choose Next : Virtual Network > to continue.
  3. For Virtual Network, select the Virtual Network (VNet) and VNet subnet that your storage account will be connecting to via private endpoint connection, choose whether to dynamically or statically allocate the required IP address, and configure the application security group. Choose Next : DNS > to continue the setup.
  4. For DNS, choose whether to use a private DNS integration. To connect privately with your private endpoint, you must add a DNS record. If you choose to integrate with a private DNS zone, the Azure console will create the required DNS record. Choose Next : Tags > to continue.
  5. For Tags, configure any required tags and choose Next : Review + create > to continue.
  6. For Review + create, review the resource configuration details and choose Create to deploy the new, auto-approved, private endpoint for your Azure Storage account.

08 Repeat steps no. 4 – 7 for each storage account that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run network private-endpoint create command (Windows/macOS/Linux) to create a new, auto-approved, private endpoint with dynamic IP for the selected Microsoft Azure Storage account:

az network private-endpoint create \
  --name cc-media-storage-private-endpoint \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --vnet-name cc-azure-vnet \
  --subnet default \
  --private-connection-resource-id /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/mediastorageaccount \
  --connection-name cc-media-storage-private-connection \
  --group-id blob

02 The command output should return the configuration information available for the new private endpoint:

{
	"customDnsConfigs": [
		{
			"fqdn": "mediastorageaccount.blob.core.windows.net",
			"ipAddresses": [
				"10.0.0.15"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-media-storage-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "cc-media-storage-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-media-storage-private-endpoint.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"groupIds": [
				"blob"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-media-storage-private-endpoint/privateLinkServiceConnections/cc-media-storage-private-connection",
			"name": "cc-media-storage-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "Auto-Approved",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/mediastorageaccount",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-azure-vnet/subnets/default",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

03 Repeat steps no. 1 and 2 for each storage account that you want to configure, available in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription available within your Microsoft Azure cloud account.

Publication date Aug 2, 2022