Private Endpoint in Use

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-023

Ensure that private endpoints are configured for Microsoft Azure Storage accounts so that clients and services inside your virtual networks reach the account's data over a Private Link connection on the Microsoft backbone network, rather than over the public Internet.

This rule can help you with the following compliance standards:

  • CISAZUREF

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A private endpoint is a network interface placed in one of your Virtual Network (VNet) subnets that takes a private IP address from that subnet and connects, over Azure Private Link, to one specific Azure service instance such as a Storage account, an Azure SQL Database, or an Azure App Service. Traffic between the VNet and the service stays on the Microsoft backbone network and never traverses the public Internet, so the service's public endpoint is no longer part of your attack surface and, once public network access is also disabled, the Storage account cannot be reached from outside your networks at all. Private endpoints address exposure and isolation; encryption in transit is a separate control, so keep the Storage account's Secure transfer required (HTTPS-only) setting enabled so that traffic over the private endpoint is also protected against interception methods such as eavesdropping and Man-in-the-Middle (MITM) attacks. To protect your data from both kinds of threat, ensure that your Azure Storage accounts are configured to use private endpoints.


Audit

To determine if network access to Azure Storage accounts is allowed via private endpoints only, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected Storage account.

07 Select the Firewalls and virtual networks tab and check the Public network access configuration setting to determine the level of access configured for the selected resource. If Public network access is set to Disabled, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise (Enabled from all networks or Enabled from selected virtual networks and IP addresses), the Storage account remains reachable over its public endpoint, it is not restricted to private endpoint access, and the Audit process stops here.

08 Select the Private endpoint connections tab and check for any approved private endpoints configured for your Storage account. An approved private endpoint connection is a private endpoint with the Connection State set to Approved; a connection in the Pending state carries no traffic until it is approved from this tab, and a Rejected connection never will. If there are no approved private endpoints available on this page, the selected Microsoft Azure Storage account is not configured to allow network access via private endpoints only.

09 Repeat steps no. 5 – 8 for each Azure Storage account available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the name of each Azure Storage account available in the selected subscription:

az storage account list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--query '[*].name'

05 The command output should return the requested resource identifiers (names):

[
	"project5storageaccount",
	"mediastorageaccount",
	"prodstorageaccount"
]

06 Run storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected Storage account is disabled:

az storage account show
	--name project5storageaccount
	--query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'

07 The command output should return the status of the default network access rule used by the selected Storage account (i.e. "networkRuleSet" value) and the status of the "publicNetworkAccess" setting:

{
	"networkRuleSet": "Deny",
	"publicNetworkAccess": "Disabled"
}

If the command output returns "Deny" for "networkRuleSet" and "Disabled" for "publicNetworkAccess", as shown in the example above, network access via public endpoints or selected networks is disabled, therefore, you can continue the Audit process with the next step. Otherwise, the Storage account remains reachable over its public endpoint (from all networks when "publicNetworkAccess" is "Enabled" and "networkRuleSet" is "Allow", or from the selected networks and IP addresses when "networkRuleSet" is "Deny"), it is not restricted to private endpoint access, and the Audit process stops here. Note that "publicNetworkAccess" is returned as null on accounts where the setting was never explicitly configured; Azure treats null as "Enabled".

08 Run storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and a JMESPath filter that keeps only the private endpoint connections whose state is Approved (a connection that is still Pending, or that was Rejected, carries no traffic and does not count):

az storage account show
	--name project5storageaccount
	--query "privateEndpointConnections[?privateLinkServiceConnectionState.status=='Approved']"

09 The command output should return the configuration information available for each approved private endpoint connection:

[]

If the storage account show command output returns an empty array, i.e., [], there are no approved private endpoint connections associated with your Storage account, therefore, the selected Microsoft Azure Storage account is not configured to allow network access via private endpoints only.

10 Repeat steps no. 6 – 9 for each Azure Storage account available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
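As an added example (not code from the Conformity page or from Trend Micro), the following Python script applies the audit logic of CLI steps no. 6 – 9 above, and of Console steps no. 7 – 8, to the JSON that az storage account list -o json returns, so every Storage account in the active subscription is evaluated in one pass instead of one storage account show call per account. The sample accounts embedded in it are constructed for illustration; the field names are the ones the Azure CLI emits.

```python
"""Audit Azure Storage accounts for private-endpoint-only access.

Added example, not code from the original Conformity page. It applies the page's
audit logic to the JSON that `az storage account list -o json` returns:
  1. publicNetworkAccess must be "Disabled", and
  2. at least one private endpoint connection must be in the Approved state.
SAMPLE_ACCOUNTS_JSON below is constructed for illustration.
"""
import json
import sys

# Constructed sample in the shape `az storage account list -o json` produces;
# only the fields the audit reads are filled in. The last account shows the
# case where publicNetworkAccess was never set and comes back as null, which
# Azure treats as Enabled.
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "project5storageaccount", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny"},
   "privateEndpointConnections": [
     {"name": "project5storageaccount.abcd", "privateLinkServiceConnectionState":
        {"status": "Approved", "description": "Auto-Approved", "actionRequired": "None"}}]},
  {"name": "mediastorageaccount", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny"},
   "privateEndpointConnections": [
     {"name": "mediastorageaccount.efgh", "privateLinkServiceConnectionState":
        {"status": "Pending", "description": "Awaiting approval", "actionRequired": "None"}}]},
  {"name": "prodstorageaccount", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow"},
   "privateEndpointConnections": [
     {"name": "prodstorageaccount.ijkl", "privateLinkServiceConnectionState":
        {"status": "Approved", "description": "Auto-Approved", "actionRequired": "None"}}]},
  {"name": "legacystorageaccount", "publicNetworkAccess": null,
   "networkRuleSet": {"defaultAction": "Allow"},
   "privateEndpointConnections": []}
]"""


def connection_states(account):
    """Map each private endpoint connection name to its approval status."""
    states = {}
    for conn in account.get("privateEndpointConnections") or []:
        state = conn.get("privateLinkServiceConnectionState") or {}
        states[conn.get("name", "?")] = state.get("status", "Unknown")
    return states


def audit_account(account):
    """Return (compliant, findings) for one storage account resource."""
    findings = []
    pna = account.get("publicNetworkAccess")  # None on older accounts means Enabled
    if pna != "Disabled":
        findings.append(f"publicNetworkAccess is {pna or 'unset (Enabled)'}: "
                        "the account is still reachable over its public endpoint")
    states = connection_states(account)
    if "Approved" not in states.values():
        pending = [n for n, s in states.items() if s == "Pending"]
        detail = f" ({len(pending)} connection(s) pending approval)" if pending else ""
        findings.append("no approved private endpoint connection" + detail)
    return (not findings, findings)


def audit_accounts(accounts_json):
    """Audit every account in an `az storage account list -o json` document."""
    return {acct["name"]: audit_account(acct) for acct in json.loads(accounts_json)}


def main(argv):
    # Usage: az storage account list -o json > accounts.json
    #        python audit_private_endpoints.py accounts.json
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ACCOUNTS_JSON
    failures = 0
    for name, (ok, findings) in audit_accounts(text).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
        for finding in findings:
            print(f"        - {finding}")
        failures += not ok
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after az account set for each subscription; it exits non-zero when any account fails, so it can gate a pipeline. A Pending connection is reported separately from having no connection at all, because the fix differs (approve the connection versus create one), and a null publicNetworkAccess is reported as a finding rather than skipped.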

Remediation / Resolution

In Azure cloud, you can use private endpoints to privately connect to a service or resource. To ensure that your Microsoft Azure Storage accounts are accessed exclusively through private endpoint connections, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected Storage account.

07 Select the Firewalls and virtual networks tab, set Public network access to Disabled, and choose Save to apply the changes. Once the network configuration is updated, no network can reach the Storage account over its public endpoint and private endpoint connections become the only way to access it. Because this also locks out every client that is not yet connecting through a private endpoint, in a production environment perform step no. 08 first (including the private DNS integration), confirm that your clients resolve and reach the account privately, and only then come back and disable public network access.

08 Select the Private endpoint connections tab, choose + Private endpoint, and perform the following actions:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the private endpoint instance in the Name box.
    4. For Region, select the Azure cloud region where the private endpoint instance will be deployed.
    5. Choose Next : Resource > to continue the setup process.
  2. For Resource, select the target sub-resource that your private endpoint will connect to: blob, table, queue, file, web, or dfs. A private endpoint serves exactly one sub-resource, so create a separate private endpoint for each storage service (for example, blob and file) that your clients use. Choose Next : Virtual Network > to continue.
  3. For Virtual Network, perform the following operations:
    1. For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
    2. For Subnet, select the VNet subnet where the private endpoint will be deployed.
    3. (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
    4. For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
    5. (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping Azure resources and defining policies based on these groups.
    6. Choose Next : DNS > to continue.
  4. For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, so that the portal creates (or reuses) the privatelink.<sub-resource>.core.windows.net private DNS zone, links it to the VNet, and maintains the endpoint's A record in it. Without this integration, clients in the VNet keep resolving the account's public hostname to its public IP address and lose access once public network access is disabled; clients outside the VNet (for example, on-premises) additionally need DNS forwarding to that private zone. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
  5. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
  6. For Review + create, review the resource configuration details, then choose Create. The connection is auto-approved when the identity creating the private endpoint has permission to approve connections on the Storage account (the Owner and Contributor roles include it); otherwise it is created in the Pending state and must be approved by the Storage account owner from the Private endpoint connections tab before it carries any traffic.

09 Repeat steps no. 5 – 8 for each Azure Storage account that you want to configure, available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account update command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to configure as the identifier parameter to disable public network access to the selected Storage account. Once the change is applied, no network can reach the account over its public endpoint and private endpoint connections become the only way to access it, so any client that does not already use a private endpoint loses access until step no. 06 and the matching private DNS configuration are in place. In a production environment, run step no. 06 first and this step last:

az storage account update
	--name project5storageaccount
	--default-action Deny
	--public-network-access Disabled
	--query 'id'

05 The command output should return the resource ID of modified Azure Storage account:

"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount"

06 Run network private-endpoint create command (Windows/macOS/Linux) to create a private endpoint in a VNet subnet and attach it to your Microsoft Azure Storage account. Use the --private-connection-resource-id command parameter to specify the Storage account resource ID returned at the previous step. For the --group-id parameter, specify the target sub-resource that you want to use (in this case, blob); repeat the command with a different --group-id and endpoint name for each additional storage service your clients use. This command creates the endpoint and its network interface only; it does not create the privatelink.blob.core.windows.net private DNS zone, its VNet link, or the DNS zone group, which you must add separately so that the FQDN shown under customDnsConfigs resolves to the private IP address from inside the VNet:

az network private-endpoint create
	--name cc-project5-private-endpoint
	--resource-group cloud-shell-storage-westeurope
	--vnet-name cc-project5-vnet
	--subnet cc-project5-vnet-subnet-001
	--private-connection-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount"
	--connection-name cc-project5-sa-private-connection
	--group-id blob
	--location westeurope

07 The command output should return the configuration information for your new, auto-approved private endpoint:

{
	"customDnsConfigs": [
		{
			"fqdn": "project5storageaccount.blob.core.windows.net",
			"ipAddresses": [
				"10.0.0.8"
			]
		}
	],
	"customNetworkInterfaceName": "",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-project5-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "cc-project5-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-project5-private-endpoint.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"groupIds": [
				"blob"
			],
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-project5-private-endpoint/privateLinkServiceConnections/cc-project5-sa-private-connection",
			"name": "cc-project5-sa-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "Auto-Approved",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

08 Repeat steps no. 4 – 7 for each Storage account that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.
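As an added example (not code from the page, from Trend Micro or from Microsoft), the Python script below drives the same Azure CLI commands through subprocess and adds what CLI steps no. 04 – 07 above leave out: the private DNS zone, VNet link and DNS zone group that make <account>.blob.core.windows.net resolve to the endpoint's private IP address inside the VNet, a wait for the connection to reach the Approved state, a check that the FQDN really resolves privately, and an order that disables public network access only as the last step. The subscription ID, resource group, VNet, subnet and name prefix passed in by the caller are assumptions for the example; the az commands and parameters are the documented ones.

```python
"""Put an Azure Storage account behind a private endpoint, DNS included.

Added example, not code from the original page or from Microsoft. It drives the
Azure CLI through subprocess and adds what the page's CLI steps leave out: the
private DNS zone, VNet link and DNS zone group (without them, VNet clients keep
resolving the account FQDN to its public IP and are locked out once public
access is disabled) and an order that closes the public endpoint last. All
names passed in by the caller are assumptions for the example.
"""
import ipaddress
import json
import socket
import subprocess
import time

# Storage sub-resource (group id) -> private DNS zone for the public Azure cloud.
DNS_ZONE_FOR_GROUP = {
    "blob": "privatelink.blob.core.windows.net",
    "dfs": "privatelink.dfs.core.windows.net",
    "file": "privatelink.file.core.windows.net",
    "queue": "privatelink.queue.core.windows.net",
    "table": "privatelink.table.core.windows.net",
    "web": "privatelink.web.core.windows.net",
}


def storage_account_id(subscription, resource_group, name):
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{name}")


def plan(account_id, resource_group, vnet, subnet, location, group_id, prefix):
    """Ordered az commands (argv lists) that connect one sub-resource privately."""
    zone = DNS_ZONE_FOR_GROUP[group_id]
    pe = f"{prefix}-{group_id}-pe"
    return [
        ["az", "network", "private-endpoint", "create", "-g", resource_group, "-n", pe,
         "--vnet-name", vnet, "--subnet", subnet, "-l", location,
         "--private-connection-resource-id", account_id,
         "--connection-name", f"{pe}-conn", "--group-id", group_id],
        # Zone and link creation are PUTs, so re-running against an existing zone is harmless.
        ["az", "network", "private-dns", "zone", "create", "-g", resource_group, "-n", zone],
        ["az", "network", "private-dns", "link", "vnet", "create", "-g", resource_group,
         "-n", f"{prefix}-{group_id}-dnslink", "-z", zone, "-v", vnet, "-e", "false"],
        # The zone group makes Azure create and maintain the A record for the endpoint's private IP.
        ["az", "network", "private-endpoint", "dns-zone-group", "create", "-g", resource_group,
         "--endpoint-name", pe, "-n", "default", "--private-dns-zone", zone, "--zone-name", group_id],
    ]


def connection_approved(account_json, pe_name):
    """True when the account (az storage account show JSON) lists an Approved connection from pe_name."""
    for conn in json.loads(account_json).get("privateEndpointConnections") or []:
        pe_id = (conn.get("privateEndpoint") or {}).get("id", "").lower()
        status = (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        if pe_id.endswith("/privateendpoints/" + pe_name.lower()) and status == "Approved":
            return True
    return False


def resolves_privately(fqdn):
    """True when the account FQDN resolves to a private (RFC 1918) address, i.e. via the private zone."""
    return ipaddress.ip_address(socket.gethostbyname(fqdn)).is_private


def remediate(subscription, resource_group, name, vnet, subnet, location,
              group_ids=("blob",), prefix="cc", dry_run=True):
    """Connect each sub-resource privately, verify, then close the public endpoint. Returns commands."""
    account_id = storage_account_id(subscription, resource_group, name)
    ran = []

    def run(cmd):  # with dry_run the command is only recorded and printed
        ran.append(cmd)
        print("+", " ".join(cmd))
        return "" if dry_run else subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

    show = ["az", "storage", "account", "show", "-n", name, "-g", resource_group, "-o", "json"]
    for gid in group_ids:
        for cmd in plan(account_id, resource_group, vnet, subnet, location, gid, prefix):
            run(cmd)
        if dry_run:
            continue
        pe = f"{prefix}-{gid}-pe"
        # Auto-approval needs approve rights on the account; otherwise the account owner must run
        # `az network private-endpoint-connection approve` before this loop gives up.
        for _ in range(30):
            if connection_approved(run(show), pe):
                break
            time.sleep(10)
        else:
            raise RuntimeError(f"{pe}: connection not Approved; approve it and re-run")
        fqdn = f"{name}.{DNS_ZONE_FOR_GROUP[gid][len('privatelink.'):]}"
        if not resolves_privately(fqdn):  # run this script from inside the VNet
            raise RuntimeError(f"{fqdn} still resolves to a public IP; check the DNS zone link")
    # Only now is it safe to close the public path (the page's CLI step 04).
    run(["az", "storage", "account", "update", "-n", name, "-g", resource_group,
         "--public-network-access", "Disabled", "--default-action", "Deny"])
    return ran
```

Call remediate(...) with dry_run=True first to print the full plan, then with dry_run=False from a host inside the VNet (or on a network that forwards DNS to the private zone); from anywhere else the resolves_privately check stops the script before public access is disabled, which is the safe failure. Pass group_ids=("blob", "file") and so on when clients use more than one storage service, since each sub-resource needs its own endpoint and zone.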

Publication date Aug 2, 2022