- Disable Public Network Access to Virtual Machine Disks
Ensure that public network access (i.e., all network access) to Azure virtual machine (VM) disks is disabled in order to enhance security by preventing unauthorized access.
When an Azure virtual machine (VM) disk is open to public access, it can be reached by all hosts and networks, including the Internet. This raises the likelihood of unauthorized access, security breaches, and potential compliance violations. However, if public network access is disabled, the public endpoint for your Azure VM disk will be restricted, allowing access only through private endpoint connections.
Audit
To determine whether public network access to your Azure virtual machine disks is disabled, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Virtual machine, and choose Apply to list only the virtual machine (VM) instances available in the selected subscription.
05 Click on the name (link) of the Azure virtual machine that you want to examine.
06 In the VM navigation panel, under Settings, select Disks to view the disk volumes currently attached to the selected virtual machine.
07 Click on the name (link) of the VM disk that you want to examine.
08 In the disk navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected disk volume.
09 Check the Network access configuration setting to determine the level of access configured for the selected VM disk. If Network access is set to Enable public access from all networks, all networks, including the Internet, can access your disk. Therefore, the public network access to the selected Azure virtual machine (VM) disk is not disabled.
10 Repeat steps no. 7 – 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 5 – 10 for each Azure virtual machine available within the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run vm list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure virtual machine (VM) provisioned in the selected subscription:
az vm list --query '[*].id'
05 The command output should return the requested VM resource identifiers (IDs):
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-wordpress-server" ]
06 Run vm show command (Windows/macOS/Linux) with the ID of the Azure virtual machine that you want to examine as the identifier parameter and custom output filters to describe the ID of each disk volume attached to the selected virtual machine:
az vm show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm" --query 'storageProfile.{"dataDisks":dataDisks[].managedDisk.id,"osDisk":osDisk.managedDisk.id}'
07 The command output should return an array with the requested disk volume identifiers (IDs):
{ "osDisk": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1", "dataDisks": [ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_DataDisk_0" ] }
08 Run disk show command (Windows/macOS/Linux) with the ID of the Azure VM disk volume that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected disk volume is disabled:
az disk show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1" --query '{networkAccessPolicy:networkAccessPolicy,publicNetworkAccess:publicNetworkAccess}'
09 The command output should return the status of the network access policy used by the selected disk (i.e. "networkAccessPolicy" value) and the status of the "publicNetworkAccess" setting configured for the resource:
{ "networkAccessPolicy": "AllowAll", "publicNetworkAccess": "Enabled" }
If the disk show command output returns "AllowAll" for "networkAccessPolicy" and "Enabled" for "publicNetworkAccess", as shown in the example above, all networks, including the Internet, can access your disk volume. Therefore, the public network access to the selected Azure virtual machine (VM) disk is not disabled.
10 Repeat steps no. 8 and 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 6 – 10 for each Azure virtual machine available in the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
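The audit above walks subscriptions, virtual machines and disks by hand and only spells out the AllowAll/Enabled case. The following script is an added example (not part of this page or of the Azure CLI) that automates the same check: it classifies each disk object from the fields the page's disk show query returns (networkAccessPolicy, publicNetworkAccess, plus diskAccessId, which is set when a disk access resource is attached) and, in live mode, enumerates every managed disk in a subscription with az disk list instead of the per-VM vm show walk, so unattached disks are covered as well. The sample disk objects are constructed; treating missing fields as the AllowAll/Enabled defaults is an assumption made for a conservative audit.

```python
"""Audit Azure managed disks for public network access (added example).

Evaluates the same fields the page's `az disk show` query returns:
networkAccessPolicy and publicNetworkAccess, plus diskAccessId.
Live mode runs `az disk list` via subprocess; the constructed sample
objects below let the classification run offline.
"""
import json
import subprocess

NON_COMPLIANT = "NON_COMPLIANT (public access enabled)"
DENY_ALL = "COMPLIANT (public and private access disabled)"
PRIVATE_ONLY = "COMPLIANT (private endpoint only)"
REVIEW = "REVIEW (unexpected combination of settings)"


def classify(disk):
    """Map one disk object's network settings to an audit finding.

    Missing fields are treated as the Azure defaults AllowAll/Enabled,
    the conservative choice for an audit (assumption).
    """
    policy = disk.get("networkAccessPolicy") or "AllowAll"
    public = disk.get("publicNetworkAccess") or "Enabled"
    # Either field alone leaves a public path to the disk data.
    if policy == "AllowAll" or public == "Enabled":
        return NON_COMPLIANT
    if policy == "DenyAll":
        return DENY_ALL
    if policy == "AllowPrivate" and disk.get("diskAccessId"):
        return PRIVATE_ONLY
    # e.g. AllowPrivate reported without a disk access resource attached
    return REVIEW


def audit(disks):
    """Return [(disk name, finding)] for a list of disk objects."""
    return [(d.get("name", "<unnamed>"), classify(d)) for d in disks]


def non_compliant(disks):
    """Names of the disks that still allow public network access."""
    return [name for name, finding in audit(disks) if finding == NON_COMPLIANT]


def list_disks_live(subscription_id):
    """Enumerate every managed disk in a subscription with `az disk list`.

    Requires a logged-in Azure CLI; not exercised offline.
    """
    out = subprocess.run(
        ["az", "disk", "list", "--subscription", subscription_id,
         "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample objects, modelled on the page's `az disk show` output.
SAMPLE_DISKS = [
    {"name": "cc-project5-web-vm_OsDisk_1",
     "networkAccessPolicy": "AllowAll", "publicNetworkAccess": "Enabled"},
    {"name": "cc-project5-web-vm_DataDisk_0",
     "networkAccessPolicy": "DenyAll", "publicNetworkAccess": "Disabled"},
    {"name": "cc-wordpress-server_OsDisk_1",
     "networkAccessPolicy": "AllowPrivate", "publicNetworkAccess": "Disabled",
     "diskAccessId": "/subscriptions/<subscription-id>/resourceGroups/<rg>"
                     "/providers/Microsoft.Compute/diskAccesses/cc-project5-disk-access"},
    {"name": "legacy-disk"},  # disk object without the two network fields
]

if __name__ == "__main__":
    import sys
    # Pass a subscription ID to audit live; otherwise use the samples.
    disks = list_disks_live(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISKS
    for name, finding in audit(disks):
        print(f"{finding:48s} {name}")
```

Run it with a subscription ID as the only argument to audit that subscription, or without arguments to see the classification of the four constructed samples; any disk reported as NON_COMPLIANT is one the remediation steps below apply to.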
Remediation / Resolution
Case A: To disable public and private network access to your Microsoft Azure virtual machine (VM) disks, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Virtual machine, and choose Apply to list only the virtual machine (VM) instances available in the selected subscription.
05 Click on the name (link) of the Azure virtual machine that you want to examine.
06 In the VM navigation panel, under Settings, select Disks to view the disk volumes attached to the selected virtual machine.
07 Click on the name (link) of the VM disk that you want to examine.
08 In the disk navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected disk volume.
09 In the Network access section, choose Disable public and private access to disable both public and private network access to the selected Azure virtual machine disk. Choose Save to apply the configuration settings.
10 Repeat steps no. 7 – 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 5 – 10 for each Azure virtual machine available within the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run disk update command (Windows/macOS/Linux) with the ID of the Azure VM disk volume that you want to configure as the identifier parameter, to disable both public and private network access to the selected VM disk:
az disk update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1" --public-network-access Disabled --network-access-policy DenyAll
05 The command output should return the configuration information available for the modified resource:
{ "creationData": { "createOption": "FromImage" }, "diskIOPSReadWrite": 120, "diskMBpsReadWrite": 25, "diskSizeBytes": 32213303296, "diskSizeGB": 30, "diskState": "Attached", "encryption": { "type": "EncryptionAtRestWithPlatformKey" }, "hyperVGeneration": "V2", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1", "location": "westeurope", "managedBy": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm", "name": "cc-project5-web-vm_OsDisk_1", "networkAccessPolicy": "DenyAll", "osType": "Linux", "provisioningState": "Succeeded", "publicNetworkAccess": "Disabled", "resourceGroup": "cloud-shell-storage-westeurope", "sku": { "name": "Premium_LRS", "tier": "Premium" }, "supportedCapabilities": { "acceleratedNetwork": true, "architecture": "x64", "diskControllerTypes": "SCSI, NVMe" }, "supportsHibernation": true, "tier": "P4", "zones": [ "1" ] }
06 Repeat steps no. 4 and 5 for each VM disk provisioned for the selected virtual machine.
07 Repeat steps no. 4 – 6 for each Azure virtual machine available in the selected subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
Case B: To disable public network access and enable private access to your Microsoft Azure virtual machine (VM) disks, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to Disk Accesses blade available at https://portal.azure.com/#browse/Microsoft.Compute%2FdiskAccesses.
03 Choose Create and perform the following actions to create a disk access resource. This Azure resource gives you control over the network(s) that can access data on your virtual machine (VM) disks:
- For Basics, provide the following information:
- For Subscription, choose your Azure subscription.
- For Resource group, select the correct resource group.
- Provide a unique name for the disk access instance in the Name box.
- For Region, select the Azure cloud region where the disk access instance will be deployed.
- Choose Next : Tags > to continue the setup process.
- For Tags, use the Name, Value, and Resource fields to create tags that help identify and organize the resource. Choose Next : Review + create > to validate the disk access setup.
- For Review + create, review the resource configuration details, and choose Create to create your disk access resource.
04 Once your disk access instance is available, you can create and attach the required private endpoint. Choose Go to resource and select Private endpoint connections under Settings. Choose Private endpoint and perform the following operations to create a new private endpoint connection:
- For Basics, provide the following information:
- For Subscription, choose your Azure subscription.
- For Resource group, select the correct resource group.
- Provide a unique name for the private endpoint instance in the Name box.
- For Region, select the Azure cloud region where the private endpoint instance will be deployed.
- Choose Next : Resource > to continue the setup process.
- For Resource, select disks from the Target sub-resource dropdown list. Choose Next : Virtual Network > to continue the setup.
- For Virtual Network, perform the following operations:
- For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
- For Subnet, select the VNet subnet where the private endpoint will be deployed.
- (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
- For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
- (Optional) For Application security group, choose Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping Azure resources and defining policies based on these groups.
- Choose Next : DNS > to continue.
- For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
- For Tags, use the Name, Value, and Resource fields to create tags that help identify and organize the resource. Choose Next : Review + create > to validate the private endpoint setup.
- For Review + create, review the resource configuration details, then choose Create to create and attach the new private endpoint to your Azure disk access instance.
05 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
06 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
07 From the Type equals all filter box, choose Equals, select Virtual machine, and choose Apply to list only the virtual machine (VM) instances available in the selected subscription.
08 Click on the name (link) of the Azure virtual machine that you want to access.
09 In the VM navigation panel, under Settings, select Disks to view the disk volumes attached to the selected virtual machine.
10 Click on the name (link) of the VM disk that you want to configure.
11 In the disk navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected disk volume.
12 In the Networking page, perform the following actions:
- For Network access, choose Disable public access and enable private access.
- For Disk access, select the Azure disk access instance created in the previous steps. This allows you to protect your VM disk with Azure Private Link. The disk access instance will only allow operations through the configured private endpoint.
- Choose Save to apply the configuration settings. This will disable public access and enable private network access to the selected Azure virtual machine disk.
13 Repeat steps no. 10 – 12 for each VM disk available for the selected virtual machine.
14 Repeat steps no. 8 – 13 for each Azure virtual machine available within the selected subscription.
15 Repeat steps no. 3 – 14 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run disk-access create command (Windows/macOS/Linux) to create your Azure disk access instance. This Azure cloud resource gives you control over the network(s) that can access data on your virtual machine (VM) disks:
az disk-access create --name cc-project5-disk-access --resource-group cloud-shell-storage-westeurope --location westeurope
05 The command output should return the configuration information available for the new disk access instance:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskAccesses/cc-project5-disk-access", "location": "westeurope", "name": "cc-project5-disk-access", "privateEndpointConnections": null, "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "tags": null, "type": "Microsoft.Compute/diskAccesses" }
06 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach a private endpoint to your Azure disk access instance. Use the --private-connection-resource-id command parameter to specify the disk access instance ID returned at the previous step:
az network private-endpoint create --name cc-private-endpoint-connection --resource-group cloud-shell-storage-westeurope --vnet-name cc-project5-vnet --subnet cc-vnet-subnet-001 --private-connection-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskAccesses/cc-project5-disk-access" --connection-name cc-project5-vm-disk-private-connection --group-id disks --location westeurope
07 The command output should return the configuration information for your new private endpoint:
{ "customDnsConfigs": [ { "fqdn": "ad-abcd-avcd1234abcd.z2.blob.storage.azure.net", "ipAddresses": [ "10.0.0.8" ] } ], "customNetworkInterfaceName": "", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-private-endpoint-connection", "ipConfigurations": [], "location": "westeurope", "manualPrivateLinkServiceConnections": [], "name": "cc-private-endpoint-connection", "networkInterfaces": [ { "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-private-endpoint-connection.nic.abcdabcd-1234-abcd-1234-abcdabcdabcd", "resourceGroup": "cloud-shell-storage-westeurope" } ], "privateLinkServiceConnections": [ { "groupIds": [ "disks" ], "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-private-endpoint-connection/privateLinkServiceConnections/cc-project5-vm-disk-private-connection", "name": "cc-project5-vm-disk-private-connection", "privateLinkServiceConnectionState": { "actionsRequired": "None", "description": "Auto-Approved", "status": "Approved" }, "privateLinkServiceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskAccesses/cc-project5-disk-access", "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections" } ], "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "subnet": { "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-web-vm-vnet/subnets/default", "resourceGroup": "cloud-shell-storage-westeurope" }, "type": "Microsoft.Network/privateEndpoints" }
08 Run disk update command (Windows/macOS/Linux) with the ID of the Azure VM disk volume that you want to configure as the identifier parameter, to associate your Azure disk access instance with the selected VM disk. This will disable public access and enable private network access to the selected Azure virtual machine disk:
az disk update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1" --disk-access "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskAccesses/cc-project5-disk-access" --network-access-policy AllowPrivate
09 The command output should return the configuration information available for the modified resource:
{ "creationData": { "createOption": "FromImage" }, "diskAccessId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskAccesses/cc-project5-disk-access", "diskIOPSReadWrite": 120, "diskMBpsReadWrite": 25, "diskSizeBytes": 32213303296, "diskSizeGB": 30, "diskState": "Attached", "encryption": { "type": "EncryptionAtRestWithPlatformKey" }, "hyperVGeneration": "V2", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-project5-web-vm_OsDisk_1", "location": "westeurope", "managedBy": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-vm", "name": "cc-project5-web-vm_OsDisk_1", "networkAccessPolicy": "AllowPrivate", "osType": "Linux", "provisioningState": "Succeeded", "publicNetworkAccess": "Disabled", "resourceGroup": "cloud-shell-storage-westeurope", "sku": { "name": "Premium_LRS", "tier": "Premium" }, "supportedCapabilities": { "acceleratedNetwork": true, "architecture": "x64", "diskControllerTypes": "SCSI, NVMe" }, "supportsHibernation": true, "tier": "P4", "zones": [ "1" ] }
10 Repeat steps no. 8 and 9 for each VM disk provisioned for the selected virtual machine.
11 Repeat steps no. 8 – 10 for each Azure virtual machine available in the selected subscription.
12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
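The Case B remediation is a three-stage chain (create the disk access resource, attach a private endpoint to it, then point each disk at the disk access with the AllowPrivate policy), and the endpoint must be approved before the disks are switched over. The script below is an added example (not part of this page or of the Azure CLI) that builds those three commands from the page as argument lists, so the plan can be reviewed as a dry run, and in live mode executes them in order while checking the private endpoint connection status from the JSON the page shows. The sample configuration reuses the page's resource names; the trimmed endpoint object is constructed; and adding --public-network-access Disabled to the disk update (the page's Case B command omits it) is this example's choice to make the public flag explicit.

```python
"""Script the Case B remediation (added example, not the page's own code).

Builds the page's three Azure CLI calls in order and, in live mode,
verifies the private endpoint is Approved before any disk is attached.
"""
import json
import shlex
import subprocess

# Constructed sample configuration using the page's resource names.
SAMPLE_CFG = {
    "resource_group": "cloud-shell-storage-westeurope",
    "location": "westeurope",
    "vnet": "cc-project5-vnet",
    "subnet": "cc-vnet-subnet-001",
    "access_name": "cc-project5-disk-access",
    "endpoint_name": "cc-private-endpoint-connection",
    "connection_name": "cc-project5-vm-disk-private-connection",
    "disk_ids": [
        "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
        "cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/"
        "cc-project5-web-vm_OsDisk_1",
    ],
}

# Constructed, trimmed version of the page's private endpoint output.
SAMPLE_ENDPOINT = {
    "name": "cc-private-endpoint-connection",
    "provisioningState": "Succeeded",
    "privateLinkServiceConnections": [{
        "groupIds": ["disks"],
        "privateLinkServiceConnectionState": {
            "actionsRequired": "None", "description": "Auto-Approved",
            "status": "Approved"},
    }],
}


def disk_access_create_cmd(cfg):
    return ["az", "disk-access", "create", "--name", cfg["access_name"],
            "--resource-group", cfg["resource_group"],
            "--location", cfg["location"]]


def private_endpoint_create_cmd(cfg, disk_access_id):
    return ["az", "network", "private-endpoint", "create",
            "--name", cfg["endpoint_name"],
            "--resource-group", cfg["resource_group"],
            "--vnet-name", cfg["vnet"], "--subnet", cfg["subnet"],
            "--private-connection-resource-id", disk_access_id,
            "--connection-name", cfg["connection_name"],
            "--group-id", "disks", "--location", cfg["location"]]


def disk_update_cmd(disk_id, disk_access_id):
    # AllowPrivate routes disk data access through the disk access resource;
    # the explicit public flag is this example's addition.
    return ["az", "disk", "update", "--ids", disk_id,
            "--disk-access", disk_access_id,
            "--network-access-policy", "AllowPrivate",
            "--public-network-access", "Disabled"]


def endpoint_is_approved(endpoint):
    """True when every private link connection on the endpoint is Approved."""
    conns = endpoint.get("privateLinkServiceConnections") or []
    return bool(conns) and all(
        c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
        for c in conns)


def plan(cfg, disk_access_id):
    """Ordered command list for a dry run; the disk access ID is supplied
    by the caller because the resource does not exist yet."""
    cmds = [disk_access_create_cmd(cfg),
            private_endpoint_create_cmd(cfg, disk_access_id)]
    cmds += [disk_update_cmd(d, disk_access_id) for d in cfg["disk_ids"]]
    return cmds


def run_az(argv):
    """Run one az command and parse its JSON output (live mode only)."""
    out = subprocess.run(argv + ["--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def apply(cfg):
    """Live mode: create, attach, verify approval, then update each disk."""
    access = run_az(disk_access_create_cmd(cfg))
    endpoint = run_az(private_endpoint_create_cmd(cfg, access["id"]))
    if not endpoint_is_approved(endpoint):
        raise RuntimeError("private endpoint connection is not Approved; "
                           "approve it on the disk access resource and re-run")
    return [run_az(disk_update_cmd(d, access["id"])) for d in cfg["disk_ids"]]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--apply":
        apply(SAMPLE_CFG)
    else:  # dry run: print the commands that would be executed
        for cmd in plan(SAMPLE_CFG, "<disk-access-id>"):
            print(shlex.join(cmd))
```

Without arguments the script prints the three commands for review; with --apply it runs them against the signed-in subscription and stops, with nothing attached, if the endpoint connection comes back in any state other than Approved (manual approval is required when the endpoint is created from a different subscription or without the necessary permissions on the disk access resource).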
References
- Azure Official Documentation
- Restrict managed disks from being imported or exported
- Restrict import/export access for managed disks using Azure Private Link
- Azure CLI - Restrict import/export access for managed disks with Private Links
- Azure CLI Documentation
- az account list
- az account set
- az vm list
- az vm show
- az disk show
- az disk update
- az disk-access create
- az network private-endpoint create