How to Add a Virtual Network to Azure Storage Account Firewall Across Regions and Tenants

Adding a virtual network from another tenant to an Azure Storage account firewall is a common scenario for testing connectivity, sharing files securely, or enabling collaboration between partners. This ensures data access is restricted to specific networks without exposing the storage account to all networks.

In this guide, we’ll focus on achieving this goal using PowerShell and Azure CLI on local machines. We’ll also provide tips and considerations for cross-region and cross-tenant configurations.

Key Use Case

This approach is ideal for scenarios such as:

  • Testing connectivity between applications in different tenants or regions.
  • Allowing partners or collaborators to securely access files without opening the storage account to all networks.

Prerequisites

Before proceeding, ensure the following:

  1. You have access to the Azure subscription containing the storage account.
  2. You have administrative privileges for the virtual network and subnet in the other tenant or region.
  3. You’ve installed the required tools: Azure PowerShell or Azure CLI.

PowerShell Approach

Step 1: Install the Az Module

Follow the step-by-step instructions on Microsoft Learn to Install Azure PowerShell on Windows.

Step 2: Configure the Virtual Network and Storage Account Firewall

Run the following commands in your PowerShell session:

# Import Az.Storage module
Import-Module -Name Az.Storage

# Authenticate and connect to your Azure account
Connect-AzAccount

# Select the subscription containing the storage account
Select-AzSubscription -SubscriptionId "xxxx-xxxx-xxxx-xxxx"

# List existing virtual network rules for the storage account
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").VirtualNetworkRules

# Enable a service endpoint for Azure Storage on an existing virtual network and subnet
Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.0.0.0/24" -ServiceEndpoint "Microsoft.Storage.Global" | Set-AzVirtualNetwork

# Add a network rule for the virtual network and subnet
$subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id

Azure CLI Approach

Step 1: Install Azure CLI

Follow the installation guide for your platform: Install Azure CLI.

Step 2: Configure the Virtual Network and Storage Account Firewall

Run the following commands in your CLI session:

# Authenticate and sign in to your Azure account
az login

# List existing virtual network rules for the storage account
az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query virtualNetworkRules

# Enable a service endpoint for Azure Storage on an existing virtual network and subnet
az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage.Global"

# Add a network rule for the virtual network and subnet
subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet $subnetid

Special Considerations

Cross-Tenant Virtual Network Rules

To add a network rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, you must pass the fully qualified subnet resource ID (the VirtualNetworkResourceId parameter in PowerShell, or the --subnet argument in Azure CLI). The format is:

/subscriptions/<subscription-ID>/resourceGroups/<resourceGroup-Name>/providers/Microsoft.Network/virtualNetworks/<vNet-name>/subnets/<subnet-name>

Ensure you have the correct subscription ID and resource group details for the virtual network in the other tenant.
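Putting the cross-tenant rule together with the rule-add step from the PowerShell and Azure CLI sections above, here is an added example script (not part of the original guide) that builds the fully qualified subnet ID from the four values the other tenant's administrator supplies, checks the ID's shape before sending it to Azure, skips the add when an equivalent rule already exists (resource IDs are compared case-insensitively, since ARM may echo them back with different casing), and finally checks the account's default action: a virtual network rule restricts nothing while the default action is still Allow. The resource names, the all-zero subscription GUID and the --apply flag are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Assumes Azure CLI is installed and
# `az login` has been run against the tenant that owns the STORAGE account.
# Every resource name and GUID below is a placeholder.
set -euo pipefail

# Build the fully qualified subnet resource ID by hand. For a subnet in another
# tenant you cannot run `az network vnet subnet show` from this login, so the
# other tenant's admin hands you these four values instead.
subnet_resource_id() {
  # $1 subscription ID, $2 resource group, $3 vnet name, $4 subnet name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Sanity-check an ID before sending it to ARM: a GUID subscription and the exact
# provider path. Catches copy-paste damage such as a missing "/subnets/" segment.
is_valid_subnet_id() {
  printf '%s' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[^/]+/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$'
}

# ARM resource IDs are case-insensitive, so compare lower-cased.
# $1 = newline-separated list of existing rule IDs, $2 = candidate ID.
# Returns 0 when an equivalent rule is already present.
rule_present() {
  local existing wanted
  existing=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
  wanted=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$existing" | grep -Fxq -- "$wanted"
}

# Orchestration: everything below talks to Azure and only runs with --apply.
main() {
  local rg="myresourcegroup" sa="mystorageaccount"
  local id existing action
  # Placeholder values for the partner tenant's subnet (assumed, not real).
  id=$(subnet_resource_id "00000000-0000-0000-0000-000000000000" "partner-rg" "partner-vnet" "partner-subnet")
  is_valid_subnet_id "$id" || { echo "malformed subnet ID: $id" >&2; exit 1; }

  existing=$(az storage account network-rule list --resource-group "$rg" --account-name "$sa" \
               --query 'virtualNetworkRules[].virtualNetworkResourceId' --output tsv)
  if rule_present "$existing" "$id"; then
    echo "rule already present, nothing to do"
  else
    az storage account network-rule add --resource-group "$rg" --account-name "$sa" \
      --subnet "$id" --output none
  fi

  # A virtual network rule only restricts traffic when the default action is Deny;
  # with Allow, the rule is decorative and the account stays reachable from anywhere.
  action=$(az storage account show --resource-group "$rg" --name "$sa" \
             --query 'networkRuleSet.defaultAction' --output tsv)
  if [ "$action" != "Deny" ]; then
    echo "default action is $action; setting it to Deny so the rule takes effect" >&2
    az storage account update --resource-group "$rg" --name "$sa" --default-action Deny --output none
  fi
}

if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as bash add-partner-subnet.sh --apply; without the flag the script only defines the helper functions, which is convenient for sourcing them into another script. Switching the default action to Deny also cuts off any of your own clients that rely on the open default, so check the existing rule list printed by the guide's list command first.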

Cross-Region Service Endpoints

Local and cross-region service endpoints cannot coexist on the same subnet. If you need to replace existing service endpoints with cross-region ones:

  1. Delete the existing Microsoft.Storage endpoints.
  2. Recreate them as cross-region endpoints (Microsoft.Storage.Global).
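As an added example (not from the original guide), the following Azure CLI script carries out those two steps while preserving any other service endpoints already on the subnet. The point it demonstrates is that --service-endpoints replaces the whole list, so resubmitting only Microsoft.Storage.Global would silently remove endpoints such as Microsoft.KeyVault or Microsoft.Sql. Resource names and the --apply flag are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Assumes Azure CLI and an active
# `az login`; resource group, vnet and subnet names are placeholders.
set -euo pipefail

# Print $1 (newline-separated service names, as returned by
# --query 'serviceEndpoints[].service' --output tsv) with every line equal to $2 removed.
without_service() {
  local svc
  while IFS= read -r svc; do
    if [ -n "$svc" ] && [ "$svc" != "$2" ]; then printf '%s\n' "$svc"; fi
  done <<EOF
$1
EOF
}

# Print $1 with $2 appended unless it is already present (no duplicates).
with_service() {
  local svc found=0
  while IFS= read -r svc; do
    if [ -z "$svc" ]; then continue; fi
    if [ "$svc" = "$2" ]; then found=1; fi
    printf '%s\n' "$svc"
  done <<EOF
$1
EOF
  if [ "$found" -eq 0 ]; then printf '%s\n' "$2"; fi
}

# Azure orchestration, run only with --apply.
main() {
  local rg="myresourcegroup" vnet="myvnet" subnet="mysubnet"
  local current others final
  current=$(az network vnet subnet show --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
              --query 'serviceEndpoints[].service' --output tsv)
  others=$(without_service "$current" Microsoft.Storage)
  final=$(with_service "$others" Microsoft.Storage.Global)
  echo "current endpoints: $(printf '%s' "$current" | tr '\n' ' ')"

  # Step 1 of the guide: delete the local Microsoft.Storage endpoint. Because
  # --service-endpoints replaces the whole list, resubmit the remaining endpoints
  # instead of an empty list. When Microsoft.Storage was the only endpoint there is
  # nothing to keep, so skip straight to step 2, whose single update replaces the
  # local endpoint with the global one.
  if [ -n "$others" ] && [ "$others" != "$current" ]; then
    # Unquoted on purpose: each newline-separated service becomes its own argument.
    # shellcheck disable=SC2086
    az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
      --service-endpoints $others --output none
  fi

  # Step 2: recreate the storage endpoint as Microsoft.Storage.Global, keeping the rest.
  echo "submitting endpoints: $(printf '%s' "$final" | tr '\n' ' ')"
  # shellcheck disable=SC2086
  az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
    --service-endpoints $final --output none
}

if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as bash swap-storage-endpoint.sh --apply. Between the two updates the subnet briefly has no storage endpoint at all, so traffic from that subnet to the storage account is rejected by the firewall during that window; schedule the change accordingly.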

Extra Tips

  1. Testing Connectivity
    After adding the virtual network rule, test connectivity to the storage account using tools like Azure Storage Explorer or application-specific configurations.
  2. Documentation Reference
    For detailed instructions, refer to Configure Azure Storage firewalls and virtual networks.
  3. Cost Considerations
    • Enabling service endpoints may incur additional costs depending on your Azure pricing model.
    • Cross-region configurations typically involve higher network egress charges.

Conclusion

Adding a virtual network from a different region or tenant to an Azure Storage account firewall is a straightforward process when using PowerShell or Azure CLI. By following the steps outlined in this guide, you can configure secure access to your storage account while maintaining strict network rules.
