Limit storage account access to Application Gateway only

Hi Filip

Please use below steps to restrict access to your Azure storage account so that only your Application Gateway can send logs to it.

1. Configure the storage account to deny access from all networks by setting the network rules to "Deny" by default or check for Allow access from all networks is disabled.
2. Use a Private Endpoint or Service Endpoint to allow the Application Gateway to communicate with the storage account securely over the Azure backbone network.
3. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
4. For enhanced security, consider creating a private endpoint for your storage account.
5. This assigns a private IP address from your virtual network to the storage account, securing traffic between your virtual network and the storage account over a private link
6. You can check azure monitoring settings, ensure that your Azure monitoring settings are correctly configured to send logs to the storage account. https://learn.microsoft.com/en-us/azure/azure-monitor/platform/create-diagnostic-settings?tabs=portal

Additionally, you can implement log analytics to check the logs. For more details, please refer to the https://learn.microsoft.com/en-us/azure/application-gateway/log-analytics

Hope this helps you sort things out! Let me know if you need further assistance.

Thank you.

Hi Filip,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

This can be achieved through multiple ways, and it depends how you wish to achieve this. Refer the below methods and link given for reference -

• Allow access from selected virtual network subnets using private endpoints.
• Allow access from selected virtual network subnets using service endpoints.
• Allow access from specific public IP addresses or ranges.

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#configure-network-access-to-azure-storage

1. Allow access from specific public IP addresses or ranges

• First if you wish that Application Gateway accesses the storage account over internet using its public ip address. and you block all the other traffic. In that case over Storage account Network settings, you can choose - Enabled from selected virtual networks and IP addresses option and add application gateway public ip address under the Firewall section. This way only application gateway will be able to access the storage account over internet.
• 

2. Allow access from selected virtual network subnets using service endpoints.

• If you wish to access the storage account over Microsoft backbone from the application gateway subnet you may use service endpoint, which will associate the storage account to the application gateway subnet over the Microsoft backbone.
• 3.Allow access from selected virtual network subnets using private endpoints.
• However, if you wish to completely block the internet access to public network access, you may choose the Disabled option and go ahead with Private endpoint connections.
• 

• Refer the below link for private endpoint creation.
• https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal?tabs=dynamic-ip

If the below answer addressed your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Ujjawal Tyagi