
Azure CLI command to make changes to storage accounts


I was looking to get help with writing an Azure CLI command to make changes to storage accounts:

  • Storage accounts to use private link
  • Storage account public access to be blocked
  • Storage accounts should restrict network access using VNET rules
  • Firewall and Private Endpoint should be configured on key vault

Solution

  • Storage accounts to use private link

    • To set/approve a private endpoint connection for the Azure Storage account, the AZ CLI command is az storage account private-endpoint-connection approve.

    • To manage private-link resources on a storage account, use az storage account private-link-resource.


  • Storage account public access to be blocked

    There are 2 types of public access that can be allowed or disallowed on Azure Storage accounts:

    • --public-network-access: Its values are Disabled and Enabled for the storage account.

    • --allow-blob-public-access: Its values are false and true, which controls public access to all blobs or containers in the storage account.


  • Storage accounts should restrict network access using VNET rules

    To allow access to the storage account from a specific address range:

    az storage account network-rule add -g myRg --account-name mystorageaccount --ip-address 23.45.1.0/24
    

    To allow access to the storage account from a subnet:

    az storage account network-rule add -g myRg --account-name mystorageaccount --vnet-name myvnet --subnet mysubnet
    

    Note: --subnet means Name or ID of subnet. If name is supplied, --vnet-name (Name of a virtual network) must be supplied.

    Refer here for more information.


  • Firewall and Private Endpoint should be configured on key vault

    There are plenty of AZ CLI commands on keyvault for approving, listing, deleting, and managing private-endpoint-connections, such as:

    az keyvault private-endpoint-connection
    
    az keyvault private-endpoint-connection approve
    
    az keyvault private-endpoint-connection delete
    
    az keyvault private-endpoint-connection list
    
    az keyvault private-endpoint-connection reject
    
    az keyvault private-endpoint-connection show
    

    To override the set firewall rules in the key vault during creation or update, use az keyvault --public-network-access; its values are Disabled and Enabled. The --public-network-access property specifies whether the vault will accept traffic from the public internet.

    Refer here for more information on AZ key Vault commands.

    Note: Complete list of Azure CLI Commands on Storage Accounts
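
An added example, not part of the original answer: a Python check that reads the JSON printed by `az storage account show` and reports which of the storage settings discussed above are not in place. It goes one step beyond the answer by also checking `networkRuleSet.defaultAction`, because IP and VNet rules only restrict traffic when the default action is Deny. The sample JSON is constructed, and the field names are assumed to match the CLI's JSON output.

```python
import json

# Constructed sample of `az storage account show -g myRg -n mystorageaccount -o json`,
# trimmed to the fields checked here. Field names are assumed to match the CLI output.
SAMPLE = json.loads("""
{
  "name": "mystorageaccount",
  "publicNetworkAccess": "Enabled",
  "allowBlobPublicAccess": true,
  "networkRuleSet": {
    "defaultAction": "Allow",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "23.45.1.0/24"}],
    "virtualNetworkRules": []
  },
  "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Pending"}}
  ]
}
""")


def audit_storage_account(acct):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    rules = acct.get("networkRuleSet") or {}
    public_off = acct.get("publicNetworkAccess") == "Disabled"

    # Anonymous blob/container access: anything but an explicit false is flagged.
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("allowBlobPublicAccess is not false")

    # With the public endpoint enabled, the IP/VNet rules are only enforced
    # when the default action is Deny; with Allow, every network gets through.
    if not public_off and rules.get("defaultAction") != "Deny":
        findings.append("public endpoint open: defaultAction is not Deny")

    # Private link: at least one connection must be in the Approved state.
    states = [
        (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        for conn in acct.get("privateEndpointConnections") or []
    ]
    if "Approved" not in states:
        findings.append("no approved private endpoint connection")
    return findings


if __name__ == "__main__":
    for finding in audit_storage_account(SAMPLE):
        print("FINDING:", finding)
```

To check a real account, pass the parsed output of `az storage account show -g myRg -n mystorageaccount -o json` to `audit_storage_account` in place of `SAMPLE`.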