I currently have several Event Subscriptions configured on an Event Grid Domain Topic, some of which have dead lettering configured to various Storage Account Blob Containers. At the moment this Storage Account allows public access on the Access Control List.
I am looking to improve our security posture on this Storage Account and was wondering if changing this to Enabled from selected virtual networks and IP addresses and selecting the allow Azure services on the trusted services list to access this storage account will allow Event Grid to write to the Storage Account Blob containers.
The "Trusted access for resources registered in your subscription" section of the documentation does not make it clear to me whether publishing to Blob containers is a supported scenario. Has anyone configured Storage Account network access lists to support this scenario?
TLDR
Securing the storage account by clicking the "Enabled from selected virtual networks and IP addresses" button on the networking tab of the Storage Account restricts all access from public networks. The important part of this process is to enable the "Allow Azure services on the trusted services list to access this storage account." network exception rule to allow Event Grid to communicate.
I will close this ticket and raise another story / tasks to action the change in the normal release cycle.
The long explanation
I created a new resource group containing a new Event Grid Domain, Topic, Subscription and a Function App endpoint as the subscription endpoint. I used Postman on my machine to publish events to this topic. A publicly accessible storage account was created with a blob container for the dead letter queue.
Round 1
With all services publicly accessible, I published several messages to the topic. From monitoring the function app log I could see these messages were reaching the target successfully. Checking the dead letter container after 5 minutes resulted in no entries. Checking the Event Grid subscription showed successful delivery.
Round 2
I stopped the subscription endpoint function app and published 10 events; the storage account was still publicly accessible. Event Grid showed the matched subscriptions and failed deliveries. After 5 minutes Event Grid showed the dead lettered events. Checking the storage account I could see the dead letter blob container's date-based folder structure and json files containing the failed messages.
Round 3
I enabled the network restrictions and the "Allow Azure services on the trusted services list to access this storage account" exception on the storage account. I published 10 events to the Event Grid topic, which showed the matched subscriptions and failed deliveries. After 5 minutes Event Grid showed the dead lettered events. Checking the storage account, new dead letter folders and json files were present.
Round 4
As these network changes can sometimes take several minutes to fully propagate, I reran the same test over the next hour and after lunch. This again successfully created new folders and json files for the failed delivery events.
The why?
Why did we need to do the test this way? Well, the documentation is unclear on what the Azure trusted services list encompasses; specifically, the Event Grid entry reads: "Enable Blob Storage event publishing and allow Event Grid to publish to storage queues. Learn about blob storage events and publishing to queues." This is unclear, to me anyway, as to whether publishing to dead letter blob containers is covered by this functionality.
I will raise a change with MS to update the documentation.
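For anyone who wants to apply the configuration from the TLDR through infrastructure-as-code rather than the portal, the same setup expressed as a Bicep template. This is an added example, not code from the question or the answer above: the resource names, the location, the "deadletter" container name, the hypothetical functionResourceId parameter and the sample "orders" topic are assumptions. The networkAcls block is the part that matters: defaultAction 'Deny' is the "Enabled from selected virtual networks and IP addresses" setting, and bypass 'AzureServices' is the "Allow Azure services on the trusted services list" exception that lets Event Grid reach the dead letter container.

```bicep
// Added example: storage account locked to selected networks, with the
// trusted-services bypass so Event Grid can write dead-lettered events.
// Assumed parameter values; nothing here is taken from the original post.
param location string = resourceGroup().location
param storageAccountName string = 'stdeadletter001'   // assumed name
param domainName string = 'evgd-demo'                  // assumed name
param topicName string = 'orders'                      // assumed topic
param deadLetterContainerName string = 'deadletter'    // assumed container

// Hypothetical: full resource ID of the Function App function that is the
// subscription endpoint, e.g. .../sites/<app>/functions/<function>
param functionResourceId string

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false      // no anonymous blob reads
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      // "Enabled from selected virtual networks and IP addresses":
      // the public endpoint is closed unless a rule or bypass matches.
      defaultAction: 'Deny'
      // "Allow Azure services on the trusted services list to access
      // this storage account" - required for Event Grid dead lettering.
      bypass: 'AzureServices'
      ipRules: []
      virtualNetworkRules: []
    }
  }
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: storage
  name: 'default'
}

// Container that receives the dead-lettered events.
resource deadLetterContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: deadLetterContainerName
  properties: { publicAccess: 'None' }
}

resource domain 'Microsoft.EventGrid/domains@2022-06-15' = {
  name: domainName
  location: location
}

resource domainTopic 'Microsoft.EventGrid/domains/topics@2022-06-15' = {
  parent: domain
  name: topicName
}

// Subscription on the domain topic: delivers to the function and
// dead-letters undeliverable events into the locked-down storage account.
resource subscription 'Microsoft.EventGrid/eventSubscriptions@2022-06-15' = {
  name: 'sub-${topicName}-function'
  scope: domainTopic
  properties: {
    destination: {
      endpointType: 'AzureFunction'
      properties: { resourceId: functionResourceId }
    }
    deadLetterDestination: {
      endpointType: 'StorageBlob'
      properties: {
        resourceId: storage.id
        blobContainerName: deadLetterContainer.name
      }
    }
  }
}
```

Two points worth keeping in mind when rolling this out. The bypass admits every service on Microsoft's trusted services list, not only Event Grid, so it is a coarser exception than an IP or virtual network rule; pair it with allowBlobPublicAccess false and container-level publicAccess 'None' as above so the network rule is not the only control. Because the answer notes that network rule changes can take minutes to propagate, confirm the effective setting before repeating the dead-letter test, for example with az storage account show -n <name> -g <rg> --query networkRuleSet and checking that defaultAction is Deny and bypass includes AzureServices.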