
Azure VM disk with public access


Why does the recommended step for "Azure VM disk with public access" point to enabling a private access link with a private endpoint instead of just disabling public access on the VM disk? I tried manually disabling public access and did not see any impact. If disabling public access would work, then I am thinking of applying the following:

    # Connect to Azure
    Connect-AzAccount

    # Get all VM disks with public access enabled
    $disks = Get-AzDisk | Where-Object { $_.DiskState -eq 'Attached' -and $_.DiskSizeGB -gt 0 -and $_.PublicNetworkAccess -eq 'Enabled' }

    # Disable public access for each disk
    foreach ($disk in $disks) {
        Write-Host "Disabling public access for disk $($disk.Name)..."

        # Build an update that turns off public network access, then apply it to the disk
        $update = New-AzDiskUpdateConfig -PublicNetworkAccess 'Disabled'
        Update-AzDisk -ResourceGroupName $disk.ResourceGroupName -DiskName $disk.Name -DiskUpdate $update | Out-Null
        Write-Host "Public access disabled for disk $($disk.Name)."
    }

Trying to figure out the best and easiest way to stay compliant.


Solution

  • Enabling a Private Endpoint with Private Access Link for Azure VM disks will provide more security and control over access to the disk, but it does not prevent access from other Azure resources or from within the Azure Virtual Network.

    Disabling public access on the Azure VM disk will restrict access from the public internet, but it does not provide the same level of isolation and control as using a Private Endpoint and Private Access Link.

    The recommendation to use a Private Endpoint with Private Access Link for Azure VM disks with public access aims to provide a highly secure solution that aligns with best practices for network security.

    Here is the updated script to disable public access on all VM disks that have public access enabled.

        # AllowPrivate requires the resource ID of an existing Disk Access resource
        # (the target of your private endpoint, in the same region as the disks);
        # replace the placeholder below
        $diskAccessId = '<disk access resource ID>'

        #Get all VM disks with public access enabled
        $disks = Get-AzDisk | Where-Object { $_.DiskState -eq 'Attached' -and $_.DiskSizeGB -gt 0 -and $_.PublicNetworkAccess -eq 'Enabled' }
        
        #Disable public access for each disk
        foreach ($disk in $disks) {
            Write-Host "Disabling public access for disk $($disk.Name)..."
            
            # Update the disk: public network access off, export only through the private endpoint
            $update = New-AzDiskUpdateConfig -PublicNetworkAccess "Disabled" -NetworkAccessPolicy "AllowPrivate" -DiskAccessId $diskAccessId
            Update-AzDisk -ResourceGroupName $disk.ResourceGroupName -DiskName $disk.Name -DiskUpdate $update | Out-Null
            Write-Host "Public access disabled for disk $($disk.Name)."
        }
    

    Output: [screenshot of the script run; image not reproduced]
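The script below is an added example and is not code from the question or the answer above. It assumes the Az.Compute and Az.Network modules are installed, that Connect-AzAccount has already been run, and that the resource group, Disk Access, VNet and subnet names are placeholders to be replaced. It audits every managed disk against the two properties the thread is really about and then applies either of the two remediations discussed: `NetworkAccessPolicy` decides whether a disk's data can be exported or imported at all (`AllowAll`, the default), only through a Disk Access resource behind a private endpoint (`AllowPrivate`), or not at all (`DenyAll`); `PublicNetworkAccess` decides whether such an export SAS URI may be used from the public internet. Neither property affects the normal reads and writes of the VM the disk is attached to, which is why flipping them produces no visible change on a running VM.

```powershell
# Added example, not part of the original post. Assumes Az.Compute + Az.Network and an
# existing Connect-AzAccount session. All resource names below are placeholders.

function Get-DiskNetworkPosture {
    # Classify every managed disk in the subscription by its export/import network settings.
    # Both properties may be $null on older disks, which means the permissive default.
    Get-AzDisk | ForEach-Object {
        $policy = if ($_.NetworkAccessPolicy) { $_.NetworkAccessPolicy } else { 'AllowAll' }
        $public = if ($_.PublicNetworkAccess) { $_.PublicNetworkAccess } else { 'Enabled' }
        [pscustomobject]@{
            Name                = $_.Name
            ResourceGroup       = $_.ResourceGroupName
            Location            = $_.Location
            NetworkAccessPolicy = $policy
            PublicNetworkAccess = $public
            DiskAccessId        = $_.DiskAccessId
            # Public SAS export is blocked once PublicNetworkAccess is Disabled
            Compliant           = ($public -eq 'Disabled')
            # Stricter posture: export only via private endpoint, or not at all
            PrivateOnly         = ($policy -in 'AllowPrivate', 'DenyAll')
        }
    }
}

function Set-DiskPrivateOnly {
    # Remediate one disk. With -DiskAccessId: export/import stays possible, but only through
    # the private endpoint (AllowPrivate). Without it: block SAS export/import entirely (DenyAll).
    # The Disk Access resource must be in the same region as the disk.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $Disk,
        [string] $DiskAccessId
    )
    if ($DiskAccessId) {
        $update = New-AzDiskUpdateConfig -PublicNetworkAccess 'Disabled' `
                      -NetworkAccessPolicy 'AllowPrivate' -DiskAccessId $DiskAccessId
    } else {
        $update = New-AzDiskUpdateConfig -PublicNetworkAccess 'Disabled' -NetworkAccessPolicy 'DenyAll'
    }
    if ($PSCmdlet.ShouldProcess($Disk.Name, "set NetworkAccessPolicy=$($update.NetworkAccessPolicy)")) {
        Update-AzDisk -ResourceGroupName $Disk.ResourceGroupName -DiskName $Disk.Name -DiskUpdate $update | Out-Null
    }
}

# --- Usage ---
$rg       = 'rg-disk-security'   # placeholder
$location = 'eastus'             # placeholder; must match the disks being remediated

# 1. One Disk Access resource per region plus a private endpoint (group ID 'disks') in the VNet.
$diskAccess = Get-AzDiskAccess -ResourceGroupName $rg -Name 'da-prod-disks' -ErrorAction SilentlyContinue
if (-not $diskAccess) {
    $diskAccess = New-AzDiskAccess -ResourceGroupName $rg -Name 'da-prod-disks' -Location $location
    $subnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod' |
               Get-AzVirtualNetworkSubnetConfig -Name 'snet-privatelink'
    $plsConn = New-AzPrivateLinkServiceConnection -Name 'da-prod-disks-conn' `
                   -PrivateLinkServiceId $diskAccess.Id -GroupId 'disks'
    New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-da-prod-disks' -Location $location `
        -Subnet $subnet -PrivateLinkServiceConnection $plsConn | Out-Null
}

# 2. Remediate every non-compliant disk in that region. Remove -WhatIf to apply for real.
#    Pass no -DiskAccessId instead if you never export disks and prefer DenyAll.
Get-DiskNetworkPosture | Where-Object { -not $_.Compliant -and $_.Location -eq $location } | ForEach-Object {
    $disk = Get-AzDisk -ResourceGroupName $_.ResourceGroup -DiskName $_.Name
    Set-DiskPrivateOnly -Disk $disk -DiskAccessId $diskAccess.Id -WhatIf
}

# 3. Re-audit: whatever is still listed is what the compliance check will keep flagging.
Get-DiskNetworkPosture | Where-Object { -not $_.Compliant } |
    Format-Table Name, ResourceGroup, NetworkAccessPolicy, PublicNetworkAccess, PrivateOnly
```

Run step 1 and 2 with `-WhatIf` first to see which disks would change, then drop it. If the compliance tool in question also requires the private-link posture rather than just blocking public access, the `PrivateOnly` column is the one to drive the filter in step 2.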