How to Secure Access to Storage Account for a Custom Script Used During VM Creation

razec18 220 Reputation points
2025-01-03T10:12:01.27+00:00

Hi everyone,

I have a storage account that hosts a custom PowerShell script. This script is used during the creation of virtual machines to perform tasks such as joining the machine to a domain, changing the timezone to Brazil, and making other minor configurations.

Currently, the storage account is accessible over the public internet (allowing all network connections), which raises security concerns. Since the VM needs to access the storage account during its provisioning process to retrieve the script, I am looking for ways to enhance the security of this setup.

Would implementing a private endpoint be a good approach for this scenario? Or is there another recommended method to secure the storage account while still allowing the VM to access it during creation?

Any advice or ideas would be greatly appreciated.

Azure Storage Accounts

1 answer

  1. Hari Babu Vattepally 1,200 Reputation points Microsoft Vendor
    2025-01-03T15:31:58.8433333+00:00

    Hi @razec18

    Welcome to Microsoft Q&A Forum. Thanks for posting your query here!

    I understand that you would like to Secure Access to Storage Account for a Custom Script Used During VM Creation.

    Yes, implementing a private endpoint is a good approach to secure your storage account while allowing access from virtual machines (VMs). A private endpoint provides secure connectivity between clients on your virtual network (VNet) and your storage account, ensuring that the traffic does not traverse the public internet, which eliminates exposure to the public internet. This setup allows the VMs to securely retrieve the custom PowerShell script without the risks associated with public access.

    Firstly, create a private endpoint: go to the Azure portal, navigate to your storage account, and create a new Private Endpoint.

    Once the private endpoint is created, configure the Private Endpoint by selecting the virtual network and subnet where your VMs will be created.

    And then modify your VM creation script to use the Private Endpoint's IP address or DNS name to access the storage account.

    Additionally, you can configure the storage firewall to block connections from the public endpoint, further securing your storage account.

    For additional information, please refer to the following documents:

    Connect to a storage account using an Azure private endpoint

    Use private endpoints for Azure Storage

    Hope this helps in resolving the issue.

    Please let us know if this solves the issue and do let us know if you have any further queries.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
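The four steps in the answer above (create the private endpoint, attach it to the VM subnet, make the script URL resolve to it, and close the public endpoint), carried through in Az PowerShell as an added example. This is not code from the question, the answer, or Microsoft's documentation. Every name in it is constructed for illustration: resource group `rg-vm-infra`, storage account `stscripts01`, VNet `vnet-prod`, subnet `snet-vms`, region `brazilsouth`. It assumes the Az.Accounts, Az.Network, Az.PrivateDns and Az.Storage modules (a recent Az.Storage for the `-PublicNetworkAccess` switch) and that `Connect-AzAccount` has already been run with rights on the resource group.

```powershell
# Added example, not part of the original thread. All resource names below are
# constructed placeholders; replace them with your own.
$rg       = 'rg-vm-infra'
$location = 'brazilsouth'
$stName   = 'stscripts01'
$vnetName = 'vnet-prod'
$snetName = 'snet-vms'

$st   = Get-AzStorageAccount -ResourceGroupName $rg -Name $stName
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snetName

# 1. Private endpoint for the "blob" sub-resource, placed in the subnet where
#    the VMs are created (the script is served from a blob container).
$conn = New-AzPrivateLinkServiceConnection -Name "$stName-blob-plsc" `
          -PrivateLinkServiceId $st.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$stName-blob" `
        -Location $location -Subnet $snet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone linked to the VNet. With this in place the normal FQDN
#    stscripts01.blob.core.windows.net resolves to the endpoint's private IP
#    from inside the VNet, so the URL in the VM creation script does not change.
$zoneName = 'privatelink.blob.core.windows.net'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# 3. Close the public endpoint: deny by default in the storage firewall and
#    switch public network access off, so only the private endpoint remains.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName `
    -DefaultAction Deny -Bypass None | Out-Null
Set-AzStorageAccount -ResourceGroupName $rg -Name $stName `
    -PublicNetworkAccess Disabled | Out-Null

# 4. Verification, to be run from a VM inside snet-vms: the FQDN must resolve to
#    an RFC 1918 address (the private endpoint NIC), and TCP 443 must be open.
#    A public IP here means the VNet is not linked to the private DNS zone.
$fqdn = "$stName.blob.core.windows.net"
$ip = (Resolve-DnsName $fqdn -Type A | Where-Object { $_.Type -eq 'A' }).IPAddress
if ($ip -notmatch '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)') {
    throw "$fqdn resolved to $ip, which is not a private address; check the private DNS zone link"
}
Test-NetConnection -ComputerName $fqdn -Port 443
```

The private endpoint only changes the network path. The VM still has to be authorized to read the blob: with public network access disabled the container should not be anonymous, so give the VM a managed identity with the Storage Blob Data Reader role on the account (or hand the Custom Script Extension a short-lived SAS) rather than relying on the old public-container setup. Step 3 is the one to apply last, after the DNS check in step 4 passes from a VM in the subnet; applying it first leaves every VM without access to the script until the private path works.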

