Unable to bypass network traffic through firewall, if private link is configured for storage account.

Paritosh Kabra 0

I have a firewall configured in subnet x in my vnet.
I also have an aks cluster launched in the same vnet, within subnet y.

I have configured a private endpoint for a storage account, and am trying to access the same from my aks subnet, which is successfully accessible.

In my knowledge, since this traffic is internal subnet traffic within the vnet, this shouldn't have been going through the firewall, since the routing configuration passes the traffic through firewall if it's an internet traffic (wildcard match again 0.0.0.0/0).

Deepanshukatara-6769 10,765 Reputation points

2024-11-04T05:18:47.9933333+00:00
Hello Paritosh, Welcome to MS Q&A

Your understanding is correct. If the traffic is internal to the virtual network (VNet) and is between subnets within the same VNet, it should not pass through the firewall unless explicitly configured to do so. The firewall is typically used to control traffic between the VNet and external networks, such as the internet.

To configure a firewall in a Virtual Network (VNet) with Azure Kubernetes Service (AKS) and a private endpoint, you can follow these steps:

Set Up Azure Firewall: Create an Azure Firewall instance in your VNet. This will act as a central point for managing traffic.

Private Endpoint Configuration: Ensure that your private endpoint is set up correctly to allow communication between your AKS and other Azure services privately.

Network Rules: Configure network rules in Azure Firewall to allow traffic to and from your AKS cluster. You may need to allow specific ports (like TCP 443 for HTTPS) for communication with services such as Microsoft Entra ID and Azure Resource Manager.

User-Defined Routes (UDR): Create a User-Defined Route that directs traffic to the Azure Firewall for the subnets associated with your AKS cluster. This ensures that traffic is routed through the firewall.

Inspect Traffic: Use Azure Firewall to inspect or block traffic destined for your private endpoints. This can be done by configuring application rules for HTTP, HTTPS, and other protocols.

Testing Connectivity: After configuration, validate connectivity by accessing services through the firewall's public IP address.

By following these guidelines, you can effectively manage and secure traffic in your VNet with AKS and private endpoints.

References:

Use Azure Firewall to protect Azure Kubernetes Service (AKS) clusters

Azure Firewall scenarios to inspect traffic destined to a private endpoint

Please let us know if you have any further questions

Kindly accept answer if it helps

Thanks

Deepanshu
Paritosh Kabra 0 Reputation points

2024-11-04T06:28:23.2266667+00:00

Thanks for your response. But I had already configured the azure firewall and route table for the internet traffic as mentioned in:

The problem is even though I have my private endpoint configured for storage account, this is still visible in the logs obtained from azure firewall, that the traffic of uploading data to the storage account is going through the firewall.

And seem to fail without an ALLOW rule for Microsoft.Storage service tag in the firewall ALLOW rules.
Deepanshukatara-6769 10,765 Reputation points

2024-11-04T10:22:57.4833333+00:00

Ok then I think network policies are enabled for your subnet in a virtual network by default it should be disabled so that certain security rules or configurations—specifically those involving Network Security Groups (NSGs) and User-Defined Routes (UDRs)—do not apply to private endpoints within that subnet.

Please check this doc for more ref and also look for steps to disable this policy if enabled

https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal\

If still have questions , please let me know

1 answer

KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee

2024-11-05T05:57:07.4166667+00:00
@Paritosh Kabra ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that

You have a Private EndPoint for Storage Account

Internet traffic are expected to go via Azure Firewall using the 0.0.0.0/0 route in UDR

However, despite having the PE, you see the traffic is going via Azure Firewall.

Please note that having a Private EndPoint alone does not guarantee that the traffic stays within the VNET (or peered networks)

You should also have a Private DNS Zone that resolves the Storage Account's FQDN to the Private IP of the Storage Account's PE

Without this, the DNS would resolve to the Public IP of the Storage Account and traffic would go to Internet (via Firewall in your case because of 0.0.0.0/0 route)

See : DNS changes for private endpoints

As next steps,

Can you confirm if Private DNS Zone is in place?

Can you run the below commands from your VM?

nslookup <StorageAccountFQDN>

nslookup <StorageAccountFQDN> 8.8.8.8

nslookup <StorageAccountFQDN> 168.63.129.16

If you see the above commands resolving to a Public IP,

Please create a Private DNS Zone matching your service : Storage

Create an A record with the record value as StorageAccountName and value as the Private EndPoint IP : https://learn.microsoft.com/en-us/azure/dns/dns-private-records

Link this to the Azure VNET : https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal#link-the-virtual-network

Let us know how this goes

Cheers,

Kapil
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Unable to bypass network traffic through firewall, if private link is configured for storage account.

1 answer

Your answer