what is accessing my storage account?

Question

Hi.

I have an old azure migrate storage account (+- 1Tb) i wish to remove

I still see transactions to the storage account so I enabled diagnostic settings to write all events to log analytics workspace.

All transactions come from private IP addresses, I assume service endpoints. See below for an example.

How can i find out what is still want to write files ? And determine if it's safe to delete this storage account?

Answer 1

Hi Tommie van Lent - Thanks for reaching out over Q&A Forum.

Yes, in order to start with investigation as to what is accessing the account, it is suggested to enable the diagnostic logging. Thereafter, we have to narrow down based on the available fields such as Client IP, URI, UserAgent header etc.

From the snippet you shared, it appears the user agent is some .NET SDK and container URL point to ASR, so probably something related to Azure Site Recovery but you have to re-verify that once. Also for the Private IP concern, that could be because of either resource in same region access storage regions and hence the call via internal backbone or some VNET/PE.

Please let me know if there are any further queries/concerns, will be glad to assist.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hi @Tommie van Lent

Welcome to Microsoft Q&A Forum. Thanks for posting your query!

In additional to above provided solution by Amrinder Singh, I can also try to investigate what is accessing your Azure Storage account, you can find information in Storage Analytics Logs. Also, you can utilize diagnostic logging which is already enabled as informed in the above. Since you are seeing transactions coming from Private IP address, it is mostly likely that these requests are coming from services within Azure environment, possible it might be from service endpoints.

Please follow below few of the steps which might be helpful to further analyze the issue:

1. Check the logs in your Log Analytics workspace for detailed information about the requests. Look for patterns in the requests, such as the types of operations being performed (e.g., CreateContainer) and the frequency of these requests.
2. Since you mentioned that the Caller IP is a non-existing IP in your VNET, it could indicate that the requests are coming from a service endpoint. You can further investigate the source of these requests by correlating the IP addresses with your Azure resources.
3. Also, you can cross-reference the operations with any existing services or applications that might still be using the storage account. This could include checking for any Azure Functions, Logic Apps, or other services that may have been configured to access the storage.
4. Here, you can also utilize Azure Monitor and Storage Insights to get a comprehensive view of the transaction volume and used capacity of your storage account. This can help you determine if the account is still in use and if it’s safe to delete.
5. Also, check any access policies or shared access signatures (SAS) that may have been created for the storage account, as these could allow other services or applications to access it.

For more additional information, please refer the documents below:

• Best practices for monitoring Azure Blob Storage
• Storage Insights
• Storage Analytics
• Monitor Azure Blob Storage

I hope by following the above instructions helps in resolving the issue.

Please feel free to reach us for any further quires or if the issue still persists. We will be glad to assist you closely.

Please do consider to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.