Azure Automation: Disable Public Access To Private Endpoint


Description:

One task I wanted to set up after deploying an Automation Account via Terraform was a nightly scheduled runbook. It logs in to Azure with the Automation Account's managed identity, enumerates the Storage Accounts in every subscription, and for each account that already has an approved Private Endpoint disables "Public Network Access", so that the account can only be reached over Private Link. Support for this setting is currently in development in the AzureRM Terraform provider, so I will run a script until it lands.

To Resolve:

  1. First, to be clear: creating or enabling a Private Endpoint (PEP) does not, by itself, disable public access to the resource.
    • I assumed it did when I first read about it, because of phrasing like "eliminating exposure from the public internet" in this article.
    • Then I read that it is a good idea to disable public access after enabling a PEP.
    • Either way, the takeaway is that enabling a PEP adds a way to reach the endpoint but takes nothing away on its own: the public endpoint keeps answering, subject only to whatever firewall rules were already in place.
    • If you want access to go ONLY through the PEP, you must go out of your way to disable all other traffic, which for a Storage Account means setting Public Network Access to Disabled. Check first that nothing still depends on the public endpoint (the portal's Storage browser used from outside the private network, CI runners, on-premises clients without Private Link DNS and routing), because those requests are refused once the switch is flipped.
  2. This is the runbook I wrote to do just that. It loops through all subscriptions and, if a Storage Account has at least one approved PEP, sets it so that all traffic has to go through the PEP:

    # Runbook: disable public network access on every Storage Account that has an
    # approved Private Endpoint, across all subscriptions the managed identity can see.
    # The Automation Account's system-assigned managed identity needs rights to read and
    # update Storage Accounts in each subscription it should process (e.g. Storage Account Contributor).
    Try
    {
       Write-Output "Logging in to Azure..."
       # https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation
       Disable-AzContextAutosave -Scope Process
       $AzureContext = (Connect-AzAccount -Identity).context
       $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
       Write-Output "Logging in to Azure...Completed"
    }
    Catch
    {
       Write-Error -Message $_.Exception
       throw $_.Exception
    }
    
    $Subscriptions = Get-AzSubscription -DefaultProfile $AzureContext
    
    Foreach ( $Subscription in $Subscriptions )
    {
       # Select the subscription by Id rather than Name: names are not guaranteed to be unique
       $CurrentContext = Set-AzContext -Subscription $Subscription.Id
       Write-Output "Processing Subscription: $($Subscription.Name)"
       # Wrap in @() so .Count works even when zero or one account comes back
       $StorageAccounts = @(Get-AzStorageAccount -DefaultProfile $CurrentContext)
       If ( $StorageAccounts.Count -gt 0 )
       {
          Foreach ( $StorageAccount in $StorageAccounts )
          {
             Write-Output "Processing: $($StorageAccount.StorageAccountName)"
             Write-Output "Checking if Storage Account has a Private Endpoint..."
             $PEP = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $StorageAccount.Id)
    
             If ( $PEP.Count -eq 0 )
             {
                Write-Output "Storage account does not have a Private Endpoint, moving on ...."
             }
             Else
             {
                # There may be several connections. Only a fully provisioned, approved one is a
                # working private path, and it need not be the first in the list, so filter for
                # any approved connection instead of looking at $PEP[0] alone. Disabling public
                # access with only a pending/rejected PEP would lock everyone out of the account.
                $Approved = @($PEP | Where-Object {
                   ($_.ProvisioningState -eq "Succeeded") -and
                   ($_.PrivateLinkServiceConnectionState.Status -eq "Approved")
                })
    
                If ( $Approved.Count -gt 0 )
                {
                   Write-Output "Storage Account has an approved Private Endpoint. Checking if Public Network Access is set to Disabled..."
                   If ( $StorageAccount.PublicNetworkAccess -eq "Disabled" )
                   {
                      Write-Output "Storage Account Public Network Access already set to Disabled"
                   }
                   Else
                   {
                      Write-Output "Setting network access to disabled..."
                      Set-AzStorageAccount -ResourceGroupName $StorageAccount.ResourceGroupName -Name $StorageAccount.StorageAccountName -PublicNetworkAccess "Disabled"
                      Write-Output "Setting network access to disabled...Completed"
                   }
                }
                Else
                {
                   Write-Output "Storage account has a Private Endpoint, but none is approved yet. Moving on ...."
                }
             }
          }
       }
       Else
       {
          Write-Output "Subscription has no Storage Accounts"
       }
       Write-Output "=========================="
    }
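Before scheduling a runbook that changes every Storage Account it finds, it is worth seeing what it would do. The following read-only audit is an added example (not part of the original post or runbook); it classifies each account's network exposure so the point from step 1 is visible in the output: an account with an approved Private Endpoint and Public Network Access still Enabled is exactly the case the runbook fixes. `Get-StorageNetworkPosture` and the posture labels (PrivateOnly, PublicRestrictedByFirewall, PublicOpen, Unreachable) are my own naming; the Az cmdlets and the `PublicNetworkAccess`, `NetworkRuleSet` and `PrivateLinkServiceConnectionState` properties are the real ones used by the runbook above.

```powershell
# Added example, not the original runbook: read-only audit of Storage Account network exposure.
# Get-StorageNetworkPosture is a hypothetical helper name; the posture labels are this
# example's own classification, not Azure terminology.
function Get-StorageNetworkPosture {
    param(
        [Parameter(Mandatory)] $StorageAccount,                      # one object from Get-AzStorageAccount
        [Parameter(Mandatory)] [AllowEmptyCollection()] [array] $PrivateEndpointConnections  # from Get-AzPrivateEndpointConnection
    )

    # Only a provisioned, approved connection is a usable private path (same test as the runbook)
    $approved = @($PrivateEndpointConnections | Where-Object {
        $_.ProvisioningState -eq 'Succeeded' -and
        $_.PrivateLinkServiceConnectionState.Status -eq 'Approved'
    })
    $publicAccess  = $StorageAccount.PublicNetworkAccess           # Enabled / Disabled
    $defaultAction = $StorageAccount.NetworkRuleSet.DefaultAction  # Allow / Deny (the account firewall)

    $posture = if ($publicAccess -eq 'Disabled') {
        # Public endpoint is off. With no approved PEP nothing can reach the data plane at all.
        if ($approved.Count -gt 0) { 'PrivateOnly' } else { 'Unreachable' }
    } elseif ($defaultAction -eq 'Deny') {
        # Public endpoint still answers; exposure is governed by IP/VNet rules and the Bypass setting
        'PublicRestrictedByFirewall'
    } else {
        # Default state: any authorised caller on the internet can use the public endpoint,
        # whether or not a PEP exists. This is the "PEP adds, never removes" case from step 1.
        'PublicOpen'
    }

    [pscustomobject]@{
        StorageAccount      = $StorageAccount.StorageAccountName
        PublicNetworkAccess = $publicAccess
        DefaultAction       = $defaultAction
        Bypass              = $StorageAccount.NetworkRuleSet.Bypass
        ApprovedPEPs        = $approved.Count
        Posture             = $posture
        # True exactly when the nightly runbook would flip the switch on this account
        NeedsChange         = ($approved.Count -gt 0 -and $publicAccess -ne 'Disabled')
    }
}

# Driver: sweep every subscription without changing anything. Run it before enabling the
# schedule to preview the runbook's changes, and again afterwards to confirm no account
# with an approved PEP is still PublicOpen or PublicRestrictedByFirewall.
Connect-AzAccount -Identity | Out-Null   # use plain Connect-AzAccount from a workstation
$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null
    foreach ($sa in Get-AzStorageAccount) {
        $peps = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $sa.Id -ErrorAction SilentlyContinue)
        Get-StorageNetworkPosture -StorageAccount $sa -PrivateEndpointConnections $peps |
            Add-Member -NotePropertyName Subscription -NotePropertyValue $sub.Name -PassThru
    }
}

$report | Sort-Object Posture, StorageAccount | Format-Table -AutoSize
Write-Output "Accounts the runbook would change:"
$report | Where-Object NeedsChange | Format-Table Subscription, StorageAccount, PublicNetworkAccess, ApprovedPEPs -AutoSize
```

The `Unreachable` row is the one to watch when reviewing output after the runbook has run: it cannot be produced by the runbook itself (it only acts on accounts with an approved PEP), but it does appear if someone later removes or rejects the only Private Endpoint on an account whose public access is already off, and the fix is to approve a PEP rather than to re-enable the public endpoint.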