Azure Automation: Disable Public Access To Private Endpoint
Description:
So one task I wanted to set up after deploying an Automation Account via Terraform was a scheduled runbook that runs a script nightly. The script logs in to Azure, gets all Storage Accounts across all subscriptions, and if a Storage Account has a Private Endpoint, disables its "Public Network Access". This setting is currently in development in the AzureRM Terraform provider, so I will just run the script until that lands. Once the provider does support it, the setting belongs in Terraform and the script should be retired; otherwise the two will fight over the value and every plan will show drift.
To Resolve:
- First, to be clear, just because you create/enable a Private Endpoint (PEP) does not mean that public access has been disabled.
- I thought so when I first heard about it because of phrasing like "eliminating exposure from the public internet" from this article.
- But then I read it was a good idea to disable public access after enabling a PEP.
- Regardless, the takeaway is that enabling a PEP adds an option to access the endpoint but doesn't take away anything on its own. The storage firewall (default action Allow/Deny plus IP and VNet rules) and the "Public Network Access" switch are separate settings that stay exactly as they were.
- You must go out of your way to disable all other traffic if you wish to restrict access to ONLY go through the PEP.
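To make the point concrete, here is an added example (it is not code from the original post) that reports, per storage account, the three settings that actually decide reachability, and flags the "has a PEP but public access is still on" case the list above warns about. `Get-StorageExposure` is a hypothetical helper written for this post; the sample accounts are constructed so the classification runs without an Azure login, and the commented-out block at the end shows the same lookups the runbook uses to feed it live data.

```powershell
# Added example (not from the original post): report, for each storage account, the three
# settings that decide reachability, since an approved Private Endpoint does not change any of
# them. Get-StorageExposure is a hypothetical helper written for this post; the sample inputs
# below are constructed so the classification runs without an Azure login.

function Get-StorageExposure {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $PublicNetworkAccess = 'Enabled',   # $null on older accounts means Enabled
        [string] $DefaultAction       = 'Allow',     # storage firewall default: Allow | Deny
        [int]    $IpRuleCount         = 0,
        [int]    $VnetRuleCount       = 0,
        [int]    $ApprovedPepCount    = 0
    )
    if (-not $PublicNetworkAccess) { $PublicNetworkAccess = 'Enabled' }

    $exposure =
        if ($PublicNetworkAccess -eq 'Disabled' -and $ApprovedPepCount -eq 0) { 'unreachable' }
        elseif ($PublicNetworkAccess -eq 'Disabled')                           { 'private-endpoint-only' }
        elseif ($DefaultAction -eq 'Deny' -and ($IpRuleCount + $VnetRuleCount) -gt 0) { 'public-firewalled' }
        elseif ($DefaultAction -eq 'Deny')                                     { 'public-deny-all' }
        else                                                                   { 'public-open' }

    # The condition the nightly runbook acts on: a private path exists but the public one is still open.
    $finding = if ($ApprovedPepCount -gt 0 -and $PublicNetworkAccess -ne 'Disabled') {
        'PEP present, public access still enabled'
    } else { '' }

    [pscustomobject]@{
        Name                = $Name
        PublicNetworkAccess = $PublicNetworkAccess
        DefaultAction       = $DefaultAction
        Rules               = $IpRuleCount + $VnetRuleCount
        ApprovedPeps        = $ApprovedPepCount
        Exposure            = $exposure
        Finding             = $finding
    }
}

# Constructed sample accounts (not real resources)
$samples = @(
    @{ Name = 'stpep01';  PublicNetworkAccess = 'Enabled';  DefaultAction = 'Allow'; ApprovedPepCount = 1 }  # the trap the post describes
    @{ Name = 'stfw02';   PublicNetworkAccess = 'Enabled';  DefaultAction = 'Deny';  IpRuleCount = 2 }
    @{ Name = 'stpriv03'; PublicNetworkAccess = 'Disabled'; DefaultAction = 'Deny';  ApprovedPepCount = 1 }
    @{ Name = 'stlock04'; PublicNetworkAccess = 'Disabled'; DefaultAction = 'Deny' }                          # nothing can reach it
    @{ Name = 'stold05';  PublicNetworkAccess = $null;      DefaultAction = 'Allow' }                         # older account, property unset
)
$samples | ForEach-Object { $p = $_; Get-StorageExposure @p } | Format-Table -AutoSize

# Live use (needs Connect-AzAccount plus Az.Storage and Az.Network), same lookups as the runbook:
# Get-AzStorageAccount | ForEach-Object {
#     $sa    = $_
#     $rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName
#     $peps  = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $sa.Id | Where-Object {
#                  $_.ProvisioningState -eq 'Succeeded' -and
#                  ($_.PrivateLinkServiceConnectionStateText | ConvertFrom-Json).Status -eq 'Approved' })
#     Get-StorageExposure -Name $sa.StorageAccountName -PublicNetworkAccess $sa.PublicNetworkAccess `
#         -DefaultAction $rules.DefaultAction -IpRuleCount $rules.IpRules.Count `
#         -VnetRuleCount $rules.VirtualNetworkRules.Count -ApprovedPepCount $peps.Count
# }
```

On the constructed inputs, `stpep01` is the only row with a finding: it has an approved PEP yet classifies as `public-open`, which is exactly the state a PEP alone leaves you in. `stlock04` shows the opposite mistake, public access disabled before any PEP was approved, which is why the runbook only flips the switch once an approved connection exists.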
So this is the runbook I wrote to do just that. It runs under the Automation Account's managed identity, loops through all subscriptions, and if a Storage Account has at least one approved PEP, sets it so that all traffic has to go through the PEP:
```powershell
Try {
    "Logging in to Azure..."
    # https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation
    # The runbook authenticates with the Automation Account's managed identity,
    # so no credentials are stored in the runbook or in Automation variables.
    Disable-AzContextAutosave -Scope Process
    $AzureContext = (Connect-AzAccount -Identity).context
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
    "Logging in to Azure...Completed"
}
Catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

# Only subscriptions the managed identity can read are returned; it also needs rights to
# update storage accounts (e.g. Storage Account Contributor) in each of them.
$Subscriptions = Get-AzSubscription -DefaultProfile $AzureContext

Foreach ($Subscription in $Subscriptions) {
    $CurrentContext = Set-AzContext -Subscription $($Subscription.Name)
    Write-Output "Processing Subscription: $($Subscription.Name)"

    $StorageAccounts = Get-AzStorageAccount -DefaultProfile $CurrentContext
    If ($StorageAccounts.count -gt 0) {
        Foreach ($StorageAccount in $StorageAccounts) {
            Write-Output "Processing: $($StorageAccount.StorageAccountName)"
            Write-Output "Checking if Storage Account has Private Endpoint Enabled..."

            # Wrap in @() so a single connection is still handled as an array below
            $PEP = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $($StorageAccount.Id))
            If ($PEP.Count -eq 0) {
                Write-Output "Storage account does not have a Private Endpoint, moving on ...."
            }
            Else {
                # There may be one or more PEPs. One that is fully provisioned AND approved is enough
                # to know a private path exists, and only then is it safe to cut the public one.
                $Approved = $PEP | Where-Object {
                    $Status = $_.PrivateLinkServiceConnectionStateText | ConvertFrom-Json
                    ($_.ProvisioningState -eq "Succeeded") -and ($Status.Status -eq "Approved")
                }
                If ($Approved) {
                    Write-Output "Storage Account has Private Endpoint Enabled. Checking if Public Network Access is set to Disabled..."
                    # PublicNetworkAccess is unset on older accounts, which means Enabled, so only
                    # an explicit "Disabled" counts as already done.
                    If ($($StorageAccount.PublicNetworkAccess) -eq "Disabled") {
                        Write-Output "Storage Account Public Network Access already set to Disabled"
                    }
                    Else {
                        Write-Output "Setting network access to disabled..."
                        Set-AzStorageAccount -ResourceGroupName $($StorageAccount.ResourceGroupName) `
                            -Name $($StorageAccount.StorageAccountName) `
                            -PublicNetworkAccess "Disabled" `
                            -DefaultProfile $CurrentContext
                        Write-Output "Setting network access to disabled...Completed"
                    }
                }
                Else {
                    Write-Output "Storage account does have a Private Endpoint, but none is approved yet. Moving on ...."
                }
            }
        }
    }
    Else {
        Write-Output "Subscription has no Storage Accounts"
    }
    Write-Output "=========================="
}
```