Esri / arcgis-gitops

GitHub Actions workflows for ArcGIS Enterprise deployment and operation
Apache License 2.0

Disable public endpoints of Azure storage accounts #135

Open pbobov opened 6 days ago

pbobov commented 6 days ago

ArcGIS Enterprise on Kubernetes now uses private endpoints to access blob stores (see #133), therefore the public endpoints can be disabled.

Disabling the public endpoints for the storage accounts is tricky, because this blocks access to the endpoints for Terraform from GitHub Actions runners. In particular, Terraform cannot create blob containers once the network access to the blob store endpoint is blocked.

Possible workarounds:

  1. Configure firewalls for the storage accounts with exceptions for the GitHub Actions IP addresses. This is not an ideal solution because this allows access to the storage accounts to any GitHub Actions workflow.
  2. Create blob containers in ArcGIS Enterprise Admin CLI pod running in AKS cluster before creating an organization and registering backup stores. This requires granting the AKS cluster identity permissions to create blob containers and makes ArcGIS Enterprise Admin CLI dependent on Azure SDK for Python. Ideally, all the Azure infrastructure management should be done by Terraform.
  3. Hack the Terraform modules to enable public network access to the storage account before creating/describing the blob containers and disable it after the containers are created. This hack could have unpredictable side effects.
  4. Ask users to disable public network access manually. That will make subsequent Terraform executions fail when Terraform tries to retrieve state of the blob containers.
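The following Terraform fragment is an added illustration of workaround 1 from the issue above; it is not code from the arcgis-gitops repository. It keeps the storage account's public endpoint enabled but denies it by default, allow-lists only the addresses Terraform runs from, and serves the AKS cluster through a private endpoint. All resource names, the `var.terraform_runner_ip_rules` variable, and the `example-*` identifiers are assumptions for illustration.

```hcl
# Added example (not arcgis-gitops code). Shows the storage-account firewall
# shape that keeps Terraform's data-plane calls (container create/describe)
# working while ArcGIS Enterprise on Kubernetes reaches the blob store over a
# private endpoint. Names and variable values are assumed, not taken from the
# project.

variable "terraform_runner_ip_rules" {
  description = <<-EOT
    Public IPv4 addresses or CIDRs that Terraform executes from. Assumed value;
    if this is the full GitHub Actions range this has the drawback noted in the
    issue (any workflow can reach the endpoint), so a self-hosted runner with a
    fixed egress IP narrows the exception considerably.
  EOT
  type = list(string)
}

resource "azurerm_storage_account" "blobstore" {
  name                     = "examplearcgisblobs" # assumed name
  resource_group_name      = "example-rg"         # assumed
  location                 = "eastus"             # assumed
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Weak variant would be public_network_access_enabled = true with no
  # network_rules, i.e. the endpoint reachable from anywhere.
  # Fully closing it (public_network_access_enabled = false) is the desired
  # end state from the issue, but then azurerm_storage_container below fails
  # because that resource talks to the blob endpoint, not to Resource Manager.
  public_network_access_enabled = true

  network_rules {
    default_action = "Deny"              # everything not listed is rejected
    bypass         = ["AzureServices"]   # trusted Azure services only
    ip_rules       = var.terraform_runner_ip_rules
  }
}

# The path ArcGIS Enterprise on Kubernetes actually uses (see #133): a private
# endpoint on the "blob" subresource in the AKS network. Subnet ID is assumed.
resource "azurerm_private_endpoint" "blob" {
  name                = "example-blob-pe"
  location            = azurerm_storage_account.blobstore.location
  resource_group_name = azurerm_storage_account.blobstore.resource_group_name
  subnet_id           = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/example-pe-subnet" # assumed

  private_service_connection {
    name                           = "example-blob-psc"
    private_connection_resource_id = azurerm_storage_account.blobstore.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}

# This is the call that needs the firewall exception: container creation and
# state refresh go through the storage account's blob endpoint.
resource "azurerm_storage_container" "backups" {
  name                  = "backups"
  storage_account_name  = azurerm_storage_account.blobstore.name
  container_access_type = "private"
}
```

The security point is that the allow-list is only as narrow as the source addresses in it: with the GitHub-wide ranges it has exactly the weakness the issue describes, whereas a dedicated runner egress IP makes the exception specific to this pipeline. A caveat worth checking against the pinned provider version: recent azurerm provider releases also accept a `storage_account_id` argument on `azurerm_storage_container`, which the provider documents as managing the container through the Resource Manager API instead of the blob endpoint; if the modules can use it, the data-plane exception may not be needed at all. That is a property of the provider, not something the issue above asserts.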