MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Prerequisites for Enabling NSG Flow Logs #29446

Closed cogran closed 5 years ago

cogran commented 5 years ago

As NSG Flow Logs are not currently part of the Microsoft/Azure Trusted Services, Allow All Networks must be selected to allow logging to the storage account. Can this prerequisite be added to either this page or the Configure NSG Flow Logs pages? Otherwise logs will generate but be blocked by the storage account firewall. Alerts in the portal are not generated and it takes quite a bit of digging to figure out why.


Karishma-Tiwari-MSFT commented 5 years ago

Thanks for the question! We are currently investigating and will update you shortly.

SubhashVasarapu-MSFT commented 5 years ago

@cogran, appreciate your patience. Looks like it is already mentioned in the document about “Allow all Networks” in the firewall section of the storage account.


You can even upvote this feedback in the Azure feedback forum. We are closing this issue for now. If there are further questions regarding this matter, please reply and we will gladly continue the discussion.

cogran commented 5 years ago

Sorry for the delayed response -- I guess the conflict exists where Storage Documentation shows that Microsoft.Insights and Microsoft.Network are supported Trusted Microsoft Services. If an NSG is a Microsoft.Network resource and FlowLogs are from Microsoft.Insights, why does Storage say I can use Trusted Microsoft Services but NSG Flow Logs say I cannot? There is an inconsistency.

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services

The description from storage would imply that one of the documents is incorrect.

cogran commented 5 years ago

@SubhashVasarapu-MSFT - Reposting for update after out of office. Sorry for the delayed response -- I guess the conflict exists where Storage Documentation shows that Microsoft.Insights and Microsoft.Network are supported Trusted Microsoft Services. If an NSG is a Microsoft.Network resource and FlowLogs are from Microsoft.Insights, why does Storage say I can use Trusted Microsoft Services but NSG Flow Logs say I cannot? There is an inconsistency.

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services

The description from storage would imply that one of the documents is incorrect and explicit documentation needs to be provided (and collaboration with Storage) to ensure that this exception is called out until it is resolved and fully supported.

TravisCragg-MSFT commented 5 years ago

Reopening this issue so that the doc can be updated.

TravisCragg-MSFT commented 5 years ago

@KumudD I have created #30788 to address this change with a note. This ask came from support to clarify the storage firewall requirement.

damendo commented 5 years ago

@TravisCragg-MSFT since the note has been added, can this issue be closed out?

TravisCragg-MSFT commented 5 years ago

@damendo I am fine with closing this, but if you have a timeline for this to be fixed it will be appreciated. I am doing what I can to make this a priority on my end.

@cogran We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

damendo commented 4 years ago

FYI: This has been added. See https://feedback.azure.com/forums/217313/suggestions/33684529

cogran commented 4 years ago

@damendo - Can you clarify if this roll out now allows both Trusted Microsoft Services AND Virtual Network service endpoints for Microsoft.Storage with NSG Flow Logs, or just Trusted Microsoft Services? I did not see an Azure Feedback Forum thread for the VNET Service Endpoints request for an update to be posted on.

damendo commented 4 years ago

@cogran I confirm that this also allows Service Endpoints for Microsoft Storage to work with NSG Flow Logs. Have updated the public status on the forum.
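The thread's practical point is that a storage account firewall can silently drop NSG flow logs with no portal alert, and that delivery depends on which of three configurations the account uses: "Allow all networks", the trusted Microsoft services bypass, or a virtual network service endpoint. The following script is an added example (not part of azure-docs or the issue) that audits the `networkRuleSet` of each flow-log target account and flags the one configuration in which logs would still be dropped. It assumes the rule-set shape returned by `az storage account show --query networkRuleSet` (`defaultAction`, `bypass`, `ipRules`, `virtualNetworkRules`); the account names, subnet IDs and rule sets below are constructed sample data.

```python
"""Audit storage account firewall settings for NSG flow log delivery.

Added example; the rule sets are constructed, and the field names are an
assumption matching the ARM storage account networkRuleSet object.
"""
import json

# Constructed sample: what `az storage account show --query networkRuleSet`
# would return for four differently configured flow-log target accounts.
SAMPLE_ACCOUNTS = {
    # "Allow all networks": the original workaround described in the issue.
    "stflowlogsopen": {
        "defaultAction": "Allow",
        "bypass": "AzureServices",
        "ipRules": [],
        "virtualNetworkRules": [],
    },
    # Firewall on, but trusted Microsoft services may bypass it.
    "stflowlogstrusted": {
        "defaultAction": "Deny",
        "bypass": "Logging, Metrics, AzureServices",
        "ipRules": [],
        "virtualNetworkRules": [],
    },
    # Firewall on, access granted through a VNet service endpoint only.
    "stflowlogsendpoint": {
        "defaultAction": "Deny",
        "bypass": "None",
        "ipRules": [],
        "virtualNetworkRules": [
            {"id": "/subscriptions/<placeholder>/resourceGroups/rg/providers/"
                   "Microsoft.Network/virtualNetworks/vnet/subnets/flowlogs",
             "action": "Allow"}
        ],
    },
    # Firewall on with only an office IP allowed: flow logs are dropped,
    # and nothing in the portal says so.
    "stflowlogslocked": {
        "defaultAction": "Deny",
        "bypass": "None",
        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
        "virtualNetworkRules": [],
    },
}


def classify(rule_set):
    """Return which of the thread's three working configurations applies,
    or 'blocked' when none of them does."""
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return "allow-all"
    # `bypass` is a comma-separated string such as "Logging, Metrics, AzureServices".
    bypass = {item.strip() for item in rule_set.get("bypass", "None").split(",")}
    if "AzureServices" in bypass:
        return "trusted-services"
    if any(rule.get("action", "Allow") == "Allow"
           for rule in rule_set.get("virtualNetworkRules", [])):
        return "service-endpoint"
    # IP rules alone do not help: the flow log writer is a platform service,
    # not a fixed client address.
    return "blocked"


def audit(accounts):
    """Map account name -> verdict, so blocked targets can be alerted on."""
    return {name: classify(rules) for name, rules in accounts.items()}


def blocked_accounts(accounts):
    """Names of accounts whose firewall would drop NSG flow logs."""
    return sorted(name for name, verdict in audit(accounts).items()
                  if verdict == "blocked")


if __name__ == "__main__":
    # In practice, feed this the JSON of each flow-log target account:
    #   az storage account show -n <name> -g <rg> --query networkRuleSet -o json
    print(json.dumps(audit(SAMPLE_ACCOUNTS), indent=2))
    for name in blocked_accounts(SAMPLE_ACCOUNTS):
        print(f"WARNING: {name} will silently drop NSG flow logs")
```

Run this against the rule sets of every account referenced by a flow log configuration; a `blocked` verdict is the situation the opening comment describes, where logs are generated but never land and no alert is raised.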