Storage Account – Enforce Private Endpoint Access
This check ensures that Azure Storage Accounts are accessible only through private endpoints within a virtual network. Enforcing private endpoint access prevents exposure of storage services over the public internet and enhances network-level security.
Check Details
- Resource: Storage Account
- Check: Enforce Private Endpoint Access
- Risk: If public network access is enabled, storage accounts may be reachable from the internet, increasing the risk of unauthorized access and data exfiltration.
Remediation via Azure Portal
- Log in to the Azure Portal.
- Navigate to Storage Accounts and select the target storage account.
- From the left menu, go to Networking under Security + networking.
- Under Public network access, select Disabled.
- Scroll to Private endpoints and click + Create private endpoint.
- Complete the private endpoint creation by providing instance details:
- Click Save to apply the changes.
Remediation via Azure CLI
- Open Azure Cloud Shell.
- Disable public network access for the storage account:

```bash
az storage account update \
  --name <storage-account-name> \
  --resource-group <resource-group-name> \
  --public-network-access Disabled
```

- Create a private endpoint for the storage account:

```bash
az network private-endpoint create \
  --name <private-endpoint-name> \
  --resource-group <resource-group-name> \
  --vnet-name <vnet-name> \
  --subnet <subnet-name> \
  --private-connection-resource-id <storage-account-resource-id> \
  --group-id blob \
  --connection-name storagePrivateConnection
```
These steps ensure that the storage account is accessible only through private endpoints within a trusted virtual network, preventing exposure to the public internet.
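To verify the remediation above at scale, the check can be evaluated against the JSON that `az storage account show` returns for each account. The following is an added example, not code from the original page or its tool; it assumes the `publicNetworkAccess` and `privateEndpointConnections` fields of that JSON, and the sample records are constructed.

```python
import json

# Constructed sample records shaped like `az storage account show` output,
# reduced to the fields this check reads (assumption: field names as in
# the Azure CLI JSON for Microsoft.Storage/storageAccounts).
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stgcompliant",
   "publicNetworkAccess": "Disabled",
   "privateEndpointConnections": [
     {"privateLinkServiceConnectionState": {"status": "Approved"}}]},
  {"name": "stgpublic",
   "publicNetworkAccess": "Enabled",
   "privateEndpointConnections": []},
  {"name": "stgpending",
   "publicNetworkAccess": "Disabled",
   "privateEndpointConnections": [
     {"privateLinkServiceConnectionState": {"status": "Pending"}}]}
]
""")


def evaluate_account(account: dict) -> list[str]:
    """Return the findings for one storage account (empty list = pass)."""
    findings = []
    # Accounts created before the property existed may omit it; the
    # platform behaves as Enabled in that case, so a missing value fails.
    # Note that "Enabled" with a Deny default network rule still leaves a
    # public path for allow-listed ranges, so only "Disabled" passes.
    if account.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access is not Disabled")
    # A private endpoint only provides access once its connection is
    # approved; pending or rejected connections do not count.
    approved = [
        pe for pe in account.get("privateEndpointConnections", [])
        if pe.get("privateLinkServiceConnectionState", {}).get("status")
        == "Approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection")
    return findings


def evaluate_all(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each account name to its findings."""
    return {a["name"]: evaluate_account(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_ACCOUNTS).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

Feed it the output of `az storage account list` (or `show` per account) instead of the constructed sample to run it against a real subscription.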