Network restrictions on Azure Storage Account not working

[aristosvo]

When we installed Velero with the Velero plugin for Azure on our AKS cluster in the first place, we didn't restrict our storage on AKS outbound IP, as it was just an experiment.

After this experiment we tried to improve security by restricting to only the outbound IP of our AKS cluster. This doesn't seem to work. AKS documentation refers to account access here, but I didn't expect Velero to have the same problem as it runs on the worker nodes.

Any other experiences and/or how to mitigate it?

[ashish-amarnath]

@aristosvo I am not super familiar with the network restrictions here. But to troubleshoot this, can you please share more details on the error that you saw? Also, any documentation that you can point us to try this ourselves will be useful to make suggestions.

[aristosvo]

Hi @ashish-amarnath ! I have found the problem and will try to find the time to write down the possible solutions for users of Velero with AKS to secure the storage account in the best possible ways after I've implemented it myself.

If you prefer to investigate it yourself, this is the issue (with config) on AKS and the provided solution

[aristosvo]

@ashish-amarnath Where should I put this kind of information? Is there a docs section where I can put this?

[nrb]

@aristosvo I think the best place for that information right now is in the Azure plugin's README.

[a-mccarthy]

To try and summarize here, if you are using AKS and an Azure Storage account in the same region, you need to use VNET Service Endpoints, as noted in this issue comment

The network restriction option where you whitelist the public IP isn't working, when both resources are in the same region. As the traffic is handled internally in the region itself and never leaves the network via the outbound public IP.

As Nolan mentioned, the best place for this information is on our Azure Plugin's README

@aristosvo are you still able to help update the docs for this?

[aristosvo]

@a-mccarthy Thanks for notifying! I'm on it, will open an PR in a minute.

The only update on your summary would be:

if you are using AKS and an Azure Storage account with no public access enabled in the same region, you need to use VNET Service Endpoints

[aristosvo]

@a-mccarthy If you have any feedback: thanks in advance!

I'm not sure whether I should include step-by-step instructions or not.

[eleanor-millman]

Closing because fix merged in.