SRE storage account ACL bug when deployed from Azure VM #2203
Comments
|
1. No, the Azure VM doesn’t have a public IP, only internal.
2. No
3. When I add the vnet that the Azure VM sits on then I can access the storage account.
From: James Robinson ***@***.***>
Sent: 26 September 2024 09:01
To: alan-turing-institute/data-safe-haven ***@***.***>
Cc: Matthew Westby (staff) ***@***.***>; Author ***@***.***>
Subject: Re: [alan-turing-institute/data-safe-haven] SRE storage account ACL bug when deployed from Azure VM (Issue #2203)
1. Does the Azure VM have a public IP address?
2. Have you added that public IP address to the list of admin_ip_addresses?
3. Can you confirm which IP address is being blocked by the storage account?
|
If you add a public IP address then Azure-to-Azure requests should show as coming from this public address which can be added to your allow list. |
Think that particular setting is only available on PaaS resources?
|
It's a setting on the storage account. |
I can't see a similar setting for NICs. It is worth trying but I'm not sure whether the problem is where the request is sent from rather than with the storage account. In general, Azure routing (or re-routing) traffic internally is a great idea for speed/efficiency but it does cause us problems here. |
When deploying the SRE from an Azure VM the following error is received:
The VM is unable to connect to the storage accounts even though there is whitelisting on the storage account because the traffic is being routed over the Azure backbone instead of going over the internet. Azure does not allow whitelisting of internal IP addresses on storage accounts.
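The behaviour reported in this issue, modelled as an added example (not code from the Data Safe Haven project): a small evaluator for a storage account network rule set, showing why an allow-listed public IP does not help a VM whose request arrives with a private address, and why a virtual network rule for the VM's subnet does. The key names follow the shape of `az storage account show` output and are assumptions, as are the sample addresses and the subnet ID.

```python
import ipaddress

# RFC 1918 private ranges; a request arriving from one of these cannot match an IP rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, shaped like the networkRuleSet object from
# `az storage account show` (key names are an assumption).
RULE_SET = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
    "virtualNetworkRules": [],
}
# Hypothetical subnet resource ID for the deployment VM.
VM_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/"
             "subnets/deploy")


def evaluate(rule_set, source_ip, source_subnet=None):
    """Return (allowed, reason) for a request as the storage firewall sees it.

    source_ip is the address the storage account observes; for a VM whose
    traffic stays on the Azure backbone that is its private address.
    source_subnet is the VM's subnet resource ID, or None for internet clients.
    """
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True, "default action is Allow"
    if source_subnet:
        for rule in rule_set.get("virtualNetworkRules", []):
            if rule["virtualNetworkResourceId"].lower() == source_subnet.lower():
                return True, "matched virtual network rule"
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in RFC1918):
        return False, "private source address: add a virtual network rule instead"
    for rule in rule_set.get("ipRules", []):
        if addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True, "matched IP rule"
    return False, "no rule matched"


def with_subnet_rule(rule_set, subnet_id):
    """Return a copy of rule_set that also allows the given subnet."""
    extra = {"action": "Allow", "virtualNetworkResourceId": subnet_id}
    return {**rule_set, "virtualNetworkRules": rule_set.get("virtualNetworkRules", []) + [extra]}


if __name__ == "__main__":
    print(evaluate(RULE_SET, "203.0.113.10"))         # admin on the internet
    print(evaluate(RULE_SET, "10.0.1.4", VM_SUBNET))  # Azure VM, IP rules only
    print(evaluate(with_subnet_rule(RULE_SET, VM_SUBNET), "10.0.1.4", VM_SUBNET))
```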