Configuring Storage Account Access for Selected Virtual Networks and IP Addresses

This document outlines the steps to configure an Azure Storage Account to allow access only from selected virtual networks and IP addresses and to assign the appropriate role to a Synapse workspace.

Steps to Configure Access:

1. Enable Access from Selected Virtual Networks and IP Addresses

1. Navigate to the Storage Account:

• Go to the Azure Portal.

• Select Storage Accounts from the services list.

• Click on the desired storage account to configure.

1. Set Network Access Configuration:

• In the left-hand menu, click on Networking.

• Under the Firewalls and Virtual Networks section:

  • Locate the Public network access setting.

  • Select Enabled from selected virtual networks and IP addresses.

1. Add Client IP Addresses:

• Scroll down to the IP network rules section.

• Add the respective client IP addresses that should have access to the storage account.

• Click Save to apply the changes.

2. Assign Role to Synapse Workspace

1. Navigate to Access Control (IAM):

• Select Access Control (IAM) from the left-hand blade in the storage account menu.

1. Add Role Assignment:

• Click +Add → Add role assignment.

• In the Role field, search for Storage Blob Data Contributor and select it.

• Click Next.

1. Select Managed Identity:

• MembersUnder Assign access to, select Managed Identity.

• Click Select Members.

1. Choose Synapse Workspace:

• In the Managed Identity blade, locate and select your Synapse workspace from the list of available identities.

• Once selected, click Select.

1. Review and Assign:

• Click Next twice to review the assignment.

• Confirm the details and click Review + Assign to complete the role assignment.

Verification

1. Test the storage account access from the listed virtual networks and IP addresses.

2. Verify that the Synapse workspace has the appropriate permissions by accessing the Storage Blob data.