Enabling Storage Account access to virtual networks in other regions

@20aman    Jan 03, 2022

Azure Storage account service endpoints work with virtual networks in the same region as the storage account or in its paired region. You can extend this functionality to virtual networks in other regions by enabling the AllowGlobalTagsForStorage feature for your subscription.

Enabling the feature

You can enable the feature by running the script below. It uses the "Register-AzProviderFeature" cmdlet to register the feature named "AllowGlobalTagsForStorage".

$subscriptionName = "Your-Subscription-Name"

#Adding Azure Account and Subscription
$env = Get-AzEnvironment -Name "AzureCloud"
Connect-AzAccount -Environment $env
Set-AzContext -SubscriptionName $subscriptionName

#Registering or Enabling the feature
Register-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowGlobalTagsForStorage

Caveats

If you have registered the AllowGlobalTagsForStorage feature and want to enable access to your storage account from a virtual network/subnet in another Azure AD tenant, or in a region other than the storage account's region or its paired region, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants or in regions other than the storage account's region or its paired region, so it cannot be used to configure access rules for those virtual networks.
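Since the portal cannot be used here, the following added example (not part of the original post) shows one way to add the cross-region subnet rule from PowerShell and confirm it is actually enforced. The resource group, storage account name and subnet resource ID are placeholders, and it assumes the session is already signed in as in the script above and that the remote subnet has the Microsoft.Storage service endpoint enabled.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
$resourceGroup  = "storage-rg"          # resource group of the storage account
$storageAccount = "mystorageaccount"    # storage account to restrict
# Full resource ID of the subnet in the other region or tenant.
$subnetId = "/subscriptions/<subscription-id>/resourceGroups/<vnet-rg>" +
            "/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>"

# 1. Feature registration is asynchronous; continue only once it has completed.
$feature = Get-AzProviderFeature -ProviderNamespace Microsoft.Network `
                                 -FeatureName AllowGlobalTagsForStorage
if ($feature.RegistrationState -ne "Registered") {
    throw "AllowGlobalTagsForStorage is '$($feature.RegistrationState)'; wait and retry."
}

# 2. Add the virtual network rule by subnet resource ID, unless it already exists.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup `
                                            -Name $storageAccount
if ($rules.VirtualNetworkRules.VirtualNetworkResourceId -notcontains $subnetId) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroup `
                                    -Name $storageAccount `
                                    -VirtualNetworkResourceId $subnetId | Out-Null
}

# 3. Re-read the rule set and show the rule that was just added.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup `
                                            -Name $storageAccount
$rules.VirtualNetworkRules |
    Where-Object VirtualNetworkResourceId -eq $subnetId |
    Format-List VirtualNetworkResourceId, Action, State

# 4. Network rules only restrict traffic when the default action is Deny.
if ($rules.DefaultAction -ne "Deny") {
    Write-Warning ("Default action is '$($rules.DefaultAction)': the account still " +
                   "accepts traffic from all networks. Review the allowed networks, " +
                   "then run Update-AzStorageAccountNetworkRuleSet -DefaultAction Deny.")
}
```

The script only warns about the default action instead of changing it, because switching to Deny before every required network is listed cuts off existing clients.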

Reference: Configure Azure Storage firewalls and virtual networks




