azure, network-programming, terraform, endpoint, private-subnet

How to check if Azure subnet's Microsoft.Storage service endpoint is currently used


As stated in the question, I would like to know how to check whether Microsoft.Storage service endpoint in a private subnet is necessary or currently being used. We have some resources that were created a long time ago, and we don't understand why the prod environment has this setting enabled while the non-prod doesn't. Both subnets contain storage, key vaults, and so on. However, the non-production environment has an empty list for this setting, and still works perfectly fine.

In our Terraform configuration, the subnet resource is formulated as follows (just a snippet):

resource "azurerm_subnet" "snet" {
  provider                                       = xxx
  resource_group_name                            = var.rg_name
  name                                           = format("snet-%s", var.env)
  virtual_network_name                           = azurerm_virtual_network.vnet.name
  address_prefixes                               = [xxx]
  enforce_private_link_endpoint_network_policies = xxx
  enforce_private_link_service_network_policies  = xxx
  service_endpoints                              = var.env == "prod" ? ["Microsoft.Storage"] : []
  depends_on                                     = [azurerm_virtual_network.vnet]
}

Can I resolve this question using the Azure Portal, Terraform, or Azure CLI? To view this property on the Azure Portal, I navigate through: virtual network -> subnets -> service endpoints. Then I get this window:

[Image: service endpoints settings in a subnet]

Side note: removing the property and waiting to see whether prod goes down or not is not an option.
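One way to answer the question from the Azure CLI is to compare the subnet's serviceEndpoints with the storage accounts' firewall rules: a storage account actually relies on the endpoint only when its network rule set has defaultAction Deny and a virtualNetworkRules entry that names this subnet; an account that allows all networks keeps working with or without it (which is the likely reason the non-prod subnet is fine with an empty list). The script below is an added example, not code from the question or answer; it parses constructed sample JSON shaped like the output of `az network vnet subnet show` and `az storage account list`, and the resource IDs and account names in it are made up.

```python
import json

# Constructed sample output (not from the post), trimmed to the fields read below:
#   az network vnet subnet show -g <rg> --vnet-name <vnet> -n <subnet>
#   az storage account list
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
             "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-prod")
SUBNET_JSON = json.dumps({
    "id": SUBNET_ID,
    "serviceEndpoints": [{"service": "Microsoft.Storage", "provisioningState": "Succeeded"}],
})
ACCOUNTS_JSON = json.dumps([
    # Firewall denies by default and whitelists this subnet: the endpoint is required.
    {"name": "stprodlocked", "networkRuleSet": {"defaultAction": "Deny",
     "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID.upper()}]}},
    # Allows all networks: the VNet rule is a leftover, access works without the endpoint.
    {"name": "stprodopen", "networkRuleSet": {"defaultAction": "Allow",
     "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID}]}},
    # References a different subnet: irrelevant to snet-prod.
    {"name": "stdev", "networkRuleSet": {"defaultAction": "Deny",
     "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID.replace("snet-prod", "snet-dev")}]}},
])


def subnet_has_storage_endpoint(subnet_json: str) -> bool:
    """True if the subnet lists a provisioned Microsoft.Storage service endpoint."""
    subnet = json.loads(subnet_json)
    return any(ep.get("service") == "Microsoft.Storage"
               and ep.get("provisioningState", "Succeeded") == "Succeeded"
               for ep in subnet.get("serviceEndpoints") or [])


def storage_accounts_using_subnet(accounts_json: str, subnet_id: str) -> dict:
    """Split accounts whose firewall names this subnet into 'required' (defaultAction
    Deny, so dropping the endpoint cuts them off) and 'optional' (all networks allowed).
    Azure resource IDs are case-insensitive, so they are compared lower-cased."""
    wanted = subnet_id.lower()
    result = {"required": [], "optional": []}
    for acct in json.loads(accounts_json):
        rules = acct.get("networkRuleSet") or {}
        hit = any((r.get("virtualNetworkResourceId") or "").lower() == wanted
                  for r in rules.get("virtualNetworkRules") or [])
        if hit:
            key = "required" if rules.get("defaultAction") == "Deny" else "optional"
            result[key].append(acct["name"])
    return result


if __name__ == "__main__":
    print("endpoint present:", subnet_has_storage_endpoint(SUBNET_JSON))
    print(storage_accounts_using_subnet(ACCOUNTS_JSON, SUBNET_ID))
```

Run it against real output by replacing the two JSON constants with the saved CLI output for the prod subnet; an empty "required" list means no storage firewall in that subscription depends on the endpoint.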


Solution

  • Here I tried to reproduce the Azure subnet's Microsoft.Storage service endpoint in both the production and non-production cases, and I was able to understand the difference between the two.

    Production state:

    My main.tf as follows

    provider "azurerm" {
      features {}

      subscription_id = ""
      client_id       = ""
      tenant_id       = ""
      client_secret   = ""
    }

    variable "env" {
      description = "Environment"
      type        = string
      default     = "prod"
    }

    resource "azurerm_resource_group" "example" {
      name     = "v-bolliv-rg"
      location = "Eastus"
    }

    resource "azurerm_virtual_network" "example" {
      name                = "Demovk-vnet"
      address_space       = [""]
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
    }

    resource "azurerm_subnet" "snet" {
      provider                                       = azurerm
      resource_group_name                            = azurerm_resource_group.example.name
      name                                           = format("snet-%s", var.env)
      virtual_network_name                           = azurerm_virtual_network.example.name
      address_prefixes                               = [""]
      enforce_private_link_endpoint_network_policies = true
      enforce_private_link_service_network_policies  = true
      # Only the prod subnet gets the Microsoft.Storage service endpoint
      service_endpoints                              = var.env == "prod" ? ["Microsoft.Storage"] : []
      depends_on                                     = [azurerm_virtual_network.example]
    }


    Here, in the first instance, I tried to replicate the service endpoint under the production condition, where we are able to provision the service endpoint in the Succeeded state.


    service_endpoints  = var.env  ==  "prod"  ? ["Microsoft.Storage"] : []
    
    1. The var.env == "prod" condition checks if the value of the variable var.env is equal to the string "prod".

    2. If the condition evaluates to true, the value assigned to service_endpoints will be ["Microsoft.Storage"], which is an array with a single element, "Microsoft.Storage".

    3. If the condition evaluates to false, the value assigned to service_endpoints will be an empty array [].

    Here, when the code runs in the production environment, the variable passed creates the service endpoint for Microsoft.Storage. In general, the "Microsoft.Storage" service endpoint is included in the service_endpoints array to grant access to the Azure Storage service. By including this service endpoint, the associated resources (such as storage accounts and containers) can be accessed and used within the defined environment (in this case, the "prod" environment). It enables the application or infrastructure to interact with and use the capabilities provided by Azure Storage for storing and managing data in the cloud.

    Non-Production State:

    For a var input other than prod, Terraform will not provision the "Microsoft.Storage" service endpoint, which in general will not access any of the data available.


    So, as per the query asked, when the code runs under the production environment the storage data will be captured using the module mentioned. For anything other than production (non-production, any other environment, or blank), the data will not be captured.

    Regarding the last query you asked, it totally depends on your requirements for data backups. If you consider this backup helpful you can continue; otherwise it's your choice.