---
title: Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets
description: Provides instructions on how to store Vulnerability Assessment (VA) scans in a storage account that can be accessed through a firewall or a VNet
services: sql-database
ms.service: sql-db-mi
ms.subservice: security
ms.topic: how-to
author: barmichal
ms.author: mibar
ms.reviewer: vanto
ms.date: 12/01/2020
---

# Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets

[!INCLUDEappliesto-sqldb-sqlmi]

If you limit access to your Azure storage account to certain VNets or services, you need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for Azure SQL Database or Azure SQL Managed Instance has access to that storage account.

## Enable Azure SQL Database VA scanning access to the storage account

If you have configured your VA storage account to be accessible only from certain networks or services, you need to ensure that VA scans for your Azure SQL Database can write their results to that storage account. To find out which storage account is being used, go to your SQL server pane in the Azure portal, and under Security, select Security Center.

:::image type="content" source="../database/media/azure-defender-for-sql/va-storage.png" alt-text="set up vulnerability assessment":::

You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your logical SQL server.

Go to the resource group that contains the storage account and open the Storage account pane. Under Settings, select Firewall and virtual networks.

Ensure that Allow trusted Microsoft services to access this storage account is checked. The VA scanner for Azure SQL Database is one of these trusted services, so this setting lets it write scan results even when the storage account's default action is Deny.

:::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-allow-microsoft-services.png" alt-text="Screenshot shows Firewall and virtual networks dialog box, with Allow trusted Microsoft services to access this storage account selected.":::

## Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet

Azure SQL Managed Instance is not a trusted Microsoft service, and it runs in its own VNet, which the storage account firewall does not allow by default. Running a VA scan in this state results in an error until the instance's subnet is explicitly allowed on the storage account.

To support VA scans on Managed Instances, follow these steps:

  1. In the SQL managed instance pane, under the Overview heading, click the Virtual network/subnet link. This takes you to the Virtual network pane.

    :::image type="content" source="../managed-instance/media/public-endpoint-configure/mi-overview.png" alt-text="mi-overview2":::

  2. Under Settings, select Subnets. Select Subnet in the new pane to add a subnet, and delegate it to Microsoft.Sql/managedInstances. For more information, see Manage subnets.

    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-subnets.png" alt-text="Screenshot shows a subnet that has been delegated to Microsoft.Sql/managedInstances.":::

  3. In your Virtual network pane, under Settings, select Service endpoints. Click Add in the new pane, and add the Microsoft.Storage Service as a new service endpoint. Make sure the ManagedInstance Subnet is selected. Click Add.

    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-service-endpoint.png" alt-text="Screenshot shows Add service endpoints, where you add the Microsoft.Storage Service as an endpoint.":::

  4. Go to the storage account that you selected to store your VA scans. Under Settings, select Firewall and virtual networks. Select Add existing virtual network, choose your managed instance virtual network and subnet, and select Add.

    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-firewall.png" alt-text="Screenshot shows the Firewalls and virtual networks pane, which contains the Add existing virtual network link.":::

You should now be able to store your VA scans for Managed Instances in your storage account.
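The same configuration can be applied and checked from the command line. The following script is an added example written for this article with the Azure CLI; it is not code from the original page or from the Azure SQL team. It covers both procedures above: enabling the trusted-services bypass for Azure SQL Database scans, and adding the Microsoft.Storage service endpoint plus a storage firewall rule for the Managed Instance subnet. The resource names, the subscription ID, and the assumption that the Managed Instance subnet already exists (delegated to Microsoft.Sql/managedInstances, as every MI subnet must be) are placeholders for illustration.

```shell
#!/bin/sh
# Added example (not from the article): configure VA scan storage for Azure SQL Database
# and Azure SQL Managed Instance with the Azure CLI, then verify the network rule set.
# All resource names and the subscription ID below are assumed placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-sql-security}"            # placeholder resource group
STORAGE="${STORAGE:-stvascans001}"     # placeholder storage account for VA results
MI_VNET="${MI_VNET:-vnet-mi}"          # placeholder VNet of the managed instance
MI_SUBNET="${MI_SUBNET:-ManagedInstance}"  # placeholder delegated MI subnet

# Build the ARM resource ID of a subnet (pure string function, used by verify()).
subnet_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Succeeds if stdin (one resource ID per line, as `az ... -o tsv` prints) contains the
# given ID as a whole line. ARM IDs are not case-sensitive, so compare case-insensitively.
id_listed() {
  grep -ix -- "$1" >/dev/null
}

# Azure SQL Database: deny by default, but let trusted Microsoft services (which include
# the VA scanner for Azure SQL Database) bypass the storage firewall.
enable_trusted_services_bypass() {
  az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny --bypass AzureServices --output none
}

# Managed Instance: it is not a trusted service, so its subnet needs a Microsoft.Storage
# service endpoint (keeping the MI delegation) and an explicit rule on the storage account.
allow_mi_subnet() {
  az network vnet subnet update --resource-group "$RG" --vnet-name "$MI_VNET" \
    --name "$MI_SUBNET" --delegations Microsoft.Sql/managedInstances \
    --service-endpoints Microsoft.Storage --output none
  az storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --vnet-name "$MI_VNET" --subnet "$MI_SUBNET" --output none
}

# Check the resulting rule set: AzureServices bypass on, default Deny, MI subnet allowed.
verify() {
  bypass=$(az storage account show -g "$RG" -n "$STORAGE" --query networkRuleSet.bypass -o tsv)
  action=$(az storage account show -g "$RG" -n "$STORAGE" --query networkRuleSet.defaultAction -o tsv)
  wanted=$(subnet_resource_id "$SUBSCRIPTION_ID" "$RG" "$MI_VNET" "$MI_SUBNET")
  case "$bypass" in
    *AzureServices*) ;;
    *) echo "trusted Microsoft services bypass is not enabled" >&2; return 1 ;;
  esac
  [ "$action" = "Deny" ] || { echo "default action is $action, expected Deny" >&2; return 1; }
  az storage account show -g "$RG" -n "$STORAGE" \
    --query 'networkRuleSet.virtualNetworkRules[].virtualNetworkResourceId' -o tsv \
    | id_listed "$wanted" || { echo "MI subnet $wanted is not allowed on $STORAGE" >&2; return 1; }
  echo "VA storage network configuration OK"
}

# Nothing touches Azure unless VA_APPLY=1 is set, so the file can be sourced safely.
if [ "${VA_APPLY:-0}" = "1" ]; then
  enable_trusted_services_bypass
  allow_mi_subnet
  verify
fi
```

Run it as `VA_APPLY=1 sh va-storage.sh` after `az login` and `az account set`. Setting the default action to Deny also blocks your own workstation and the portal's data-plane views of the account; if you need that access, add your client IP with `az storage account network-rule add --ip-address`, and keep the allowed set as small as the scans require.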

## Next steps