--- title: Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets description: "Provides instructions on how to store Vulnerability Assessment (VA) scans in a storage account that can be accessed through a firewall or a VNet" services: sql-database ms.service: sql-db-mi ms.subservice: security ms.topic: conceptual author: barmichal ms.author: mibar ms.reviewer: vanto ms.date: 09/21/2020 --- # Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets [!INCLUDE[appliesto-sqldb-sqlmi](../includes/appliesto-sqldb-sqlmi.md)] If you are limiting access to your storage account in Azure for certain VNets or services, you'll need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL Databases or Managed Instances have access to that storage account. ## Enable Azure SQL Database VA scanning access to the storage account If you have configured your VA storage account to only be accessible by certain networks or services, you'll need to ensure that VA scans for your Azure SQL Database are able to store the scans on the storage account. To find out which storage account is being used, go to your **SQL server** pane in the [Azure portal](https://portal.azure.com), under **Security**, select **Security center**. You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your [logical SQL server](logical-servers.md). Go to your **Resource group** that contains the storage account and access the **Storage account** pane. Under **Settings**, select **Firewall and virtual networks**. Ensure that **Allow trusted Microsoft services access to this storage account** is checked. :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-allow-microsoft-services.png" alt-text="Screenshot shows Firewall and virtual networks dialog box, with Allow trusted Microsoft services to access this storage account selected."::: ## Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet Since Managed Instance is not a trusted Microsoft Service and has a different VNet from the storage account, executing a VA scan will result in an error. To support VA scans on Managed Instances, follow the below steps: 1. In the **SQL managed instance** pane, under the **Overview** heading, click the **Virtual network/subnet** link. This takes you to the **Virtual network** pane. :::image type="content" source="../managed-instance/media/public-endpoint-configure/mi-overview.png" alt-text="mi-overview2"::: 1. Under **Settings**, select **Subnets**. Click **Subnet** in the new pane to add a subnet, and delegate it to *Microsoft.sql\managedInstance*. For more information, see [Manage subnets](../../virtual-network/virtual-network-manage-subnet.md). :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-subnets.png" alt-text="Screenshot shows a subnet that has been delegated Microsoft.sql\managedInstance."::: 1. In your **Virtual network** pane, under **Settings**, select **Service endpoints**. Click **Add** in the new pane, and add the *Microsoft.Storage* Service as a new service endpoint. Make sure the *ManagedInstance* Subnet is selected. Click **Add**. :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-service-endpoint.png" alt-text="Screenshot shows Add service endpoints, where you add the Microsoft.Storage Service as an endpoint."::: 1. Go to your **Storage account** that you've selected to store your VA scans. Under **Settings**, select **Firewall and virtual networks**. Click on **Add existing virtual network**. Select your managed instance virtual network and subnet, and click **Add**. :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-firewall.png" alt-text="Screenshot shows the Firewalls and virtual networks pane, which contains the Add existing virtual network link."::: You should now be able to store your VA scans for Managed Instances in your storage account. ## Next steps - [Vulnerability Assessment](sql-vulnerability-assessment.md) - [Create an Azure Storage account](../../storage/common/storage-account-create.md) - [Azure Defender for SQL](azure-defender-for-sql.md)