#Allow AvePoint Agent Servers to Access Your Storage Account

If you are using or plan to use your own storage device, read the instructions in this section carefully and complete the settings upon your need. Otherwise, you can skip this topic.

When you are using your own storage device, you may have set up the storage firewall to only allow trusted clients for security concerns. To ensure that AvePoint Online Services can access your storage, complete the settings as required in the following conditions:

*Note: If you are using a trial subscription and the storage account you want to use in the trial has a firewall enabled, read the conditions below and contact AvePoint Support for the corresponding reserved IP addresses or ARM VNet IDs.

#Add Reserved IP Addresses

Follow the steps below:

1. Navigate to AvePoint Online Services > Administration > Security > Reserved IP addresses to download the list of reserved IP addresses of AvePoint Online Services. For details, refer to Download a List of Reserved IP Addresses.

2. Go to the storage account that you want to secure.

3. Select Networking on the menu.

4. Check that you’ve selected to allow access from Selected networks.

5. Enter the IP address or address range under Firewall > Address Range.

6. Select Save to apply your changes.

#Add ARM Virtual Networks

You can refer to Download ARM VNet IDs to get the VNet IDs for your data center. There are two ways to add ARM virtual networks:

#Use the Azure CLI Tool

1. Step 1 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription

   This command sets the active subscription to the specified subscription ID.

   az account set --subscription xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy

2. Step 2 (Optional): Confirm whether the subscription switch is correct

   This command displays the current subscription information in a table format.

   az account show --output table

3. Step 3: Get the AvePoint Online Services network subnet resource ID

   This variable stores the resource ID of the subnet in the virtual network.

   Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant.

   $SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName"

4. Step 4: Set your resource group name

   This variable stores the name of the resource group where your storage account is located.

   $DESTRG="customer_resource_group_name"

5. Step 5: Set your storage account name

   This variable stores the name of the storage account to which you want to add the network rule.

   $DESTSTA="customer_storage_account_name"

6. Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services

   This command adds a network rule to the specified storage account, allowing access from the specified subnet.

   az storage account network-rule add --resource-group $DESTRG --account-name $DESTSTA --subnet $SUBNETID

7. Step 7: List the current network rules for the storage account to verify the addition

   This command lists the virtual network rules for the specified storage account.

   az storage account network-rule list --resource-group $DESTRG --account-name $DESTSTA --query virtualNetworkRules

8. Step 8 (Optional): Disable the public access to storage account

   This command updates the storage account to deny public network access.

   az storage account update --resource-group $DESTRG --name $DESTSTA --default-action Deny

9. Step 9 (Optional): Verify that the default action for network rules is set to Deny

   This command shows the network rule set for the specified storage account, including the default action.

   az storage account show --resource-group $DESTRG --name $DESTSTA --query networkRuleSet.defaultAction

#Use the Azure Az PowerShell

1. Step 1: Sign in to Azure with your Azure Admin account

   Connect-AzAccount

2. Step 2 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription

   This command sets the active subscription to the specified subscription ID.

   Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy"

3. Step 3: Get the AvePoint Online Services network subnet resource ID

   This variable stores the resource ID of the subnet in the virtual network.

   Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant.

   $SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName"

4. Step 4: Set resource group name

   This variable stores the name of the resource group where your storage account is located.

   $DESTRG="customer_resource_group_name"

5. Step 5: Set storage account name

   This variable stores the name of the storage account to which you want to add the network rule.

   $DESTSTA="customer_storage_account_name"

6. Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services

   This cmdlet adds a network rule to the specified storage account, allowing access from the specified subnet.

   Add-AzStorageAccountNetworkRule -ResourceGroupName $DESTRG -Name $DESTSTA -VirtualNetworkResourceId $SUBNETID

7. Step 7: Verify the newly added network rule

   This cmdlet retrieves the network rule set for the specified storage account.

   Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $DESTRG -AccountName $DESTSTA

You will see the virtual network rules in Azure Portal, as the screenshot below shows. You may also notice that a warning message “Insufficient Permission…” is displayed. It is because the subnet is not in your subscription. You can ignore it.