Azure Automation Private Endpoint vs Azure Automation API


I want to avoid exposure of my Azure Automation account from the public internet. According to the documentation this is possible by configuring a private endpoint connection and disabling public access (Automation account – Networking – Public access = Disabled)
(https://learn.microsoft.com/en-us/azure/automation/how-to/private-link-security). However, an Azure Automation account and the start of runbook jobs are accessible in multiple ways (https://learn.microsoft.com/en-us/azure/automation/start-runbooks). Even after public access is disabled, the public API remains publicly available.

API: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/jobs/{jobName}?api-version=2019-06-01

More info: (

This feels to me like a possible security vulnerability. Can someone please explain:

  • How this can be avoided?
  • What I am missing here?
  • What way to set this up correctly?

I already tried it on multiple tenants and with different configurations but the issue remains the same.

Thanks so much in advance!

Sourav

Check the following workarounds:

One way is to make sure that the NSGs associated with the VNets and subnets are properly configured.

Once the NSG was configured with the required inbound and outbound rules, traffic got through as shown below.

Another way is Role-Based Access Control (RBAC):

Use Azure RBAC to assign appropriate roles to users or groups for the Azure Automation account. If the default roles don't meet your requirements, create custom roles with specific permissions tailored to your needs. Users with assigned roles will have the necessary permission to access the Azure Automation account's APIs.


Once these prerequisites are done, navigating to the automation account and creating a job gives an API ID with the following format:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/jobs/{jobId}?api-version={apiVersion}

Note: here we need to replace {subscriptionId}, {resourceGroupName}, {automationAccountName}, {jobId} and {apiVersion}.
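The PUT .../jobs/{jobName} call from the question goes through the ARM control plane, which is authenticated and governed by the RBAC roles the answer mentions, so the practical check is auditing who actually exercises that permission. Added example, not from the thread or from Azure: a small Python audit over Activity Log events that flags successful `Microsoft.Automation/automationAccounts/jobs/write` operations by callers outside an approved list; the sample events are constructed and only a subset of the real Activity Log schema is assumed.

```python
"""Audit Activity Log events for runbook job starts made through the ARM API.

Hypothetical helper (not part of Azure or this thread). Each event is a dict
using a subset of the Activity Log schema: operationName.value, caller,
resourceId, status.value and httpRequest.clientIpAddress.
"""

JOB_WRITE_OP = "Microsoft.Automation/automationAccounts/jobs/write"


def job_starts(events, approved_callers):
    """Return one finding per successful job creation, marking whether the
    caller is in approved_callers (case-insensitive comparison)."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if op.lower() != JOB_WRITE_OP.lower():
            continue  # not a job creation
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # failed or in-progress attempts are ignored here
        caller = ev.get("caller", "<unknown>")
        ip = ev.get("httpRequest", {}).get("clientIpAddress", "<none>")
        # Account name sits between /automationAccounts/ and /jobs/ in resourceId
        account = ev.get("resourceId", "").split("/automationAccounts/")[-1].split("/")[0]
        findings.append({"caller": caller, "ip": ip, "account": account,
                         "approved": caller.lower() in approved})
    return findings


def unapproved_job_starts(events, approved_callers):
    """Only the job starts whose caller is not on the approved list."""
    return [f for f in job_starts(events, approved_callers) if not f["approved"]]


# Constructed sample events (not real log data); <sub> is a placeholder.
SAMPLE_EVENTS = [
    {"operationName": {"value": JOB_WRITE_OP}, "caller": "automation-sp@contoso.example",
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa-prod/jobs/1111",
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "10.0.0.4", "method": "PUT"}},
    {"operationName": {"value": JOB_WRITE_OP}, "caller": "someone@contoso.example",
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa-prod/jobs/2222",
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "203.0.113.7", "method": "PUT"}},
    {"operationName": {"value": "Microsoft.Automation/automationAccounts/jobs/read"},
     "caller": "someone@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa-prod/jobs/2222"},
]

if __name__ == "__main__":
    for f in unapproved_job_starts(SAMPLE_EVENTS, ["automation-sp@contoso.example"]):
        print(f"job started on {f['account']} by {f['caller']} from {f['ip']}")
```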