01 Run the account list command (Windows/macOS/Linux) with a custom query filter to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter, to make the selected subscription the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run the storage account update command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to configure as the identifier parameter, to restrict default network access to the selected Storage account:
az storage account update --name project5storageaccount --default-action Deny
05 The command output should return the information available for the modified Storage account:
{
  "accessTier": "Hot",
  "accountMigrationInProgress": null,
  "allowBlobPublicAccess": false,
  "allowCrossTenantReplication": false,
  "allowSharedKeyAccess": true,
  "allowedCopyScope": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2025-03-02T10:00:00.415155+00:00",
  "customDomain": null,
  "defaultToOAuthAuthentication": false,
  "dnsEndpointType": "Standard",
  "enableExtendedGroups": null,
  "enableHttpsTrafficOnly": true,
  "enableNfsV3": null,
  "encryption": {
    "encryptionIdentity": null,
    "keySource": "Microsoft.Storage",
    "keyVaultProperties": null,
    "requireInfrastructureEncryption": false,
    "services": {
      "blob": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2025-03-02T10:00:00.587034+00:00"
      },
      "file": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2025-03-02T10:00:00.587034+00:00"
      },
      "queue": null,
      "table": null
    }
  },
  "extendedLocation": null,
  "failoverInProgress": null,
  "geoReplicationStats": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
  "identity": null,
  "immutableStorageWithVersioning": null,
  "isHnsEnabled": null,
  "isLocalUserEnabled": null,
  "isSftpEnabled": null,
  "isSkuConversionBlocked": null,
  "keyPolicy": null,
  "kind": "StorageV2",
  "largeFileSharesState": "Enabled",
  "lastGeoFailoverTime": null,
  "location": "westeurope",
  "minimumTlsVersion": "TLS1_2",
  "name": "project5storageaccount",
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "ipv6Rules": [],
    "resourceAccessRules": null,
    "virtualNetworkRules": []
  },
  "primaryLocation": "westeurope",
  "privateEndpointConnections": [],
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "routingPreference": null,
  "sasPolicy": null,
  "secondaryEndpoints": null,
  "secondaryLocation": null,
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "storageAccountSkuConversionStatus": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}
06 Now that the default network rule denies all access to your Storage account, configure network rules that grant access from your allowed networks only. As an example, the following configuration grants access to a specific on-premises network, while blocking general Internet traffic. To grant access from your on-premises network only, run the storage account network-rule add command (Windows/macOS/Linux) to add a new network rule for an IP address range (e.g., 15.16.17.0/24). For more details, see Limit Storage Account Access by IP Address:
az storage account network-rule add --account-name project5storageaccount --ip-address 15.16.17.0/24 --query 'networkRuleSet.ipRules'
07 The command output should return the information available for the new IP rule:
[
  {
    "action": "Allow",
    "ipAddressOrRange": "15.16.17.0/24"
  }
]
08 To secure your Azure Storage account with an Azure Virtual Network (VNet), run the storage account network-rule add command (Windows/macOS/Linux) to add a new network rule for the specified VNet subnet:
az storage account network-rule add --account-name project5storageaccount --vnet-name cc-project5-vnet --subnet cc-project5-vnet-subnet-001 --query 'networkRuleSet.virtualNetworkRules'
09 The command output should return the information available for the new network rule:
[
  {
    "action": "Allow",
    "state": "Succeeded",
    "virtualNetworkResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001"
  }
]
10 Repeat steps no. 4 – 9 for each Storage account that you want to configure, available in the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each subscription available in your Microsoft Azure cloud account.
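
Steps 04 to 10 combined into one script, added here as an example and not part of the original procedure: it finds every Storage account in the active subscription whose default action is still Allow, adds the IP and VNet rules first, and switches the default action to Deny only when both rules were accepted, so allowed clients are not cut off between commands. ALLOWED_CIDR, VNET_NAME and SUBNET_NAME are assumed values; the script also assumes the VNet is in the same resource group as the account and the subnet already has the Microsoft.Storage service endpoint enabled.

```shell
#!/bin/sh
# Added example (not vendor code): restrict every Storage account in the
# active subscription that still accepts traffic from all networks.
# Assumed values: replace with your own allowed range, VNet and subnet.
ALLOWED_CIDR="${ALLOWED_CIDR:-15.16.17.0/24}"
VNET_NAME="${VNET_NAME:-cc-project5-vnet}"
SUBNET_NAME="${SUBNET_NAME:-cc-project5-vnet-subnet-001}"
TAB=$(printf '\t')

# $1 = account name, $2 = resource group.
# Adds both allow rules, then sets the default action to Deny.
# Returns non-zero, leaving the default action untouched, if a rule fails.
restrict_account() {
  az storage account network-rule add --account-name "$1" --resource-group "$2" \
    --ip-address "$ALLOWED_CIDR" --output none </dev/null || return 1
  az storage account network-rule add --account-name "$1" --resource-group "$2" \
    --vnet-name "$VNET_NAME" --subnet "$SUBNET_NAME" --output none </dev/null || return 1
  az storage account update --name "$1" --resource-group "$2" \
    --default-action Deny --output none </dev/null
}

# Prints one "OK <name>" or "FAILED <name>" line per account and returns
# the number of accounts that could not be restricted (255 if listing fails).
restrict_storage_accounts() {
  rsa_failed=0
  rsa_list=$(az storage account list \
    --query "[?networkRuleSet.defaultAction=='Allow'].[name,resourceGroup]" \
    --output tsv) || return 255
  while IFS="$TAB" read -r rsa_name rsa_rg; do
    [ -n "$rsa_name" ] || continue
    if restrict_account "$rsa_name" "$rsa_rg"; then
      echo "OK $rsa_name"
    else
      echo "FAILED $rsa_name (default action left unchanged)"
      rsa_failed=$((rsa_failed + 1))
    fi
  done <<EOF
$rsa_list
EOF
  return "$rsa_failed"
}

# Pass --apply to make changes; without it the script only defines functions.
if [ "${1:-}" = "--apply" ]; then restrict_storage_accounts; fi
```

Run it once per subscription after selecting the subscription with the account set command from step 03.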