Restrict Default Network Access for Storage Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-007

Ensure that your Microsoft Azure Storage accounts are configured to deny access to traffic from all networks (including Internet traffic). By restricting default network access to your Storage accounts, you add a new layer of security, since the default action is to accept connections from clients on any network. To limit access to selected networks or IP addresses, you must first change the default action from "Allow" to "Deny".

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Access to your Azure Storage accounts should be granted only to specific Virtual Networks (VNets), which provides a secure network boundary for specific applications, or to public IP address ranges, which can enable connections from specific Internet services or on-premises clients. Once network rules are configured, only applications from the allowed networks or IP addresses can reach your storage resources. A client or application requesting access from an allowed network and/or IP address must still present proper authorization, i.e., a valid access key or a Shared Access Signature (SAS) token, to access your Storage account.

Making changes to the network rules can impact your applications' ability to connect to the Azure Storage account. Make sure to grant access to all required networks (using virtual network rules) and IP ranges (using firewall rules) before you change the default rule to deny access.

Audit

To determine if the default network access is restricted for your Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected Storage account.

07 Select the Firewalls and virtual networks tab and check the Public network access setting to determine if public access is configured for the selected resource. If Public network access is set to Enabled from all networks, all networks, including the Internet, can access the selected Microsoft Azure Storage account. Therefore, the default network access configuration is not compliant.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the name of each Azure Storage account available in the selected subscription:

az storage account list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--query '[*].name'

05 The command output should return the requested resource identifiers (names):

[
	"project5storageaccount",
	"prodstorageaccount",
	"mediastorageaccount"
]

06 Run storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to get the default network access rule configuration for the selected Storage account:

az storage account show \
	--name project5storageaccount \
	--query 'networkRuleSet.defaultAction'

07 The command output should return the action configured for the default network access rule:

"Allow"

If the command output returns "Allow", as shown in the example above, all networks, including the Internet, can access the selected Microsoft Azure Storage account. As a result, the default network access configuration is not compliant.

08 Repeat steps no. 6 and 7 for each Azure Storage account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
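The CLI audit above inspects one account at a time. The following script is an added example (not part of the Conformity rule page or the Azure CLI) that applies the same check to the whole JSON array returned by `az storage account list -o json`, using the fields shown in this page's command output (`networkRuleSet.defaultAction`, `ipRules`, `virtualNetworkRules`, `publicNetworkAccess`). The embedded sample accounts are constructed for demonstration; pipe real CLI output into the script to audit a subscription.

```python
"""Audit StorageAccounts-007: default network access must be Deny."""
import json
import sys

# Constructed sample modelled on the fields in `az storage account list` output;
# these are not real accounts.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "project5storageaccount", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"action": "Allow", "ipAddressOrRange": "15.16.17.0/24"}],
                      "virtualNetworkRules": []}},
  {"name": "prodstorageaccount", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "mediastorageaccount", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}}
]
""")


def evaluate(account):
    """Return (compliant, reason) for one storage account record."""
    name = account.get("name", "<unnamed>")
    rules = account.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction")
    # With public network access fully disabled, the public endpoint rejects all
    # traffic regardless of the default action, so the account is restricted.
    if account.get("publicNetworkAccess") == "Disabled":
        return True, f"{name}: public network access disabled"
    if default_action != "Deny":
        return False, f"{name}: default action is {default_action!r}, expected 'Deny'"
    n_rules = len(rules.get("ipRules") or []) + len(rules.get("virtualNetworkRules") or [])
    if n_rules == 0:
        # Compliant, but worth flagging: nothing can reach the public endpoint yet.
        return True, f"{name}: default action Deny, no allow rules configured"
    return True, f"{name}: default action Deny with {n_rules} allow rule(s)"


def non_compliant(accounts):
    """Names of accounts whose default network access is not restricted."""
    return [a["name"] for a in accounts if not evaluate(a)[0]]


if __name__ == "__main__":
    # Usage: az storage account list -o json | python audit_storage_007.py
    data = SAMPLE_ACCOUNTS if sys.stdin.isatty() else json.load(sys.stdin)
    for acct in data:
        ok, reason = evaluate(acct)
        print("PASS" if ok else "FAIL", reason)
```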

Remediation / Resolution

To restrict default network access to your Microsoft Azure Storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected Storage account.

07 Select the Firewalls and virtual networks tab, set Public network access to Enabled from selected virtual networks and IP addresses, and perform the following actions:

  1. To secure your Storage account with an Azure Virtual Network (VNet), choose + Add existing virtual network or + Add new virtual network from the Virtual networks section to attach an existing Virtual Network or to create and attach a new one.
  2. To add one or more trusted, authorized IPv4 addresses/IP ranges to the Address range list, type the IP address/CIDR in the IP address or CIDR box, in the Firewall section. You can also add your client IP address to the Address range list. For more details, see Limit Storage Account Access by IP Address.
  3. For Resource instances, you can specify resource instances that will have access to your Storage account based on their system-assigned managed identity.
  4. To configure network access exceptions, use the options available in the Exceptions section.

08 Choose Save to apply the configuration changes. Note that the firewall settings that allow access to storage resources will remain in effect for up to a minute after saving the updated settings for restricting access.

09 Repeat steps no. 5 – 8 for each Azure Storage account that you want to configure, available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account update command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to configure as the identifier parameter, to restrict default network access to the selected Storage account:

az storage account update \
	--name project5storageaccount \
	--default-action Deny

05 The command output should return the information available for the modified Storage account:

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": true,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"creationTime": "2025-03-02T10:00:00.415155+00:00",
	"customDomain": null,
	"defaultToOAuthAuthentication": false,
	"dnsEndpointType": "Standard",
	"enableExtendedGroups": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"encryption": {
		"encryptionIdentity": null,
		"keySource": "Microsoft.Storage",
		"keyVaultProperties": null,
		"requireInfrastructureEncryption": false,
		"services": {
			"blob": {
				"enabled": true,
				"keyType": "Account",
				"lastEnabledTime": "2025-03-02T10:00:00.587034+00:00"
			},
			"file": {
				"enabled": true,
				"keyType": "Account",
				"lastEnabledTime": "2025-03-02T10:00:00.587034+00:00"
			},
			"queue": null,
			"table": null
		}
	},
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"isSkuConversionBlocked": null,
	"keyPolicy": null,
	"kind": "StorageV2",
	"largeFileSharesState": "Enabled",
	"lastGeoFailoverTime": null,
	"location": "westeurope",
	"minimumTlsVersion": "TLS1_2",
	"name": "project5storageaccount",
	"networkRuleSet": {
		"bypass": "AzureServices",
		"defaultAction": "Deny",
		"ipRules": [],
		"ipv6Rules": [],
		"resourceAccessRules": null,
		"virtualNetworkRules": []
	},
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Enabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

06 Now that the default network rule is configured to deny all access to your Storage account, you have to configure network rules in order to grant access from your allowed networks only. As an example, the following configuration grants access to a specific on-premises network while blocking general Internet traffic. To grant access from your on-premises network only, run storage account network-rule add command (Windows/macOS/Linux) to add a new network rule for an IP address range (e.g., 15.16.17.0/24). For more details, see Limit Storage Account Access by IP Address:

az storage account network-rule add \
	--account-name project5storageaccount \
	--ip-address 15.16.17.0/24 \
	--query 'networkRuleSet.ipRules'

07 The command output should return the information available for the new IP rule:

[
	{
		"action": "Allow",
		"ipAddressOrRange": "15.16.17.0/24"
	}
]

08 To secure your Azure Storage account with an Azure Virtual Network (VNet), run storage account network-rule add command (Windows/macOS/Linux) to add a new network rule for the specified VNet subnet:

az storage account network-rule add \
	--account-name project5storageaccount \
	--vnet-name cc-project5-vnet \
	--subnet cc-project5-vnet-subnet-001 \
	--query 'networkRuleSet.virtualNetworkRules'

09 The command output should return the information available for the new network rule:

[
	{
		"action": "Allow",
		"state": "Succeeded",
		"virtualNetworkResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001"
	}
]

10 Repeat steps no. 4 – 9 for each Storage account that you want to configure, available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription available in your Microsoft Azure cloud account.

Publication date Jun 12, 2019