
Configure Azure Storage firewall

Security · Storage Account · Rule · 2021_09 · Important

Storage Accounts should only accept explicitly allowed traffic.

Description

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action so that traffic is denied unless a rule explicitly allows it.

After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

  • Azure services on the trusted service list.
  • IP address or CIDR range.
  • Private endpoint connections.
  • Azure virtual network subnets with a Service Endpoint.

Recommendation

Consider configuring the storage firewall to restrict network access to permitted clients only. Also consider enforcing this setting using Azure Policy.

Examples

Configure with Azure template

To deploy Storage Accounts that pass this rule:

  • Set the properties.networkAcls.defaultAction property to Deny.

For example:

Azure Template snippet
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}

Configure with Bicep

To deploy Storage Accounts that pass this rule:

  • Set the properties.networkAcls.defaultAction property to Deny.

For example:

Azure Bicep snippet
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/storage/storage-account:<version>

To use the latest version:

br/public:avm/res/storage/storage-account:0.9.1

Notes

Cloud Shell storage accounts with the tag ms-resource-usage = 'azure-cloud-shell' are excluded from this rule, because Azure storage firewall is not supported for Cloud Shell storage accounts.
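The following is an added example, not part of this page or of PSRule for Azure: a small Python check that applies the logic described above (properties.networkAcls.defaultAction must be Deny, Cloud Shell-tagged accounts are excluded) to the resources of an ARM template, and summarises which allow rules remain once the default is Deny. The template content, resource names and the 203.0.113.0/24 IP rule are constructed sample data.

```python
"""Check ARM storage account resources for a Deny default network action."""
import json

def is_cloud_shell_storage(resource: dict) -> bool:
    """Cloud Shell accounts are excluded; the storage firewall is not supported for them."""
    tags = resource.get("tags") or {}
    return tags.get("ms-resource-usage") == "azure-cloud-shell"

def evaluate_storage_firewall(resource: dict) -> tuple[str, str]:
    """Return ('pass' | 'fail' | 'skip', reason) for one ARM resource."""
    if resource.get("type", "").lower() != "microsoft.storage/storageaccounts":
        return "skip", "not a storage account"
    if is_cloud_shell_storage(resource):
        return "skip", "Cloud Shell storage is excluded from this rule"
    acls = (resource.get("properties") or {}).get("networkAcls") or {}
    # When networkAcls is omitted the platform default is Allow (any network).
    action = acls.get("defaultAction", "Allow")
    if action.lower() != "deny":
        return "fail", f"networkAcls.defaultAction is {action!r}, expected 'Deny'"
    # Summarise what is still permitted once the default is Deny: trusted-service
    # bypass, IP/CIDR rules and service-endpoint subnet rules. Private endpoints
    # live outside networkAcls and are not counted here.
    sources = []
    if acls.get("bypass", "AzureServices") != "None":
        sources.append(f"bypass={acls.get('bypass', 'AzureServices')}")
    sources.append(f"ipRules={len(acls.get('ipRules') or [])}")
    sources.append(f"vnetRules={len(acls.get('virtualNetworkRules') or [])}")
    return "pass", "defaultAction=Deny; " + ", ".join(sources)

def evaluate_template(template: str) -> dict[str, str]:
    """Evaluate every resource in an ARM template document; returns {name: status}."""
    doc = json.loads(template)
    return {r.get("name", "?"): evaluate_storage_firewall(r)[0] for r in doc.get("resources", [])}

# Constructed sample template (not from the page): one compliant account with an
# IP rule, one that never set networkAcls, and one excluded Cloud Shell account.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlocked",
     "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                    "ipRules": [{"value": "203.0.113.0/24"}]}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stopen",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stcloudshell",
     "tags": {"ms-resource-usage": "azure-cloud-shell"},
     "properties": {"networkAcls": {"defaultAction": "Allow"}}},
]})

if __name__ == "__main__":
    for name, status in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status}")
```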
