By default, storage accounts accept connections from clients on any network. You can limit access to selected networks or prevent traffic from all networks and permit access only through a private endpoint.
Set the default public network access rule
Go to the storage account that you want to secure.
In the service menu, under Security + networking, select Networking.
Choose the network access that is enabled through the storage account's public endpoint:
To allow traffic from all networks, select Enabled from all networks.
To allow traffic only from specific virtual networks, IP address ranges, or specific Azure resources, select Enabled from selected virtual networks and IP addresses. You are prompted to add virtual networks, IP address ranges, or resource instances.
To block traffic from all networks, select Disabled.
Select Save to apply your changes.
Install Azure PowerShell and sign in.
Choose the type of public network access you want to allow:
To allow traffic from all networks, use the Update-AzStorageAccountNetworkRuleSet command and set the -DefaultAction parameter to Allow:
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow
To allow traffic only from specific virtual networks, use the Update-AzStorageAccountNetworkRuleSet command and set the -DefaultAction parameter to Deny:
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
Important
Network rules have no effect unless you set the -DefaultAction parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
To block traffic from all networks, use the Set-AzStorageAccount command and set the -PublicNetworkAccess parameter to Disabled. Traffic will be allowed only through a private endpoint. You need to create that private endpoint.
Set-AzStorageAccount -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -PublicNetworkAccess Disabled
Install the Azure CLI and sign in.
Choose the type of public network access you want to allow:
To allow traffic from all networks, use the az storage account update command and set the --default-action parameter to Allow:
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
To allow traffic only from specific virtual networks, use the az storage account update command and set the --default-action parameter to Deny:
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
Important
Network rules have no effect unless you set the --default-action parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
To block traffic from all networks, use the az storage account update command and set the --public-network-access parameter to Disabled. Traffic will be allowed only through a private endpoint. You need to create that private endpoint.
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --public-network-access Disabled
Note
Firewall settings that restrict access to storage services remain in effect for up to a minute after you save settings that allow access.
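To check which of the three states each account actually ended up in, the following added example (not part of the original page) classifies accounts from JSON shaped like the output of `az storage account list -o json`, and flags accounts whose network rules are inert because the default action is still Allow. The field names `publicNetworkAccess` and `networkRuleSet`, the state labels, and the embedded sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output
# (field names are an assumption about that output, not taken from the page).
SAMPLE = """
[
  {"name": "openacct", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [],
                      "virtualNetworkRules": [], "resourceAccessRules": null}},
  {"name": "ignoredrules", "publicNetworkAccess": null,
   "networkRuleSet": {"defaultAction": "Allow",
                      "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                      "virtualNetworkRules": [], "resourceAccessRules": []}},
  {"name": "restricted", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                      "virtualNetworkRules": [], "resourceAccessRules": []}},
  {"name": "privateonly", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [],
                      "virtualNetworkRules": [], "resourceAccessRules": []}}
]
"""

RULE_KEYS = ("ipRules", "virtualNetworkRules", "resourceAccessRules")

def classify(account):
    """Return (state, rule_count) for one storage account record."""
    rules = account.get("networkRuleSet") or {}
    count = sum(len(rules.get(k) or []) for k in RULE_KEYS)
    # A missing or null publicNetworkAccess is treated as enabled (assumption).
    if (account.get("publicNetworkAccess") or "Enabled") == "Disabled":
        return "private-endpoint-only", count
    if rules.get("defaultAction", "Allow") == "Deny":
        return "selected-networks", count
    # Default action Allow: any configured rules have no effect.
    return ("open-rules-ignored" if count else "open-all-networks"), count

def audit(raw_json):
    """Map account name -> (state, rule_count) for a JSON array of accounts."""
    return {a["name"]: classify(a) for a in json.loads(raw_json)}

if __name__ == "__main__":
    for name, (state, count) in audit(SAMPLE).items():
        print(f"{name:14} {state:22} rules={count}")
```

Accounts reported as `open-rules-ignored` are the case the Important note describes: rules exist, but the default action has not been set to Deny.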
Next steps