You can deny all public access to your storage account and then configure Azure network settings to accept requests that originate from specific virtual network subnets. To learn more, see virtual network subnets.
To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets being added. A Storage Account Contributor, or a user who has permission to the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Azure resource provider operation through a custom Azure role, can apply a rule.
Create a virtual network rule
Note
If you want to enable access from a virtual network in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal doesn't show subnets in other Microsoft Entra tenants.
Go to the storage account for which you want to configure virtual network and access rules.
In the service menu, under Security + networking, select Networking.
In the Firewalls and virtual networks tab of the network settings page, make sure that Enabled from selected virtual networks and IP addresses is selected.
Under Virtual networks, select Add existing virtual network.
The Add networks pane appears.
From the Virtual networks drop-down list, select a virtual network.
From the Subnets drop-down list, select the desired subnets, then select Add.
If you need to create a new virtual network, select Add new virtual network. Provide the necessary information to create the new virtual network, and then select Create. Only virtual networks that belong to the same Microsoft Entra tenant appear for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or the REST API.
To remove a virtual network or subnet rule, select the ellipsis (...) to open the context menu for the virtual network or subnet, and then select Remove.
Select Save to apply your changes.
Important
If you delete a subnet that's included in a network rule, it is removed from the network rules for the storage account. If you create a new subnet with the same name, it won't have access to the storage account. To allow access, you must explicitly authorize the new subnet in the network rules for the storage account.
Install Azure PowerShell and sign in.
To allow traffic only from specific virtual networks, use the Update-AzStorageAccountNetworkRuleSet command and set the -DefaultAction parameter to Deny:
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
Important
Network rules have no effect unless you set the -DefaultAction parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
List virtual network rules:
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").VirtualNetworkRules
Enable a service endpoint for Azure Storage on an existing virtual network and subnet:
Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.0.0.0/24" -ServiceEndpoint "Microsoft.Storage.Global" | Set-AzVirtualNetwork
Add a network rule for a virtual network and subnet:
$subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id
To add a network rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully qualified VirtualNetworkResourceId parameter in the form /subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name.
Remove a network rule for a virtual network and subnet:
$subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id
Install the Azure CLI and sign in.
To allow traffic only from specific virtual networks, use the az storage account update command and set the --default-action parameter to Deny:
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
Important
Network rules have no effect unless you set the --default-action parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
List virtual network rules:
az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query virtualNetworkRules
Enable a service endpoint for Azure Storage on an existing virtual network and subnet:
az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage.Global"
Add a network rule for a virtual network and subnet:
subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet $subnetid
To add a rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully qualified subnet ID in the form /subscriptions/<subscription-ID>/resourceGroups/<resourceGroup-Name>/providers/Microsoft.Network/virtualNetworks/<vNet-name>/subnets/<subnet-name>. You can use the --subscription parameter of az network vnet subnet show to retrieve the subnet ID for a virtual network that belongs to another Microsoft Entra tenant.
Remove a network rule for a virtual network and subnet:
subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet $subnetid
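The two cautions above (network rules do nothing until the default action is Deny, and flipping it to Deny without an allowed network or private endpoint in place cuts applications off) are easy to get wrong in automation. The following pre-flight check is an added example, not code from the Microsoft documentation: it validates fully qualified subnet IDs of the form shown above and decides from a rule set shaped like the output of az storage account network-rule list (or Get-AzStorageAccountNetworkRuleSet) whether switching the default action to Deny would still leave a path in. The rule set, subscription IDs and resource names below are constructed samples, and the has_private_endpoint flag is an assumed input the caller supplies from a separate private-endpoint query; the script makes no call to Azure.

```python
"""Pre-flight checks before locking an Azure Storage account down to selected
virtual networks (added example; constructed data, no Azure calls)."""
import re

# Fully qualified subnet resource ID, as required for subnets in another
# Microsoft Entra tenant. Segment names in ARM IDs are case-insensitive.
_SUBNET_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}"
    r"-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network"
    r"/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)

# Constructed sample shaped like `az storage account network-rule list` output.
SAMPLE_RULE_SET = {
    "bypass": "AzureServices",
    "defaultAction": "Allow",
    "ipRules": [],
    "virtualNetworkRules": [
        {
            "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000001"
            "/resourceGroups/myresourcegroup/providers/Microsoft.Network"
            "/virtualNetworks/myvnet/subnets/mysubnet",
            "action": "Allow",
            "state": "Succeeded",
        },
        {
            # Rule added with a fully qualified ID from another subscription/tenant.
            "virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000002"
            "/resourceGroups/partner-rg/providers/Microsoft.Network"
            "/virtualNetworks/partner-vnet/subnets/app-subnet",
            "action": "Allow",
            "state": "Provisioning",
        },
    ],
}


def parse_subnet_id(resource_id):
    """Return the parts of a fully qualified subnet ID, or raise ValueError."""
    match = _SUBNET_ID.match(resource_id)
    if not match:
        raise ValueError(f"not a fully qualified subnet resource ID: {resource_id!r}")
    return match.groupdict()


def effective_vnet_rules(rule_set):
    """Virtual network rules that currently admit traffic.

    A rule that is not yet in the Succeeded state (for example one still
    provisioning) does not grant access yet, so it is not counted.
    """
    return [
        rule for rule in rule_set.get("virtualNetworkRules", [])
        if rule.get("action", "Allow") == "Allow"
        and rule.get("state", "").lower() == "succeeded"
    ]


def lockdown_is_safe(rule_set, has_private_endpoint=False):
    """True when setting the default action to Deny leaves at least one path in:
    an effective virtual network rule, an IP rule, or a private endpoint."""
    if effective_vnet_rules(rule_set):
        return True
    if rule_set.get("ipRules"):
        return True
    return has_private_endpoint


def cross_subscription_rules(rule_set, current_subscription):
    """IDs of rules whose subscription differs from the one running the commands.

    These are the rules that had to be added with a fully qualified ID (the
    portal cannot show them) and deserve a second look during review.
    """
    return [
        rule["virtualNetworkResourceId"]
        for rule in rule_set.get("virtualNetworkRules", [])
        if parse_subnet_id(rule["virtualNetworkResourceId"])["subscription"].lower()
        != current_subscription.lower()
    ]


if __name__ == "__main__":
    current = "00000000-0000-0000-0000-000000000001"  # constructed subscription ID
    for rule in SAMPLE_RULE_SET["virtualNetworkRules"]:
        parts = parse_subnet_id(rule["virtualNetworkResourceId"])
        print(f"{parts['vnet']}/{parts['subnet']} state={rule['state']}")
    print("cross-subscription rules:", cross_subscription_rules(SAMPLE_RULE_SET, current))
    if lockdown_is_safe(SAMPLE_RULE_SET):
        print("safe to run: az storage account update ... --default-action Deny")
    else:
        print("add a network rule or private endpoint before setting Deny")
```

Run the check after adding rules and before the az storage account update or Update-AzStorageAccountNetworkRuleSet call that sets Deny; a rule set with only a provisioning rule and no IP rules or private endpoint is reported as unsafe, which is exactly the state that strands an application.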
See also