Learn about Configuring Azure Storage firewalls and virtual networks
This tutorial explains how to configure Azure Storage firewalls and virtual networks. Azure Storage provides a layered security model that lets you control which networks can reach a storage account, based on the type and subset of networks your applications and enterprise environment use. Once network rules are configured, only requests arriving over the permitted networks can access the storage account; everything else is refused at the public endpoint.
Scenarios
To secure your storage account, first configure the default rule to deny traffic from all networks (including the internet) on the public endpoint. Then add rules that grant access to traffic from specific VNets. You can also add rules that grant access from selected public internet IP address ranges, which admits specific internet or on-premises clients. Together these rules form a network boundary around the account. Note that once the default action is Deny, any client not covered by a rule is refused, including your own workstation when you browse blobs in the Azure portal, so add a rule for the administrative IP range you work from before relying on the boundary.
Change the default network access rule
By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.
Managing default network access rules
You can manage the default network access rule for a storage account through the Azure portal, Azure PowerShell, or the Azure CLI (CLIv2).
Azure portal
Go to the storage account you want to secure.
Open the settings menu called Firewalls and virtual networks.
To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks again, choose to allow access from All networks.
Click Save to apply your changes.
The same change can be made with Azure PowerShell or the Azure CLI.
Grant access from a virtual network
You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.
Available virtual network regions
In general, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, this scope grows to include the paired region. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances.
Managing virtual network rules
Azure portal
Go to the storage account you want to secure.
Open the settings menu called Firewalls and virtual networks.
Check that you have selected to allow access from Selected networks; virtual network rules have no effect while All networks is selected.
To grant access to a virtual network with a new network rule, under Virtual networks click Add existing virtual network, select the Virtual networks and Subnets options, and then click Add. To create a new virtual network and grant it access in one step, click Add new virtual network, provide the information needed to create it, and then click Create.
To remove a virtual network or subnet rule, click … to open the context menu for the virtual network or subnet, and click Remove.
Click Save to apply your changes.
The same rules can be managed with Azure PowerShell or the Azure CLI.
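The two procedures above (setting the default action to Deny, then granting access to a subnet and an on-premises IP range) carried out end to end with Azure PowerShell, as an added example that is not part of the original page or of Microsoft's documentation. The resource group, storage account, virtual network, subnet and IP range names are placeholder assumptions; replace them with your own. The script also handles the step the portal hides: a subnet can only be granted access once the Microsoft.Storage service endpoint is enabled on it.

```powershell
# Added example: lock a storage account down to one subnet plus one office IP range
# using the Az.Storage and Az.Network modules. All names below are assumptions.
$ResourceGroup  = 'rg-example'       # assumed resource group
$StorageAccount = 'stexample001'     # assumed storage account name
$VnetName       = 'vnet-example'     # assumed virtual network
$SubnetName     = 'snet-app'         # assumed subnet
$OfficeIpRange  = '203.0.113.0/24'   # assumed public range (RFC 5737 documentation block)

# 1. Deny by default on the public endpoint. Keep the bypass for trusted Azure
#    services and for logging/metrics so diagnostics keep flowing after the change.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultAction Deny -Bypass AzureServices,Logging,Metrics | Out-Null

# 2. The subnet needs the Microsoft.Storage service endpoint. Without it the rule
#    is still accepted, but traffic from the subnet arrives from a public IP and
#    is denied, which is a confusing failure to debug after the fact.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
if ($subnet.ServiceEndpoints.Service -notcontains 'Microsoft.Storage') {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
    $vnet   = $vnet | Set-AzVirtualNetwork
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
}

# 3. Grant the subnet, then the on-premises range. IP rules accept public IPv4
#    addresses or CIDR ranges only; add the range your administrators work from,
#    otherwise the portal's blob views will be refused along with everything else.
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -IPAddressOrRange $OfficeIpRange | Out-Null

# 4. Verify the effective rule set: Deny by default plus exactly the rules added above.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount
if ($rules.DefaultAction -ne 'Deny') {
    throw "Default action is $($rules.DefaultAction); expected Deny"
}
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, Action, State
$rules.IpRules            | Select-Object IPAddressOrRange, Action

# To revoke the subnet later:
# Remove-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
#     -VirtualNetworkResourceId $subnet.Id
```

Run the script from a session that has already authenticated with Connect-AzAccount. The order matters: the default action is switched to Deny first so there is no window in which the account is open while rules are still being added, and the final check throws if the default action did not take, so a failed run is loud rather than silently leaving the account exposed.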
Reference documentation – Configure Azure Storage firewalls and virtual networks