Configure Azure Storage firewalls and virtual networks

Azure Storage provides a layered security model. This model enables you to secure your storage accounts to a specific set of supported networks. When network rules are configured, only applications requesting data from over the specified set of networks can access a storage account.

An application that accesses a storage account when network rules are in effect requires proper authorization on the request. Authorization is supported with Azure Active Directory (AD) credentials for blobs and queues (preview), a valid account access key, or a SAS token.

Important

Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests come from a service that is operating within an Azure Virtual Network (VNet). Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

You can grant access to Azure services that operate from within a VNet by allowing the subnet of the service instance. Enable a limited number of scenarios through the Exceptions mechanism described in the following section. To access the Azure portal, you would need to be on a machine within the trusted boundary (either IP or VNet) that you set up.

Scenarios

Configure storage accounts to deny access to traffic from all networks (including internet traffic) by default. Then grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also grant access to public internet IP address ranges, enabling connections from specific internet or on-premises clients.

Network rules are enforced on all network protocols to Azure Storage, including REST and SMB. To access the data with tools like the Azure portal, Storage Explorer, and AzCopy, explicit network rules are required.

You can apply network rules to existing storage accounts, or when you create new storage accounts.

Once network rules are applied, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but don't grant new access beyond configured network rules.

Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules.

Classic storage accounts do not support firewalls and virtual networks.

You can use unmanaged disks in storage accounts with network rules applied to backup and restore VMs by creating an exception. This process is documented in the Exceptions section of this article. Firewall exceptions aren't applicable with managed disks as they're already managed by Azure.

Change the default network access rule

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Warning

Making changes to network rules can impact your applications' ability to connect to Azure Storage. Setting the default network rule to deny blocks all access to the data unless specific network rules to grant access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access.

Managing default network access rules

You can manage default network access rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.

  4. Click Save to apply your changes.

PowerShell

  1. Install the Azure PowerShell and sign in.

  2. Display the status of the default rule for the storage account.

    (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").DefaultAction
    
  3. Set the default rule to deny network access by default.

    Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
    
  4. Set the default rule to allow network access by default.

    Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow
    

CLIv2

  1. Install the Azure CLI and sign in.

  2. Display the status of the default rule for the storage account.

    az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.defaultAction
    
  3. Set the default rule to deny network access by default.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
    
  4. Set the default rule to allow network access by default.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
    

Grant access from a virtual network

You can configure storage accounts to allow access only from specific VNets.

Enable a Service endpoint for Azure Storage within the VNet. This endpoint gives traffic an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in the VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data.

Each storage account supports up to 100 virtual network rules, which may be combined with IP network rules.

Available virtual network regions

In general, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, this scope grows to include the paired region. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.

Note

Service endpoints don't apply to traffic outside the region of the virtual network and the designated region pair. You can only apply network rules granting access from virtual networks to storage accounts in the primary region of a storage account or in the designated paired region.

Required permissions

To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets being added. The permission needed is Join Service to a Subnet and is included in the Storage Account Contributor built-in role. It can also be added to custom role definitions.

Storage account and the virtual networks granted access may be in different subscriptions, but those subscriptions must be part of the same Azure AD tenant.

Managing virtual network rules

You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select Virtual networks and Subnets options, and then click Add. To create a new virtual network and grant it access, click Add new virtual network. Provide the information necessary to create the new virtual network, and then click Create.

    Note

    If a service endpoint for Azure Storage wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation.

  5. To remove a virtual network or subnet rule, click ... to open the context menu for the virtual network or subnet, and click Remove.

  6. Click Save to apply your changes.

PowerShell

  1. Install the Azure PowerShell and sign in.

  2. List virtual network rules.

    (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").VirtualNetworkRules
    
  3. Enable service endpoint for Azure Storage on an existing virtual network and subnet.

    Get-AzureRmVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzureRmVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.0.0.0/24" -ServiceEndpoint "Microsoft.Storage" | Set-AzureRmVirtualNetwork
    
  4. Add a network rule for a virtual network and subnet.

    $subnet = Get-AzureRmVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzureRmVirtualNetworkSubnetConfig -Name "mysubnet"
    Add-AzureRmStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id
    
  5. Remove a network rule for a virtual network and subnet.

    $subnet = Get-AzureRmVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzureRmVirtualNetworkSubnetConfig -Name "mysubnet"
    Remove-AzureRmStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. List virtual network rules.

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query virtualNetworkRules
    
  3. Enable service endpoint for Azure Storage on an existing virtual network and subnet.

    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage"
    
  4. Add a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet "$subnetid"
    
  5. Remove a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet "$subnetid"
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

Grant access from an internet IP range

You can configure storage accounts to allow access from specific public internet IP address ranges. This configuration grants access to specific internet-based services and on-premises networks and blocks general internet traffic.

Provide allowed internet address ranges using CIDR notation in the form 16.17.18.0/24 or as individual IP addresses like 16.17.18.19.

Note

Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules.

IP network rules are only allowed for public internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules. Private networks include addresses that start with 10.*, 172.16.* - 172.31.*, and 192.168.*.

Note

IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests.

Only IPv4 addresses are supported at this time.

Each storage account supports up to 100 IP network rules, which may be combined with Virtual network rules.
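The restrictions above (public IPv4 only, no RFC 1918 ranges, no /31 or /32 ranges) are easy to get wrong when rules are generated from a list. The following is an added pre-check written for this article, not part of the Azure CLI or PowerShell modules; it validates candidate rule values before they are submitted.

```python
import ipaddress

# Added pre-check for candidate IP network rule values, written against the
# restrictions stated above: public IPv4 only, no RFC 1918 private ranges,
# and no /31 or /32 ranges (a single host is entered as a bare address).
# This is not part of the Azure CLI or PowerShell modules.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.*
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.* - 172.31.*
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.*
]


def check_ip_rule(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a value like 16.17.18.19 or 16.17.18.0/24."""
    is_range = "/" in value
    try:
        # strict=True rejects ranges with host bits set (e.g. 16.17.18.19/24);
        # a bare address parses as a single-host network.
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        return False, f"not a valid IP address or CIDR range: {exc}"

    if net.version != 4:
        return False, "only IPv4 addresses are supported"

    if is_range and net.prefixlen >= 31:
        return False, (f"/{net.prefixlen} ranges are not supported; "
                       "add the host as an individual IP address rule")

    for private in PRIVATE_RANGES:
        if net.overlaps(private):
            return False, f"{value} falls in private range {private} (RFC 1918)"

    return True, "ok"


def filter_ip_rules(values: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split candidate values into accepted rules and rejected ones with reasons."""
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for value in values:
        ok, reason = check_ip_rule(value)
        if ok:
            accepted.append(value)
        else:
            rejected[value] = reason
    return accepted, rejected
```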

Configuring access from on-premises networks

To grant access from your on-premises networks to your storage account with an IP network rule, you must identify the internet facing IP addresses used by your network. Contact your network administrator for help.

You can use ExpressRoute to connect your network to the Azure network. Each ExpressRoute circuit is configured with two public IP addresses at the Microsoft edge; these use Azure Public Peering to connect to Microsoft services such as Azure Storage. To allow communication with Azure Storage, create IP network rules for the public IP addresses of your circuits. To find your ExpressRoute circuit's public IP addresses, open a support ticket with ExpressRoute via the Azure portal.

Managing IP network rules

You can manage IP network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range.

  5. To remove an IP network rule, click the trash can icon next to the address range.

  6. Click Save to apply your changes.

PowerShell

  1. Install the Azure PowerShell and sign in.

  2. List IP network rules.

    (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").IPRules
    
  3. Add a network rule for an individual IP address.

    Add-AzureRMStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
    
  4. Add a network rule for an IP address range.

    Add-AzureRMStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
    
  5. Remove a network rule for an individual IP address.

    Remove-AzureRMStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
    
  6. Remove a network rule for an IP address range.

    Remove-AzureRMStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. List IP network rules.

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query ipRules
    
  3. Add a network rule for an individual IP address.

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
    
  4. Add a network rule for an IP address range.

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
    
  5. Remove a network rule for an individual IP address.

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
    
  6. Remove a network rule for an IP address range.

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

Exceptions

Network rules can enable a secure network configuration for most scenarios. However, there are some cases where exceptions must be granted to enable full functionality. You can configure storage accounts with exceptions for trusted Microsoft services, and for access to storage analytics data.

Trusted Microsoft services

Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules.

To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.

If you enable the Allow trusted Microsoft services... exception, the following services (when registered in your subscription), are granted access to the storage account:

Service (resource provider name): purpose

Azure Backup (Microsoft.Backup): Run backups and restores of unmanaged disks in IaaS virtual machines (not required for managed disks).
Azure Site Recovery (Microsoft.SiteRecovery): Configure disaster recovery by enabling replication for Azure IaaS virtual machines. This is required if you are using a firewall-enabled cache storage account, source storage account, or target storage account.
Azure DevTest Labs (Microsoft.DevTestLab): Custom image creation and artifact installation.
Azure Event Grid (Microsoft.EventGrid): Enable Blob Storage event publishing and allow Event Grid to publish to storage queues.
Azure Event Hubs (Microsoft.EventHub): Archive data with Event Hubs Capture.
Azure Networking (Microsoft.Networking): Store and analyze network traffic logs.
Azure Monitor (Microsoft.Insights): Allow writing of monitoring data to a secured storage account.
Azure SQL Data Warehouse (Microsoft.Sql): Allow import and export scenarios using PolyBase.

Storage analytics data access

In some cases, access to read diagnostic logs and metrics is required from outside the network boundary. You can grant exceptions to the network rules to allow read-access to storage account log files, metrics tables, or both. Learn more about working with storage analytics.

Managing exceptions

You can manage network rule exceptions through the Azure portal, PowerShell, or Azure CLI v2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. Under Exceptions, select the exceptions you wish to grant.

  5. Click Save to apply your changes.

PowerShell

  1. Install the Azure PowerShell and sign in.

  2. Display the exceptions for the storage account network rules.

    (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount").Bypass
    
  3. Configure the exceptions to the storage account network rules.

    Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -Bypass AzureServices,Metrics,Logging
    
  4. Remove the exceptions to the storage account network rules.

    Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -Bypass None
    

Important

Be sure to set the default rule to deny, or removing exceptions has no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. Display the exceptions for the storage account network rules.

    az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.bypass
    
  3. Configure the exceptions to the storage account network rules.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --bypass Logging Metrics AzureServices
    
  4. Remove the exceptions to the storage account network rules.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --bypass None
    

Important

Be sure to set the default rule to deny, or removing exceptions has no effect.
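The warning repeated throughout this article (rules and exceptions only take effect once the default action is Deny) is the most common misconfiguration to review. The following is an added audit helper, not part of the Azure CLI or this article's procedures; it reads a rule set shaped like the output of `az storage account show --query networkRuleSet`, with the key names assumed from the CLI's camelCase output and a constructed sample embedded for demonstration.

```python
import json

# Constructed sample shaped like the output of
# `az storage account show --query networkRuleSet`; the key names are assumed
# from the CLI's camelCase output and the subscription id is a placeholder.
SAMPLE_RULESET = json.loads("""
{
  "bypass": "AzureServices, Logging",
  "defaultAction": "Allow",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "16.17.18.0/24"}
  ],
  "virtualNetworkRules": [
    {"action": "Allow", "state": "succeeded",
     "virtualNetworkResourceId": "/subscriptions/<subscription-id>/resourceGroups/myresourcegroup/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet"}
  ]
}
""")

MAX_RULES_PER_TYPE = 100  # limit stated above for IP rules and for VNet rules


def audit_network_ruleset(ruleset: dict) -> list[str]:
    """Return findings for a storage account network rule set (empty = no issues)."""
    findings: list[str] = []
    default = ruleset.get("defaultAction", "Allow")
    ip_rules = ruleset.get("ipRules") or []
    vnet_rules = ruleset.get("virtualNetworkRules") or []
    bypass = [b.strip() for b in (ruleset.get("bypass") or "").split(",")
              if b.strip() and b.strip() != "None"]

    if default != "Deny":
        # Rules and exceptions only take effect once the default action is Deny.
        findings.append(f"default action is {default}: all networks can reach the account")
        if ip_rules or vnet_rules:
            findings.append(f"{len(ip_rules)} IP and {len(vnet_rules)} virtual network "
                            "rules are configured but have no effect until the default is Deny")
        if bypass:
            findings.append(f"exceptions {', '.join(bypass)} are configured but have no "
                            "effect until the default is Deny")

    if "AzureServices" in bypass:
        findings.append("trusted Microsoft services may bypass the network rules")

    for kind, rules in (("IP", ip_rules), ("virtual network", vnet_rules)):
        if len(rules) > MAX_RULES_PER_TYPE:
            findings.append(f"{len(rules)} {kind} rules exceed the limit of {MAX_RULES_PER_TYPE}")

    for rule in vnet_rules:
        # A rule whose state is not succeeded (assumed state values) is not enforcing.
        if rule.get("state") != "succeeded":
            findings.append(f"virtual network rule {rule.get('virtualNetworkResourceId')} "
                            f"is in state {rule.get('state')}")
    return findings
```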

Next steps

Learn more about Azure Network service endpoints in Service endpoints.

Dig deeper into Azure Storage security in Azure Storage security guide.