I am trying to create a solution that will prevent the creation of storage account unless a private endpoint is in place. Its the section below I have used the built in policy definition in Azure, and I am still able to create a storage account with public access enabled.

Hello @MrFlinstone Follow the below steps. Disable public access to the storage account in the Azure portal: Go to your storage account in the Azure portal Locate the Configuration setting under Settings Set Allow Blob anonymous access to Disabled Any storage accounts you establish or modify will be affected by this, allowing you to choose Public Network Access - Disabled. You cannot set up virtual network rules or firewall rules while public network access is disabled since such are not applicable in that situation. In addition to setting up the private endpoint, you also need to disable access to the public network when configuring private endpoints. If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.

Azure policy to deny public access when creating a storage account

MrFlinstone 581

I am trying to create a solution that will prevent the creation of storage account unless a private endpoint is in place.

Its the section below

User's image

I have used the built in policy definition in Azure, and I am still able to create a storage account with public access enabled.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 answer

SUNOJ KUMAR YELURU 14,051 Reputation points MVP

2024-10-03T15:36:01.2433333+00:00
Hello @MrFlinstone

Follow the below steps.

Disable public access to the storage account in the Azure portal:

Go to your storage account in the Azure portal

Locate the Configuration setting under Settings

Set Allow Blob anonymous access to Disabled

Any storage accounts you establish or modify will be affected by this, allowing you to choose Public Network Access - Disabled. You cannot set up virtual network rules or firewall rules while public network access is disabled since such are not applicable in that situation. In addition to setting up the private endpoint, you also need to disable access to the public network when configuring private endpoints.

If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
Please sign in to rate this answer.
MrFlinstone 581 Reputation points

2024-10-03T16:03:55.3366667+00:00

I am a bit confused with your explanation, are you saying that even if public access is allowed by the network settings, anonymous blob access needs to be enabled also for public access to work ?

Hari Babu Vattepally 0 Reputation points Microsoft Vendor

2024-10-04T13:03:46.17+00:00

Hi @MrFlinstone ,

Welcome to Microsoft Q&A Forum. Thanks for posting your query.

I understand that you would like to restrict the access for creating the storage account until and unless there is a private endpoint.

In order to achieve that you can use Azure policy to implement this rule.

Please follow the below rules to apply the policy rules.

Navigate to Azure Policy: Go to the Azure Portal and Select Policy from the menu.

Create a New Policy Definition: Click on Definitions and then Create Policy Definition.

Define the Policy Rule: Write a policy rule that checks if a private endpoint is associated with the storage account. Also, you can use the Azure Policy language to define the rule.

Assign the Policy: Once the policy has created, we can assign the policy to the appropriate scope (for e.g., a specific resource group or subscription).

Review and Create: Review the settings and create the policy assignment.

The above steps will help you denying the creation of any storage account that does not have a private endpoint associated with it.

For reference, here we have the sample of a policy rule that ensures a private endpoint is in place before creating storage account.

{ "if": { "all": [ { "field": "type", "in": ["Microsoft.Storage/storageAccounts"] }, { "field": "Microsoft.Storage/storageAccounts/privateEndpoint", "exists": "false" } ] }, "then": { "effect": "deny" } }

Please refer the below documents for more information related to Built in Policy.
https://learn.microsoft.com/en-us/azure/storage/common/policy-reference

To Assign the created Policy, please refer the below document for additional information.

https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

I hope the above solution may resolve your issue. Please let me know if there are any further questions. We will be glad to assist you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure policy to deny public access when creating a storage account

1 answer

Your answer