Storage Account > Network when public access is completely disabled Now How Developers will connect

Ajith Rai 0 Reputation points Microsoft Employee
2025-04-02T15:52:07.3366667+00:00

Hi Team,

After disabling complete public access, how will developers connect to the storage account, either through the web or Storage Explorer, from their local network laptops?

Lake enabled storage account.


Instead of accessing through VMs

Is there any way to allow specific IP addresses for developers?


2 answers

  1. Michael Taylor 58,451 Reputation points
    2025-04-02T16:17:57.62+00:00

    If you block public access to storage, always a good idea, then you still have your company's private network access. In your VNet configuration ensure your company's private network is allowed through the firewall and ensure that the storage account/container allows access from the VNet.

    Here are some links to get you started.

    Note that as part of the VNet firewall rules you can allow specific IPs. That is generally only done for people not on your VPN. But bear in mind that anyone not calling into your network is a security vulnerability AND their IP address will not be static. You'd need to allow a range.


  2. Vinod Kumar Reddy Chilupuri 3,745 Reputation points Microsoft External Staff
    2025-04-02T16:29:53.37+00:00

    Hi Ajith Rai,

    To connect to an Azure Storage account after completely disabling public access, developers can use specific IP address rules to allow access from their local network laptops. This can be achieved by configuring IP network rules that grant access to specific public internet IP address ranges. Each storage account supports up to 400 such rules.
    After you apply network rules, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but they don't grant new access beyond configured network rules.

    To set this up, you would need to:

    1. Identify the public IP addresses used by the developers' local networks.
    2. Create IP network rules in the Azure portal to allow access from these identified IP addresses.
    3. Ensure that the IP address ranges are provided in CIDR notation.

    It's important to note that IP network rules only apply to public internet IP addresses and cannot be used for private IP addresses.
    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules
    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#how-to-approach-network-security-for-your-storage-account

    Hope the above suggestion helps! Please let us know if you have any further queries.

    Please consider selecting “Accept the answer” wherever the information provided helps you; this can be beneficial to other community members.
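
The constraints listed in the second answer (CIDR notation, public addresses only, at most 400 rules per account) can be checked before any rule is created. The Python script below is an added example, not part of the original answers or of Microsoft's tooling; it validates a developer IP list and renders Azure CLI commands for the entries that pass. The resource group and account names, the sample addresses, the IPv4-only handling and the list of non-public ranges are assumptions of this example.

```python
import ipaddress

MAX_IP_RULES = 400  # per-account limit stated in the answer above

# Ranges treated as non-public in this example (RFC 1918, CGNAT, loopback,
# link-local). The list is this example's choice, not taken from the page.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def check_ip_rules(entries):
    """Split entries into (accepted networks, [(entry, reason)] rejected)."""
    accepted, rejected = [], []
    for raw in entries:
        text = raw.strip()
        try:
            # strict=True rejects CIDR with host bits set, e.g. 198.51.100.7/24
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError as exc:
            rejected.append((text, f"invalid IPv4 CIDR: {exc}"))
            continue
        if any(net.overlaps(block) for block in NON_PUBLIC):
            rejected.append((text, "overlaps a non-public range"))
            continue
        accepted.append(net)
    # Merge duplicates and nested ranges so they do not consume rule slots.
    accepted = list(ipaddress.collapse_addresses(accepted))
    if len(accepted) > MAX_IP_RULES:
        raise ValueError(f"{len(accepted)} rules exceeds limit of {MAX_IP_RULES}")
    return accepted, rejected

def az_commands(networks, resource_group, account):
    """Render one Azure CLI command per accepted rule."""
    cmds = []
    for net in networks:
        # A single host is written as a bare address rather than /32.
        value = str(net.network_address) if net.prefixlen == 32 else str(net)
        cmds.append("az storage account network-rule add "
                    f"--resource-group {resource_group} "
                    f"--account-name {account} --ip-address {value}")
    return cmds

if __name__ == "__main__":
    # Constructed sample input (documentation ranges plus one private address).
    ok, bad = check_ip_rules(["203.0.113.0/24", "198.51.100.7", "192.168.1.20"])
    print("\n".join(az_commands(ok, "example-rg", "examplestorage")))
    print(bad)
```

Because any range that overlaps a non-public block is rejected, an entry such as `0.0.0.0/0` is refused as well, which keeps an over-broad rule from slipping in with the developer list.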

