MSDN Forum: Using Network Rules in Storage Accounts to Restrict Public Access

Question

Hi All!

Azure policy definition "Storage accounts should restrict network access" is not compliant in my subscription. To make this compliant, I need to configure the network rules of my storage accounts because they are accessible over "All Networks" so I need to change it to "Selected Networks" for restriction.

I would like to ask if there are impacts to my applications using those storage accounts if I restrict access using virtual network rules and firewall rules? If yes, what other ways can you suggest to make the policy definition compliant? Thanks in advance.

Answer 1

@NaoriKuni-3413
In order to make this policy compliant you will need to restrict access like you said. If your applications are configured to access the storage account over the virtual network then it shouldn't be a problem, simply grant access from that virtual network. If your application is not coming from a virtual network you can grant access from the application IP address.

You will need to check each application and storage account though. One thing which might helps is to enable logging for the storage account to capture the IP addresses that are accessing your account.

Hope this helps. Let us know if you have further questions or issues.

-------------------------------

Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

@NaoriKuni-3413 It may impact your application in case if any of service or API is connecting this storage account through internet instead of private network.
I would suggest to apply first in Test environment and validate each functional before applying in PROD.
You can also utilise network traces tools like Fiddler or Wireshark to identify how your application is connecting to Storage account.