Description:
The default network access rule in Azure Storage Accounts controls whether traffic from networks that are not explicitly allowed can access the storage account. Setting this default rule to Deny ensures that any network not on the approved list is automatically blocked. This helps enforce a strong security posture by only allowing access from trusted and defined networks.
Rationale:
Setting the default network access rule to Deny blocks all network traffic unless it is explicitly allowed. This reduces the chance of unauthorized access, limits exposure to the public internet, and supports compliance with strong security and least-privilege network policies.
Impact:
Setting the default network access rule to Deny improves security, but it may also block access for any applications, services, or users that are not explicitly added to the allowed network list. If required networks or IP ranges are not configured, legitimate traffic may be interrupted. This may require additional configuration work to define approved networks and ensure that essential services continue to function normally.
Default Value:
By default, Azure Storage Accounts allow network access from all networks unless firewall rules are configured. This means the default network access rule is typically set to Allow.
Pre-requisites:
Administrator permissions to modify the Storage Account firewall and network settings.
A defined list of trusted IP ranges or virtual networks that need access.
Test Plan:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage Accounts and open the required storage account.
Under Security + Networking, click Networking.
Under Public access, verify that Public network access is not set to “Enabled from all networks.”
If it is set to “Enabled from all networks,” follow the Implementation Steps.
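The same check can be run across many accounts from exported configuration rather than one account at a time in the portal. The Python script below is an added example, not part of the original guidance. It assumes input in the JSON shape produced by `az storage account list -o json`, uses constructed sample accounts, and treats a missing rule set or a null publicNetworkAccess value as open to all networks.

```python
import json

# Constructed sample, shaped like `az storage account list -o json` output (trimmed).
SAMPLE = json.loads("""
[
  {"name": "stopen01", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stlocked01", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny",
     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
     "virtualNetworkRules": []}},
  {"name": "stprivate01", "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
  {"name": "stlegacy01", "publicNetworkAccess": null, "networkRuleSet": null},
  {"name": "stempty01", "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}}
]
""")


def audit_account(account):
    """Return (status, reason) for one storage account record."""
    rules = account.get("networkRuleSet") or {}
    # Assumption: a missing rule set means Allow, the default value described above.
    default_action = (rules.get("defaultAction") or "Allow").lower()
    # Assumption: a null publicNetworkAccess is treated as Enabled.
    public_access = (account.get("publicNetworkAccess") or "Enabled").lower()

    if public_access == "disabled":
        return "PASS", "public network access disabled"
    if default_action != "deny":
        return "FAIL", "default action is Allow: enabled from all networks"
    allowed = len(rules.get("ipRules") or []) + len(rules.get("virtualNetworkRules") or [])
    if allowed == 0:
        # Default Deny with an empty allow list: review against the Impact section,
        # since no network has been approved for the public endpoint.
        return "WARN", "default Deny but no IP or virtual network rules defined"
    return "PASS", f"default Deny with {allowed} allow rule(s)"


def audit(accounts):
    """Map account name -> (status, reason)."""
    return {a["name"]: audit_account(a) for a in accounts}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{status:4}  {name}: {reason}")
```

Accounts reported as FAIL need the Implementation Steps. Accounts reported as WARN should be reviewed against the list of trusted IP ranges and virtual networks from the Pre-requisites.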
Implementation Steps:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage Accounts and open the required storage account.
Under Security + Networking, click Networking.
Under Public access, in the Public network access section, click Manage.
Locate Public network access, and in the Public network access scope section, change the setting to “Enable from selected networks.” Add allowed virtual networks or IP firewall rules as needed, then click Save.
Backout Plan:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage Accounts and open the storage account you want to revert.
Under Security + Networking, select Networking.
Under Public access, in the Public network access section, click Manage.
Locate Public network access, and in the Public network access scope section, change the setting to “Enable from all networks.”
Click Save to apply the change.
References:
https://learn.microsoft.com/azure/storage/common/storage-network-security
https://learn.microsoft.com/azure/storage/common/storage-network-security-configure



