Profile Applicability:
- Level 1
Description:
Disabling public network access on Azure Storage Accounts restricts connectivity to the storage resources to only private networks or selected trusted networks. This prevents access over the public internet, reducing the attack surface and exposure to unauthorized access.
Rationale:
Publicly accessible storage accounts are vulnerable to attacks from the internet. Disabling public network access enforces network-level security controls, ensuring that only authorized private network traffic can reach the storage account, improving overall security posture.
Impact:
Pros:
Minimizes exposure to external threats by blocking public internet access.
Supports compliance with network security and data protection standards.
Encourages use of private connectivity options such as Private Endpoints.
Cons:
May require reconfiguration of applications and services to use private network paths.
Could cause disruptions if clients depend on public endpoints without alternatives.
Default Value:
Public network access is enabled by default on many Azure Storage Accounts.
Pre-requisites:
Azure subscription and permissions to modify storage account networking settings.
Understanding of network architecture and client connectivity requirements.
Remediation:
Test Plan:
Using Azure Portal:
Sign in to https://portal.azure.com.
Navigate to Storage Accounts and select the target account.
Go to Networking or Firewalls and virtual networks.
Verify that Public Network Access is set to Disabled.
Using Azure CLI:
Check public network access status:
az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query publicNetworkAccess --output tsv
Confirm the output is Disabled.
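The CLI check above covers one account at a time. The following is an added example (not part of the benchmark text) that audits a whole subscription: it parses the JSON emitted by az storage account list and reports every account whose publicNetworkAccess is not Disabled, treating a missing or null value as Enabled, which is the service default for accounts that never set the property. The sample JSON and the account names in it are constructed.

```python
"""Audit Azure Storage Accounts for public network access (added example)."""
import json
import subprocess
import sys

# Constructed sample of `az storage account list` output, trimmed to the fields used.
SAMPLE_OUTPUT = json.dumps([
    {"name": "stprodlogs", "resourceGroup": "rg-prod",
     "publicNetworkAccess": "Disabled", "networkRuleSet": {"defaultAction": "Deny"}},
    {"name": "stlegacy", "resourceGroup": "rg-legacy",
     "publicNetworkAccess": None, "networkRuleSet": {"defaultAction": "Allow"}},
    {"name": "stdevdata", "resourceGroup": "rg-dev",
     "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Deny"}},
])


def find_public_accounts(accounts_json: str) -> list:
    """Return the accounts whose publicNetworkAccess is not 'Disabled'."""
    findings = []
    for acct in json.loads(accounts_json):
        # A null/absent property means the platform default, which is Enabled.
        access = acct.get("publicNetworkAccess") or "Enabled"
        if access == "Disabled":
            continue
        ruleset = acct.get("networkRuleSet") or {}
        findings.append({
            "name": acct["name"],
            "resourceGroup": acct.get("resourceGroup"),
            "publicNetworkAccess": access,
            # defaultAction=Deny restricts public access to selected networks; the
            # account still fails this recommendation, but is less exposed than Allow.
            "defaultAction": ruleset.get("defaultAction", "Allow"),
        })
    return findings


def main() -> int:
    if "--live" in sys.argv:
        # Query the current subscription; requires an authenticated Azure CLI.
        raw = subprocess.run(["az", "storage", "account", "list", "--output", "json"],
                             check=True, capture_output=True, text=True).stdout
    else:
        raw = SAMPLE_OUTPUT
    findings = find_public_accounts(raw)
    for f in findings:
        print(f"{f['resourceGroup']}/{f['name']}: publicNetworkAccess="
              f"{f['publicNetworkAccess']} defaultAction={f['defaultAction']}")
    return 1 if findings else 0  # non-zero exit makes it usable as a CI gate


if __name__ == "__main__":
    sys.exit(main())
```

Run with --live to audit the subscription the Azure CLI is signed in to; without it the script evaluates the constructed sample.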
Implementation Plan:
Using Azure Portal:
In the storage account Networking settings, set Public Network Access to Disabled.
Save the changes.
Test client connectivity via private networks or Private Endpoints.
Using Azure CLI:
Disable public network access:
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --set publicNetworkAccess=Disabled
Confirm the change by querying the property again.
Backout Plan:
Using Azure Portal:
Re-enable public network access by changing the setting to Enabled if needed.
Inform stakeholders of the change and monitor for impact.
Using Azure CLI:
Enable public network access:
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --set publicNetworkAccess=Enabled
References: