Profile Applicability:

  • Level 1

Description:
 The default network access rule for Azure Storage Accounts determines whether network traffic not explicitly allowed by firewall rules is permitted or denied. Setting the default action to Deny ensures that all unspecified network traffic is blocked by default, enforcing a least-privilege access model.

Rationale:
 A deny-by-default network rule minimizes exposure by blocking any network access that is not explicitly permitted. This reduces the risk of unauthorized access and supports compliance with strict network security policies.

Impact:

Pros:

  • Enhances security by restricting access to trusted networks only.

  • Prevents accidental exposure of storage accounts to untrusted networks.

  • Supports regulatory and organizational network segmentation requirements.

Cons:

  • Requires careful management of allow rules to avoid service disruption.

  • May cause connectivity issues if legitimate networks are not whitelisted.

Default Value:
 By default, a storage account's default network action is Allow, so it accepts traffic from all networks until firewall or virtual network rules are configured.

Pre-requisites:

  • Permissions to modify storage account firewall and network rules.

  • Inventory of trusted IP ranges and virtual networks.

Remediation:

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to Storage Accounts and select the target account.

  3. Go to Networking > Firewalls and virtual networks.

  4. Verify that the Default action is set to Deny.

Using Azure CLI:

  1. Check default network rule action:

    az storage account show --name <storage-account-name> --resource-group <resource-group> --query networkRuleSet.defaultAction --output tsv

  2. Confirm the output is Deny.

Implementation Plan:

Using Azure Portal:

  1. In the storage account Networking settings, set the Default action to Deny.

  2. Save the configuration.

  3. Add necessary allow rules for trusted networks and test connectivity.

Using Azure CLI:

  1. Set default network rule action to Deny:

    az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Deny

  2. Verify the setting.
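The test and implementation steps above check one account at a time. The script below is an added example, not part of this benchmark or of the Azure CLI project: it evaluates every account in a subscription against the Deny requirement and prints the remediation command for each one that fails. It assumes the JMESPath projection in QUERY over `az storage account list` (the field names defaultAction, ipRules and virtualNetworkRules are those the CLI emits); SAMPLE_ACCOUNTS is constructed so the script runs offline, and `--live` switches to the real CLI. It also flags accounts that are Deny with no allow rules at all, which is the case the Cons section warns about.

```python
# Added example (not from the benchmark): audit storage accounts for the
# Deny default action and print the remediation command for any that fail.
import subprocess
import sys
import json

# JMESPath projection assumed for `az storage account list`; the field names
# under networkRuleSet are the ones the Azure CLI emits.
QUERY = "[].{name:name, rg:resourceGroup, rules:networkRuleSet}"

# Constructed sample in that shape, so the script runs without a subscription.
SAMPLE_ACCOUNTS = [
    {"name": "stlogsprod", "rg": "rg-logs",
     "rules": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
    {"name": "stdataprod", "rg": "rg-data",
     "rules": {"defaultAction": "Deny",
               "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
               "virtualNetworkRules": []}},
    {"name": "stbackup", "rg": "rg-data",
     "rules": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}},
]


def evaluate(accounts):
    """Return one finding per account: PASS only when defaultAction is Deny."""
    findings = []
    for acct in accounts:
        rules = acct.get("rules") or {}
        # A missing networkRuleSet means no firewall rules were ever set,
        # which the service treats as Allow.
        action = rules.get("defaultAction") or "Allow"
        allow_rules = (len(rules.get("ipRules") or [])
                       + len(rules.get("virtualNetworkRules") or []))
        findings.append({
            "name": acct["name"],
            "rg": acct["rg"],
            "action": action,
            "allow_rules": allow_rules,
            "status": "PASS" if action == "Deny" else "FAIL",
            # Deny with nothing allowed: compliant, but verify trusted
            # networks are listed before clients depend on this account.
            "warning": action == "Deny" and allow_rules == 0,
        })
    return findings


def remediation_command(finding):
    """The CLI command from the implementation plan, filled in for one account."""
    return ("az storage account update --name {name} --resource-group {rg} "
            "--default-action Deny").format(**finding)


def load_from_cli():
    """Live mode: run the Azure CLI (requires `az login` and read permission)."""
    proc = subprocess.run(
        ["az", "storage", "account", "list", "--query", QUERY, "-o", "json"],
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def main(argv):
    accounts = load_from_cli() if "--live" in argv else SAMPLE_ACCOUNTS
    findings = evaluate(accounts)
    for f in findings:
        line = "{status} {name} ({rg}): defaultAction={action}, allow rules={allow_rules}".format(**f)
        if f["warning"]:
            line += "  [Deny with no allow rules: confirm trusted networks are listed]"
        print(line)
        if f["status"] == "FAIL":
            print("    remediate: " + remediation_command(f))
    # Non-zero exit lets a pipeline gate on any failing account.
    return 1 if any(f["status"] == "FAIL" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the constructed sample evaluated; run it with `--live` inside a logged-in Azure CLI session to audit the current subscription. The printed remediation line is the same `az storage account update` command as in the implementation plan, so it can be reviewed and applied account by account after the trusted networks have been added.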

Backout Plan:

Using Azure Portal:

  1. Change the Default action back to Allow if necessary.

  2. Inform relevant teams and monitor access.

Using Azure CLI:

  1. Set default network rule action to Allow:

    az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Allow

References: