Configure Network Rules
Control network access to your storage account using firewalls and VNets.
| Rule Type | Action | Configuration |
|---|---|---|
| Default Action | Allow or Deny | Controls non-matched traffic. |
| IP Rules | Allow IP/Range | Whitelist specific external IPs. |
| VNet Rules | Allow Subnet | Enable Service Endpoints. |
| Resource Instances | Allow Service | Grant access to specific Azure services. |
Warning
Changing the default action to "Deny" immediately breaks all access not explicitly whitelisted.
```mermaid
graph TD
    A[Incoming Request] --> B{Default Action?}
    B -->|Allow| C[Evaluate Rules]
    B -->|Deny| D{Matches Rule?}
    D -->|Yes| E[Grant Access]
    D -->|No| F[Deny Access]
```
Rule Validation Checklist
- Confirm default action aligns with target exposure.
- Add trusted public IP ranges where required.
- Add subnet rules only after validating service endpoints.
- Validate resource instance exceptions if used.
- Confirm bypass settings for Azure services are intentional.
- Test access from approved and blocked networks.
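
One way to run the checklist above against an exported rule set, as an added example (not part of the original page or of Azure's tooling). The field names are assumed to match the `networkRuleSet` object returned by `az storage account show`; the /24 review threshold, sample values and resource IDs are constructed.

```python
import ipaddress

# RFC 1918 ranges: the checklist calls for *public* IP ranges in IP rules.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 24  # assumed review threshold: flag IPv4 ranges wider than /24

def audit_network_rules(rules):
    """Return checklist findings for one storage account's network rule set."""
    findings = []
    if rules.get("defaultAction") != "Deny":
        findings.append("default-action: not Deny, non-matched traffic is admitted")
    for rule in rules.get("ipRules") or []:
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            findings.append(f"ip-rule: {net} is private, not a public range")
        elif net.prefixlen < MIN_PREFIX:
            findings.append(f"ip-rule: {net} is wider than /{MIN_PREFIX}")
    for rule in rules.get("virtualNetworkRules") or []:
        if rule.get("state") != "Succeeded":  # rule not provisioned successfully
            subnet = rule["virtualNetworkResourceId"].rsplit("/", 1)[-1]
            findings.append(f"vnet-rule: subnet {subnet} state is {rule.get('state')}")
    bypass = [b.strip() for b in (rules.get("bypass") or "None").split(",")]
    if "AzureServices" in bypass:
        findings.append("bypass: AzureServices enabled, confirm it is intentional")
    for rule in rules.get("resourceAccessRules") or []:
        findings.append(f"resource-instance: review {rule['resourceId']}")
    return findings

# Constructed sample; field names assumed to follow the output of
# `az storage account show --query networkRuleSet`. IDs are placeholders.
VNET = "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet"
SAMPLE = {
    "defaultAction": "Allow",
    "bypass": "Logging, AzureServices",
    "ipRules": [
        {"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"},  # passes
        {"action": "Allow", "ipAddressOrRange": "198.18.0.0/15"},   # too wide
        {"action": "Allow", "ipAddressOrRange": "10.1.2.3"},        # private
    ],
    "virtualNetworkRules": [
        {"state": "Succeeded", "virtualNetworkResourceId": VNET + "/subnets/web"},
        {"state": "Failed", "virtualNetworkResourceId": VNET + "/subnets/app"},
    ],
    "resourceAccessRules": [],
}

if __name__ == "__main__":
    print("\n".join(audit_network_rules(SAMPLE)))
```

An empty result means the rule set passed these static checks; the last checklist item, testing from approved and blocked networks, still has to be done against the live account.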