By default, Azure storage accounts are accessible from the public network. This means that anyone who obtains the storage account's shared access signature (SAS) token, access keys, or connection string can copy, modify, or delete the data in it from anywhere on the internet. Here are the steps to restrict an Azure storage account from the public network to specific Azure virtual networks or specific public IP addresses.
- Navigate to the Azure storage account in the Azure portal.
- Go to Networking under Settings.
- Change "Allow access from" from All networks to Selected networks.
- Select a virtual network that has the Microsoft.Storage service endpoint enabled, or create a new virtual network. If your current virtual network does not have the Microsoft.Storage service endpoint enabled, you will not be able to select it.
- Add the public IP addresses that must be able to reach the storage account from the public network, then click Save.
Note – Make sure that trusted Microsoft services remain allowed to access the storage account.
- Now, if someone tries to access your Azure storage account from an IP address that is not on the allowed list, they will get the following error.
Now your Azure storage account is secured and accessible only from the selected virtual networks and the specified public IP addresses.
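As an added example (not part of the original post), here is a small Python check that audits a storage account's network rule set against the steps above: default action Deny, trusted Microsoft services still bypassed, and IP rules that Azure will accept (no RFC 1918 ranges, no /31 or /32 prefixes). The dictionary shape follows the networkRuleSet property of the storage account REST/ARM representation (assumed), and the subscription id, resource names and addresses are constructed.

```python
import ipaddress

# Constructed samples in the shape of the networkRuleSet property of the
# storage account resource (key names assumed; ids and addresses are made up).
HARDENED = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.10"}, {"value": "198.51.100.0/24"}],
    "virtualNetworkRules": [{"id": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/"
                             "Microsoft.Network/virtualNetworks/vnet1/subnets/app", "state": "Succeeded"}],
}
WEAK = {  # still open to all networks, plus IP rules Azure would reject on save
    "defaultAction": "Allow", "bypass": "None",
    "ipRules": [{"value": "192.168.1.0/24"}, {"value": "203.0.113.0/31"}],
    "virtualNetworkRules": [],
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_network_rule_set(rules):
    """Return findings (an empty list means the rule set matches the hardening steps above)."""
    findings = []
    if rules.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the account is reachable from all networks")
    bypass = {b.strip() for b in rules.get("bypass", "").split(",")}
    if "AzureServices" not in bypass:
        findings.append("bypass lacks AzureServices: trusted Microsoft services are blocked")
    if not rules.get("virtualNetworkRules") and not rules.get("ipRules"):
        findings.append("no virtual network or IP rules: only bypassed services can connect")
    for rule in rules.get("ipRules", []):
        value = rule.get("value", "")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"ipRule {value!r} is not a valid address or CIDR range")
            continue
        # Azure rejects private (RFC 1918) ranges and /31 or /32 prefixes in IP rules
        if any(net.overlaps(p) for p in RFC1918):
            findings.append(f"ipRule {value} is a private range and cannot be a public IP rule")
        if "/" in value and net.prefixlen > 30:
            findings.append(f"ipRule {value}: /31 and /32 ranges must be entered as single addresses")
    for vnet in rules.get("virtualNetworkRules", []):
        if vnet.get("state", "Succeeded") != "Succeeded":
            findings.append(f"vnet rule {vnet['id']} is {vnet['state']}: check the Microsoft.Storage endpoint")
    return findings


if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_network_rule_set(rules) or ["OK"])
```

Feed it the networkRuleSet block of your own account (or of a template before deployment) to confirm the portal steps above took effect.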
Please let me know your comments or thoughts on this.