Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Disable Public Network Access to Storage Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that public network access (i.e., all network access) to Microsoft Azure Storage accounts is disabled in order to enhance security by preventing unauthorized access. Since Azure Storage accounts are initially configured to accept connections from all networks, applying network restrictions is essential for improved security and compliance.

Security

When an Microsoft Azure Storage account is open to public access, it can be reached by all hosts and networks, including the Internet. This raises the likelihood of unauthorized access, security breaches, and potential compliance violations. However, if public network access is disabled, the public endpoint for your Storage account will be restricted, allowing access only through private endpoint connections.

Making changes to network rules can impact your applications' ability to connect to the Azure Storage account. Make sure to grant access to any allowed networks using network rules or IP ranges using firewalls before you change the default rule in order to deny access.

Audit

To determine whether public network access to your Azure Storage accounts is disabled, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected Storage account.

07 Select the Firewalls and virtual networks tab and check the Public network access configuration setting to determine the level of access configured for the selected resource. If Public network access is set to Enabled from all networks, all networks, including the Internet, can access your Storage account. Therefore, the public network access to the selected Azure Storage account is not disabled.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the identifier (name) of each storage account provisioned in the selected subscription: 

az storage account list
	--query '[*].name'

05 The command output should return the requested storage account names: 

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run storage account show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to determine if the public network access to the selected Storage account is disabled: 

az storage account show
	--name project5storageaccount
	--query '{networkRuleSet:networkRuleSet.defaultAction,publicNetworkAccess:publicNetworkAccess}'

07 The command output should return the status of the default network access rule used by the selected Storage account (i.e. "networkRuleSet" value) and the status of the "publicNetworkAccess" setting: 

{
	"networkRuleSet": "Allow",
	"publicNetworkAccess": "Enabled"
}

If the storage account show command output returns "Allow" for "networkRuleSet" and "Enabled" for "publicNetworkAccess", as shown in the example above, all networks, including the Internet, can access your Storage account. Therefore, the public network access to the selected Azure Storage account disk is not disabled.

08 Repeat steps no. 6 and 7 for each Azure Storage account created within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable public network access to your Azure virtual machine (VM) disks, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Storage account, and choose Apply to list only the Storage accounts available in the selected Azure subscription.

05 Click on the name (link) of the Azure Storage account that you want to configure.

06 In the resource navigation panel, under Security + networking, choose Networking to access the networking settings available for the selected Storage account.

07 Select the Firewalls and virtual networks tab, set Public network access to Disabled, and choose Save to apply the changes. Once the new network configuration is applied, no public networks can access your resource. Private endpoint connections will be the exclusive way to access your Storage account. (Optional) Follow the steps outlined on this page to allow access to private endpoints only.

08 Repeat steps no. 5 – 7 for each Azure Storage account provisioned within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account update command (OSX/Linux/UNIX) with the name of the Azure Storage account that you want to configure as the identifier parameter, to disable public network access to the selected Storage account. Once the new network configuration is applied, no public networks can access your resource. Private endpoint connections will be the exclusive way to access your Storage account. (Optional) Follow the steps outlined on this page to allow access to private endpoints only: 

az storage account update
	--name project5storageaccount
	--default-action Deny
	--public-network-access Disabled

05 The command output should return the configuration information available for the modified resource: 

{
	"accessTier": "Hot",
	"accountMigrationInProgress": null,
	"allowBlobPublicAccess": false,
	"allowCrossTenantReplication": false,
	"allowSharedKeyAccess": true,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"customDomain": null,
	"defaultToOAuthAuthentication": false,
	"dnsEndpointType": "Standard",
	"enableExtendedGroups": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"encryption": {
		"encryptionIdentity": null,
		"keySource": "Microsoft.Storage",
		"keyVaultProperties": null,
		"requireInfrastructureEncryption": false,
		"services": {
			"blob": {
				"enabled": true,
				"keyType": "Account",
			},
			"file": {
				"enabled": true,
				"keyType": "Account",
			},
			"queue": null,
			"table": null
		}
	},
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount",
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"isSkuConversionBlocked": null,
	"keyPolicy": null,
	"kind": "StorageV2",
	"largeFileSharesState": "Enabled",
	"lastGeoFailoverTime": null,
	"location": "westeurope",
	"minimumTlsVersion": "TLS1_2",
	"name": "project5storageaccount",
	"networkRuleSet": {
		"bypass": "AzureServices",
		"defaultAction": "Deny",
		"ipRules": [],
		"ipv6Rules": [],
		"resourceAccessRules": [],
		"virtualNetworkRules": [
			{
				"action": "Allow",
				"state": "Succeeded",
				"virtualNetworkResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet-001"
			}
		]
	},
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

06 Repeat steps no. 4 and 5 for each Azure Storage account created within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Publication date May 8, 2025

Related StorageAccounts rules