Top / Microsoft Azure / Azure Storage / Account Network Rules

Azure Storage Account Network Rules

This page shows how to write Terraform and Azure Resource Manager for Storage Account Network Rules and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_storage_account_network_rules (Terraform)

The Account Network Rules in Storage can be configured in Terraform with the resource name azurerm_storage_account_network_rules. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

azure_storage.tf#L12
resource "azurerm_storage_account_network_rules" "sa2_rules" {
  resource_group_name  = azurerm_resource_group.rg1.name
  storage_account_name = azurerm_storage_account.sa2.name

  default_action             = "Deny"
  ip_rules                   = [data.azurerm_key_vault_secret.davids_home_ip.value, data.azurerm_key_vault_secret.shanikas_home_ip.value]
storage-default-action-deny.tf#L2
resource "azurerm_storage_account_network_rules" "good_example" {
  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}
main.tf#L1
resource "azurerm_storage_account_network_rules" "SANetRule" {
  resource_group_name  = var.resource_group_name
  storage_account_name = var.storage_account_name

  default_action             = var.default_action
  ip_rules                   = var.ip_rules
storage-allow-microsoft-service-bypass.tf#L22
resource "azurerm_storage_account_network_rules" "test" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name

  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
main.tf#L1
resource "azurerm_storage_account_network_rules" "network_rules" {
  resource_group_name  = var.resource_group_name
  storage_account_name = var.storage_account_name

  default_action             = var.default_action
  ip_rules                   = var.ip_rules
positive1.tf#L38
resource "azurerm_storage_account_network_rules" "positive3" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name

  default_action             = "Allow"
  ip_rules                   = ["0.0.0.0/0"]
08%20-%20services.tf#L23
resource "azurerm_storage_account_network_rules" "storageaccountnetrules" {
  resource_group_name      = azurerm_resource_group.rg-br-infra-prod.name
  storage_account_name = azurerm_storage_account.storageaccountproddl.name

  default_action             = "Allow"
  #ip_rules                   = ["172.25.0.0/16"]
storage_network_rules.tf#L1
resource "azurerm_storage_account_network_rules" "storage_fw" {
  resource_group_name  = var.rg_name
  storage_account_name = azurerm_storage_account.storage_account.name

  default_action             = "Deny"
  ip_rules                   = var.ip_rules
main.tf#L1
resource "azurerm_storage_account_network_rules" "module" {
  storage_account_name = var.storage_name
  resource_group_name  = var.rg_name

  default_action             = var.storage_net_default_action
  ip_rules                   = var.storage_net_ip_rules
positive.tf#L38
resource "azurerm_storage_account_network_rules" "positive3" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name

  default_action             = "Allow"
  ip_rules                   = ["0.0.0.0/0"]

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_storage_account_network_rules

There is 1 setting in azurerm_storage_account_network_rules that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure to allow Trusted Microsoft Services to bypass

It is better to allow Trusted Microsoft Services to bypass. They are not able to access storage account unless rules are set to allow them explicitly.

Review your Azure Storage settings

You can check if the azurerm_storage_account_network_rules setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages network rules inside of a Azure Storage Account.

NOTE: Network Rules can be defined either directly on the azurerm_storage_account resource, or using the azurerm_storage_account_network_rules resource - but the two cannot be used together. Spurious changes will occur if both are used against the same Storage Account.

NOTE: Only one azurerm_storage_account_network_rules can be tied to an azurerm_storage_account. Spurious changes will occur if more than azurerm_storage_account_network_rules is tied to the same azurerm_storage_account.

NOTE: Deleting this resource updates the storage account back to the default values it had when the storage account was created.

>> from Terraform Registry

Tips: Best Practices for The Other Azure Storage Resources

In addition to the azurerm_storage_account, Azure Storage has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_storage_account

Ensure to use HTTPS connections

It is better to use HTTPS instead of HTTP, which could be vulnerable to person-in-the-middle attacks.

Review your Azure Storage settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Storage/storageAccounts (Azure Resource Manager)

The storageAccounts in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

deploy.json#L52
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "location": "[parameters('location')]",
            "kind": "StorageV2",
            "sku": {
                "name": "[variables('skuName')]",
deploy.json#L52
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "location": "[parameters('location')]",
            "kind": "StorageV2",
            "sku": {
                "name": "[variables('skuName')]",
template.json#L13
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-01-01",
            "name": "[parameters('storageAccounts_kohithdiagstrg_name')]",
            "location": "centralus",
            "sku": {
                "name": "Standard_LRS",
cs1100320011af67746.json#L12
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-01-01",
      "name": "[parameters('storageAccounts_cs1100320011af67746_name')]",
      "location": "southeastasia",
      "tags": {
        "ms-resource-usage": "azure-cloud-shell"
storage.json#L26
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2020-08-01-preview",
            "name": "[parameters('storageAccountName')]",
            "location": "[parameters('location')]",
            "dependsOn": [
            ],
storageacc.json#L9
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2019-06-01",
        "name": "veeraprathap465",
        "location": "eastus",
        "sku": {
          "name": "Standard_LRS"
template.json#L13
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-04-01",
            "name": "[parameters('storageAccounts_1sinkstorageaccountmgs_name')]",
            "location": "eastus",
            "sku": {
                "name": "Standard_LRS",
deploy.json#L17
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2020-08-01-preview",
      "name": "[parameters('storageAccountName')]",
      "location": "eastus",
      "sku": {
        "name": "Standard_LRS",
template.json#L13
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "name": "[parameters('storageAccounts_sardniceaccountname_name')]",
            "location": "westindia",
            "sku": {
                "name": "Standard_RAGRS",
sa_tpisprod_arm_template.json#L13
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-04-01",
            "name": "[parameters('storageAccounts_tpisprod_name')]",
            "location": "eastus",
            "tags": {
                "System Owner": "IA-TPIS",

Parameters

  • apiVersion required - string
  • extendedLocation optional
      • name optional - string

        The name of the extended location.

      • type optional - string

        The type of the extended location.

  • identity optional
      • type required - string

        The identity type.

      • userAssignedIdentities optional - undefined

        Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.

  • kind required - string

    Required. Indicates the type of storage account.

  • location required - string

    Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed.

  • name required - string

    The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.

  • properties optional
      • accessTier optional - string

        Required for storage accounts where kind = BlobStorage. The access tier used for billing.

      • allowBlobPublicAccess optional - boolean

        Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property.

      • allowCrossTenantReplication optional - boolean

        Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.

      • allowSharedKeyAccess optional - boolean

        Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.

      • azureFilesIdentityBasedAuthentication optional
          • activeDirectoryProperties optional
              • azureStorageSid required - string

                Specifies the security identifier (SID) for Azure Storage.

              • domainGuid required - string

                Specifies the domain GUID.

              • domainName required - string

                Specifies the primary domain that the AD DNS server is authoritative for.

              • domainSid required - string

                Specifies the security identifier (SID).

              • forestName required - string

                Specifies the Active Directory forest to get.

              • netBiosDomainName required - string

                Specifies the NetBIOS domain name.

          • defaultSharePermission optional - string

            Default share permission for users using Kerberos authentication if RBAC role is not assigned.

          • directoryServiceOptions required - string

            Indicates the directory service used.

      • customDomain optional
          • name required - string

            Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source.

          • useSubDomainName optional - boolean

            Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates.

      • defaultToOAuthAuthentication optional - boolean

        A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property.

      • encryption optional
          • identity optional
              • userAssignedIdentity optional - string

                Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.

          • keySource required - string

            The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault.

          • keyvaultproperties optional
              • keyname optional - string

                The name of KeyVault key.

              • keyvaulturi optional - string

                The Uri of KeyVault.

              • keyversion optional - string

                The version of KeyVault key.

          • requireInfrastructureEncryption optional - boolean

            A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

          • services optional
              • blob optional
                  • enabled optional - boolean

                    A boolean indicating whether or not the service encrypts the data as it is stored.

                  • keyType optional - string

                    Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

              • file optional
                  • enabled optional - boolean

                    A boolean indicating whether or not the service encrypts the data as it is stored.

                  • keyType optional - string

                    Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

              • queue optional
                  • enabled optional - boolean

                    A boolean indicating whether or not the service encrypts the data as it is stored.

                  • keyType optional - string

                    Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

              • table optional
                  • enabled optional - boolean

                    A boolean indicating whether or not the service encrypts the data as it is stored.

                  • keyType optional - string

                    Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.

      • immutableStorageWithVersioning optional
          • enabled optional - boolean

            A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default.

          • immutabilityPolicy optional
              • allowProtectedAppendWrites optional - boolean

                This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

              • immutabilityPeriodSinceCreationInDays optional - integer

                The immutability period for the blobs in the container since the policy creation, in days.

              • state optional - string

                The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

      • isHnsEnabled optional - boolean

        Account HierarchicalNamespace enabled if sets to true.

      • isNfsV3Enabled optional - boolean

        NFS 3.0 protocol support enabled if set to true.

      • keyPolicy optional
          • keyExpirationPeriodInDays required - integer

            The key expiration period in days.

      • largeFileSharesState optional - string

        Allow large file shares if sets to Enabled. It cannot be disabled once it is enabled.

      • minimumTlsVersion optional - string

        Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.

      • networkAcls optional
          • bypass optional - string

            Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging|Metrics|AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics.

          • defaultAction required - string

            Specifies the default action of allow or deny when no other rules match.

          • ipRules optional array
              • action optional - string

                The action of IP ACL rule.

              • value required - string

                Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed.

          • resourceAccessRules optional array
              • resourceId optional - string

                Resource Id

              • tenantId optional - string

                Tenant Id

          • virtualNetworkRules optional array
              • action optional - string

                The action of virtual network rule.

              • id required - string

                Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.

              • state optional - string

                Gets the state of virtual network rule.

      • publicNetworkAccess optional - string

        Allow or disallow public network access to Storage Account. Value is optional but if passed in, must be 'Enabled' or 'Disabled'.

      • routingPreference optional
          • publishInternetEndpoints optional - boolean

            A boolean flag which indicates whether internet routing storage endpoints are to be published

          • publishMicrosoftEndpoints optional - boolean

            A boolean flag which indicates whether microsoft routing storage endpoints are to be published

          • routingChoice optional - string

            Routing Choice defines the kind of network routing opted by the user.

      • sasPolicy optional
          • expirationAction required - string

            The SAS expiration action. Can only be Log.

          • sasExpirationPeriod required - string

            The SAS expiration period, DD.HH:MM:SS.

      • supportsHttpsTrafficOnly optional - boolean

        Allows https traffic only to storage service if sets to true. The default value is true since API version 2019-04-01.

  • sku required
      • name required - string
      • tier optional - string
  • tags optional - string

    Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters.

  • type required - string

>> from Azure Resource Manager Documentation

The Other Related Azure Storage Resources

Frequently asked questions

What is Azure Storage Account Network Rules?

Azure Storage Account Network Rules is a resource for Storage of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Storage Account Network Rules?

For Terraform, the drhbigdave/azure_python_func_apps, returntocorp/semgrep-rules and prancer-io/prancer-terramerra source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the prash280887/GDTools, prashantakhouri/GDTools and kohithreddy/Samples source code examples are useful. See the Azure Resource Manager Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents