Azure Storage Account Network Rules
This page shows how to write Terraform and Azure Resource Manager for Storage Account Network Rules and write them securely.
azurerm_storage_account_network_rules (Terraform)
The Account Network Rules in Storage can be configured in Terraform with the resource name azurerm_storage_account_network_rules. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_storage_account_network_rules" "sa2_rules" {
  resource_group_name  = azurerm_resource_group.rg1.name
  storage_account_name = azurerm_storage_account.sa2.name
  default_action       = "Deny"
  ip_rules             = [data.azurerm_key_vault_secret.davids_home_ip.value, data.azurerm_key_vault_secret.shanikas_home_ip.value]
}

resource "azurerm_storage_account_network_rules" "good_example" {
  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics"]
}

resource "azurerm_storage_account_network_rules" "SANetRule" {
  resource_group_name  = var.resource_group_name
  storage_account_name = var.storage_account_name
  default_action       = var.default_action
  ip_rules             = var.ip_rules
}

resource "azurerm_storage_account_network_rules" "test" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name
  default_action       = "Allow"
  ip_rules             = ["127.0.0.1"]
}

resource "azurerm_storage_account_network_rules" "network_rules" {
  resource_group_name  = var.resource_group_name
  storage_account_name = var.storage_account_name
  default_action       = var.default_action
  ip_rules             = var.ip_rules
}

# Insecure on purpose (a scanner test case): the default action admits all
# sources, and the 0.0.0.0/0 rule would admit everything even under "Deny".
resource "azurerm_storage_account_network_rules" "positive3" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name
  default_action       = "Allow"
  ip_rules             = ["0.0.0.0/0"]
}

resource "azurerm_storage_account_network_rules" "storageaccountnetrules" {
  resource_group_name  = azurerm_resource_group.rg-br-infra-prod.name
  storage_account_name = azurerm_storage_account.storageaccountproddl.name
  default_action       = "Allow"
  #ip_rules = ["172.25.0.0/16"]
}

resource "azurerm_storage_account_network_rules" "storage_fw" {
  resource_group_name  = var.rg_name
  storage_account_name = azurerm_storage_account.storage_account.name
  default_action       = "Deny"
  ip_rules             = var.ip_rules
}

resource "azurerm_storage_account_network_rules" "module" {
  storage_account_name = var.storage_name
  resource_group_name  = var.rg_name
  default_action       = var.storage_net_default_action
  ip_rules             = var.storage_net_ip_rules
}

# Same scanner test case as above, collected from a second file.
resource "azurerm_storage_account_network_rules" "positive3" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name
  default_action       = "Allow"
  ip_rules             = ["0.0.0.0/0"]
}
Security Best Practices for azurerm_storage_account_network_rules
There is 1 setting in azurerm_storage_account_network_rules that should be taken care of for security reasons. The following section gives an overview and example code.
Ensure to allow Trusted Microsoft Services to bypass
It is better to allow Trusted Microsoft Services to bypass the network rules. Once the default action is Deny, those services cannot reach the storage account unless the rules explicitly allow them, so name them in the bypass list.
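As an added example (not code from the original page or from the repositories it cites), the following rule set applies the Deny-by-default pattern seen in the examples above while keeping trusted Microsoft services reachable through the bypass list. Note that the page's good_example sets bypass to ["Metrics"] only, which is exactly the gap this best practice flags: once bypass is set, AzureServices has to be named explicitly. The resource group rg, storage account sa, virtual network vnet and the 203.0.113.0/24 range are assumed placeholders; the argument names follow the page's examples (azurerm provider 2.x style, where the rules are bound by storage_account_name and resource_group_name; provider 3.x replaces both with storage_account_id).

```hcl
# Added example, not from the original page. Assumes azurerm_resource_group.rg,
# azurerm_storage_account.sa and azurerm_virtual_network.vnet are declared
# elsewhere in the same configuration; 203.0.113.0/24 is a placeholder range.

# A subnet rule only admits traffic when the subnet carries the
# Microsoft.Storage service endpoint; without it the rule is accepted by
# Terraform but the subnet's traffic is still denied.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

# Hardened rule set: deny by default, admit only the listed public range and
# the application subnet, and let trusted Microsoft services plus the
# platform's own logging/metrics traffic through via the bypass list.
# Compare the page's "positive3" example, where default_action = "Allow"
# and the 0.0.0.0/0 rule would admit every source even under "Deny".
resource "azurerm_storage_account_network_rules" "hardened" {
  storage_account_name = azurerm_storage_account.sa.name
  resource_group_name  = azurerm_resource_group.rg.name

  default_action             = "Deny"
  ip_rules                   = ["203.0.113.0/24"] # placeholder office egress range
  virtual_network_subnet_ids = [azurerm_subnet.app.id]

  # Valid members: "AzureServices", "Logging", "Metrics"; or ["None"] to bypass nothing.
  bypass = ["AzureServices", "Logging", "Metrics"]
}
```

The subnet rule and the bypass list are complementary: the former admits your own workloads, the latter keeps platform services working after the firewall closes. Also keep in mind the Registry note below: removing this resource does not leave the account locked down, it reverts the account to the network defaults it was created with, so a deletion deserves the same review as any other firewall change.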
Parameters
bypass
optional, computed - set of string
default_action
required - string
id
optional, computed - string
ip_rules
optional, computed - set of string
resource_group_name
required - string
storage_account_name
required - string
virtual_network_subnet_ids
optional, computed - set of string
timeouts
single block
Explanation in Terraform Registry
Manages network rules inside of an Azure Storage Account.
NOTE: Network Rules can be defined either directly on the azurerm_storage_account resource, or using the azurerm_storage_account_network_rules resource - but the two cannot be used together. Spurious changes will occur if both are used against the same Storage Account.
NOTE: Only one azurerm_storage_account_network_rules can be tied to an azurerm_storage_account. Spurious changes will occur if more than one azurerm_storage_account_network_rules is tied to the same azurerm_storage_account.
NOTE: Deleting this resource updates the storage account back to the default values it had when the storage account was created.
Tips: Best Practices for The Other Azure Storage Resources
In addition to azurerm_storage_account_network_rules, Azure Storage has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_storage_account
Ensure to use HTTPS connections
It is better to use HTTPS instead of HTTP, which could be vulnerable to person-in-the-middle attacks.
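The Registry note above says the network rules can also live inline on azurerm_storage_account, and the HTTPS tip belongs on that same resource. The following added example (not code from the page or from any repository it cites) shows that inline form together with the transport settings. It assumes a resource group rg and a subnet app that already carries the Microsoft.Storage service endpoint; the account name and the 203.0.113.0/24 range are placeholders, and the argument names are those of azurerm provider 2.x/3.x.

```hcl
# Added example, not from the original page. Assumes azurerm_resource_group.rg
# and azurerm_subnet.app (with service_endpoints = ["Microsoft.Storage"]) are
# declared elsewhere in the configuration.
resource "azurerm_storage_account" "sa" {
  name                     = "stexampleprod001" # placeholder: 3-24 lowercase letters/digits
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Transport hardening (the "use HTTPS" tip): refuse plain HTTP and anything
  # older than TLS 1.2. Older provider versions, like the ARM API itself,
  # default the minimum to TLS 1.0, so set it explicitly.
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  # No anonymous reads of blobs or containers, whatever a container's own
  # access level says.
  allow_nested_items_to_be_public = false

  # Inline network rules. Because the rules are declared here, this account
  # must NOT also have an azurerm_storage_account_network_rules resource,
  # otherwise the two fight over the same setting on every apply.
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices", "Logging", "Metrics"]
    ip_rules                   = ["203.0.113.0/24"] # placeholder
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}
```

Choose one home for the rules per account and keep it: the inline block when the account and its firewall are owned by the same module, the separate resource when another team or module manages the firewall after the account exists. In the Azure Resource Manager section below, the corresponding properties are networkAcls (defaultAction, bypass, ipRules, virtualNetworkRules), supportsHttpsTrafficOnly, minimumTlsVersion and allowBlobPublicAccess.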
Microsoft.Storage/storageAccounts (Azure Resource Manager)
The storageAccounts in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "location": "[parameters('location')]",
  "kind": "StorageV2",
  "sku": {
    "name": "[variables('skuName')]"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "location": "[parameters('location')]",
  "kind": "StorageV2",
  "sku": {
    "name": "[variables('skuName')]"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-01-01",
  "name": "[parameters('storageAccounts_kohithdiagstrg_name')]",
  "location": "centralus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-01-01",
  "name": "[parameters('storageAccounts_cs1100320011af67746_name')]",
  "location": "southeastasia",
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2020-08-01-preview",
  "name": "[parameters('storageAccountName')]",
  "location": "[parameters('location')]",
  "dependsOn": [
  ]
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "name": "veeraprathap465",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-04-01",
  "name": "[parameters('storageAccounts_1sinkstorageaccountmgs_name')]",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2020-08-01-preview",
  "name": "[parameters('storageAccountName')]",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "name": "[parameters('storageAccounts_sardniceaccountname_name')]",
  "location": "westindia",
  "sku": {
    "name": "Standard_RAGRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-04-01",
  "name": "[parameters('storageAccounts_tpisprod_name')]",
  "location": "eastus",
  "tags": {
    "System Owner": "IA-TPIS"
  }
}
Parameters
apiVersion
  required - string
extendedLocation
  optional
  name
    optional - string - The name of the extended location.
  type
    optional - string - The type of the extended location.
identity
  optional
  type
    required - string - The identity type.
  userAssignedIdentities
    optional - undefined - Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
kind
  required - string - Required. Indicates the type of storage account.
location
  required - string - Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed.
name
  required - string - The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.
properties
  optional
  accessTier
    optional - string - Required for storage accounts where kind = BlobStorage. The access tier used for billing.
  allowBlobPublicAccess
    optional - boolean - Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property.
  allowCrossTenantReplication
    optional - boolean - Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.
  allowSharedKeyAccess
    optional - boolean - Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
  azureFilesIdentityBasedAuthentication
    optional
    activeDirectoryProperties
      optional
      azureStorageSid
        required - string - Specifies the security identifier (SID) for Azure Storage.
      domainGuid
        required - string - Specifies the domain GUID.
      domainName
        required - string - Specifies the primary domain that the AD DNS server is authoritative for.
      domainSid
        required - string - Specifies the security identifier (SID).
      forestName
        required - string - Specifies the Active Directory forest to get.
      netBiosDomainName
        required - string - Specifies the NetBIOS domain name.
    defaultSharePermission
      optional - string - Default share permission for users using Kerberos authentication if an RBAC role is not assigned.
    directoryServiceOptions
      required - string - Indicates the directory service used.
  customDomain
    optional
    name
      required - string - Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source.
    useSubDomainName
      optional - boolean - Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates.
  defaultToOAuthAuthentication
    optional - boolean - A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property.
  encryption
    optional
    identity
      optional
      userAssignedIdentity
        optional - string - Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.
    keySource
      required - string - The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault.
    keyvaultproperties
      optional
      keyname
        optional - string - The name of the KeyVault key.
      keyvaulturi
        optional - string - The Uri of the KeyVault.
      keyversion
        optional - string - The version of the KeyVault key.
    requireInfrastructureEncryption
      optional - boolean - A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.
    services
      optional
      blob
        optional
        enabled
          optional - boolean - A boolean indicating whether or not the service encrypts the data as it is stored.
        keyType
          optional - string - Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
      file
        optional
        enabled
          optional - boolean - A boolean indicating whether or not the service encrypts the data as it is stored.
        keyType
          optional - string - Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
      queue
        optional
        enabled
          optional - boolean - A boolean indicating whether or not the service encrypts the data as it is stored.
        keyType
          optional - string - Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
      table
        optional
        enabled
          optional - boolean - A boolean indicating whether or not the service encrypts the data as it is stored.
        keyType
          optional - string - Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
  immutableStorageWithVersioning
    optional
    enabled
      optional - boolean - A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default.
    immutabilityPolicy
      optional
      allowProtectedAppendWrites
        optional - boolean - This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
      immutabilityPeriodSinceCreationInDays
        optional - integer - The immutability period for the blobs in the container since the policy creation, in days.
      state
        optional - string - The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling the allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state, which cannot be reverted.
  isHnsEnabled
    optional - boolean - Account HierarchicalNamespace enabled if set to true.
  isNfsV3Enabled
    optional - boolean - NFS 3.0 protocol support enabled if set to true.
  keyPolicy
    optional
    keyExpirationPeriodInDays
      required - integer - The key expiration period in days.
  largeFileSharesState
    optional - string - Allow large file shares if set to Enabled. It cannot be disabled once it is enabled.
  minimumTlsVersion
    optional - string - Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.
  networkAcls
    optional
    bypass
      optional - string - Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging|Metrics|AzureServices (for example, "Logging, Metrics"), or None to bypass none of that traffic.
    defaultAction
      required - string - Specifies the default action of allow or deny when no other rules match.
    ipRules
      optional array
      action
        optional - string - The action of the IP ACL rule.
      value
        required - string - Specifies the IP or IP range in CIDR format. Only IPv4 addresses are allowed.
    resourceAccessRules
      optional array
      resourceId
        optional - string - Resource Id
      tenantId
        optional - string - Tenant Id
    virtualNetworkRules
      optional array
      action
        optional - string - The action of the virtual network rule.
      id
        required - string - Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.
      state
        optional - string - Gets the state of the virtual network rule.
  publicNetworkAccess
    optional - string - Allow or disallow public network access to the Storage Account. Value is optional but if passed in, must be 'Enabled' or 'Disabled'.
  routingPreference
    optional
    publishInternetEndpoints
      optional - boolean - A boolean flag which indicates whether internet routing storage endpoints are to be published.
    publishMicrosoftEndpoints
      optional - boolean - A boolean flag which indicates whether Microsoft routing storage endpoints are to be published.
    routingChoice
      optional - string - Routing Choice defines the kind of network routing opted by the user.
  sasPolicy
    optional
    expirationAction
      required - string - The SAS expiration action. Can only be Log.
    sasExpirationPeriod
      required - string - The SAS expiration period, DD.HH:MM:SS.
  supportsHttpsTrafficOnly
    optional - boolean - Allows https traffic only to the storage service if set to true. The default value is true since API version 2019-04-01.
sku
  required
  name
    required - string
  tier
    optional - string
tags
  optional - string - Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters.
type
  required - string
Frequently asked questions
What is Azure Storage Account Network Rules?
Azure Storage Account Network Rules is a resource for Storage of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Storage Account Network Rules?
For Terraform, the drhbigdave/azure_python_func_apps, returntocorp/semgrep-rules and prancer-io/prancer-terramerra source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the prash280887/GDTools, prashantakhouri/GDTools and kohithreddy/Samples source code examples are useful. See the Azure Resource Manager Example section for further details.