
Configuring Azure Storage Firewalls and Virtual Networks


Configuring firewalls and virtual networks secures access to your Azure Storage accounts by allowing only authorised traffic from specific networks or trusted Azure services to reach your storage resources.

By default, storage accounts accept connections from any network. Configuring firewalls and virtual networks helps to restrict this to specific networks or IP ranges.

Firewall rules can be set up to allow access from specified public IP addresses or IP ranges, while virtual network rules can be used to limit access to storage accounts to selected subnets within an Azure virtual network.

Create or Select an Azure Storage Account

  • In the Azure portal, navigate to Storage Accounts, where you can select an existing account or create a new one.

Configuring Firewall Settings

  • In the selected storage account, navigate to Security + networking
  • In the Networking section you will find the Firewalls and virtual networks options that you can configure.

Setting up a Firewall Rule

Here you can allow access from selected networks and trusted Azure services.

  • In the Firewalls and virtual networks options, select Enabled from selected virtual networks and IP addresses
  • Under Firewall settings, check Add your client IP address ('xxx.xxx.xxx.xxx')
  • Enter your client IP address or CIDR in the text box
  • Keep adding entries if you have more IP addresses or ranges that require access.

There is an option to "

Configuring Virtual Network Rules

To grant access to a virtual network, go to the virtual networks section. Ensure that the virtual network is in the same region as the storage account, or use a global virtual network rule for virtual networks in a different region.

  • Click Add existing virtual network (you can Add new virtual network if none exist)
  • Select the virtual network and subnet from which you want to allow access. The storage account will only accept traffic from this subnet.

Additionally, you can set up monitoring to track access and detect any unauthorised attempts to access the storage account.
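To confirm that the portal steps above left the account restricted, the following added example (not part of the original article) audits an exported network rule set. It flags a default action that still admits any network, very broad ranges, and two kinds of entry the storage firewall does not accept as IP rules: private RFC 1918 ranges and /31 or /32 CIDR prefixes. The field names are assumed from the `networkRuleSet` object printed by `az storage account show`, and the /16 breadth threshold and all sample values are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 16  # assumption: ranges broader than /16 are flagged for review

def check_ip_rule(value):
    """Return the problems found in one firewall IP rule (address or CIDR)."""
    try:
        net = ipaddress.IPv4Network(value, strict=False)
    except ValueError:
        return [f"{value}: not a valid IPv4 address or CIDR range"]
    problems = []
    if any(net.overlaps(p) for p in RFC1918):
        problems.append(f"{value}: private range, IP rules take public addresses")
    if "/" in value and net.prefixlen >= 31:
        problems.append(f"{value}: /31 or /32 range, enter it as single addresses")
    if net.prefixlen < MIN_PREFIX:
        problems.append(f"{value}: broader than /{MIN_PREFIX}, confirm it is intended")
    return problems

def audit_rule_set(rule_set):
    """Audit a networkRuleSet dict; field names are assumed from az CLI output."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: any network can connect")
    for rule in rule_set.get("ipRules", []):
        findings += check_ip_rule(rule["ipAddressOrRange"])
    for rule in rule_set.get("virtualNetworkRules", []):
        if rule.get("state") != "Succeeded":
            findings.append(f"{rule['virtualNetworkResourceId']}: rule not active")
    return findings

# Constructed sample (documentation addresses, placeholder subnet ID).
SAMPLE = {
    "defaultAction": "Allow",
    "ipRules": [
        {"ipAddressOrRange": "203.0.113.0/24"},
        {"ipAddressOrRange": "10.1.2.0/24"},
        {"ipAddressOrRange": "198.51.100.7/32"},
        {"ipAddressOrRange": "52.0.0.0/8"},
    ],
    "virtualNetworkRules": [
        {"state": "Succeeded", "virtualNetworkResourceId": "<subnet-resource-id>"},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit_rule_set(SAMPLE)))
```

An empty result means the default action is Deny and every IP rule is a public address or range of reasonable size.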

 

 Ireland | Bobby Abuchi