Access to storage accounts with firewall and VNet config should be restricted
HIGH
Ensures storage accounts have firewall rules and VNet restrictions configured to limit network access.
What does this mean?
This recommendation ensures that Azure Storage accounts are not accessible from all networks by default. Firewall rules and virtual network service endpoints or private endpoints should be configured to restrict access.
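As an added example (not part of the original recommendation or of any vendor tooling), the Python check below applies this rule to storage account records shaped like `az storage account list -o json` output. The sample records, account names, and the `evaluate` and `audit` helpers are constructed for illustration, and a missing rule set is assumed to behave like the default action `Allow`.

```python
# Constructed sample records, trimmed to the fields the check reads.
# Field names follow Azure CLI output (networkRuleSet, publicNetworkAccess).
SAMPLE = [
    {"name": "stopenexample", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [],
                        "virtualNetworkRules": []}},
    {"name": "stfirewalledexample", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny",
                        "ipRules": [{"action": "Allow",
                                     "ipAddressOrRange": "203.0.113.0/24"}],
                        "virtualNetworkRules": []}},
    {"name": "stprivateexample", "publicNetworkAccess": "Disabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [],
                        "virtualNetworkRules": []}},
    {"name": "stnorulesexample"},  # no rule set returned at all
]


def evaluate(account):
    """Return (status, reason) for one storage account record."""
    # Public endpoint switched off: only private endpoints can reach the account.
    if account.get("publicNetworkAccess") == "Disabled":
        return "PASS", "public network access disabled"
    rules = account.get("networkRuleSet") or {}
    # Assumption: an absent rule set means the default action, Allow.
    if rules.get("defaultAction", "Allow") != "Deny":
        return "FAIL", "default action Allow: reachable from all networks"
    ips = len(rules.get("ipRules") or [])
    vnets = len(rules.get("virtualNetworkRules") or [])
    return "PASS", f"default Deny, {ips} IP rule(s), {vnets} VNet rule(s)"


def audit(accounts):
    """Map each account name to its (status, reason) result."""
    return {a["name"]: evaluate(a) for a in accounts}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{status}  {name}: {reason}")
```

An account that passes with zero IP and VNet rules is only reachable through private endpoints or trusted-service bypass, which is worth confirming against the integrations listed under the drawbacks.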
Benefits of implementation
- Prevents unauthorized access from unknown networks
- Reduces the attack surface of storage accounts
- Required by multiple compliance frameworks
Drawbacks and considerations
- Requires identifying and whitelisting all legitimate access sources
- May break existing integrations that rely on public access
- CI/CD pipelines and tools may need explicit network rules
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Storage Security
- Azure Resource
- Frameworks: 1 framework
- Last updated: 2026-02-12