Storage accounts should restrict network access using VNet rules
HIGH
Ensures storage accounts restrict network access using virtual network rules instead of allowing all networks.
What does this mean?
This recommendation ensures that Azure Storage accounts use VNet service endpoints or private endpoints to restrict which networks can access the storage account, rather than allowing access from all networks.
Benefits of implementation
- Restricts storage access to known, trusted networks
- Reduces the attack surface of storage accounts
- Supports zero-trust network architecture
Drawbacks and considerations
- All legitimate access sources must be explicitly allowed
- Service endpoints need configuration per subnet
- Some Azure services may need exceptions via trusted service bypass
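The check this recommendation describes can be run offline against the JSON that `az storage account show` (or an ARM export) returns for each account. The script below is an added example, not the page's own code or any vendor tool's: it reads `properties.networkAcls`, `properties.publicNetworkAccess` and `properties.privateEndpointConnections`, the two account documents are constructed with placeholder names and subscription id, and treating a Deny rule set that admits only IP rules as non-compliant is this example's reading of the recommendation rather than something the page states.

```python
import json

# Constructed sample documents in the shape returned by `az storage account show`
# (ARM resource JSON). Names and the subscription id are placeholders, not real resources.
SAMPLE_ACCOUNTS = json.loads(r"""
[
  {"name": "stopenexample",
   "properties": {
     "publicNetworkAccess": "Enabled",
     "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                     "virtualNetworkRules": [], "ipRules": []},
     "privateEndpointConnections": []}},
  {"name": "strestrictedexample",
   "properties": {
     "publicNetworkAccess": "Enabled",
     "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                     "virtualNetworkRules": [
                       {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/snet-app",
                        "action": "Allow", "state": "Succeeded"}],
                     "ipRules": []},
     "privateEndpointConnections": []}}
]
""")


def evaluate_account(account):
    """Evaluate one storage account against this recommendation.

    Returns (compliant, findings). Compliant means the account is not open to all
    networks: public network access is disabled (private endpoints only), or the
    network rule set denies by default and at least one VNet rule or private
    endpoint connection admits a known network.
    """
    props = account.get("properties") or {}
    acls = props.get("networkAcls") or {}
    findings = []

    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        findings.append("public network access disabled; reachable via private endpoints only")
        return True, findings

    default_action = acls.get("defaultAction", "Allow")
    if default_action != "Deny":
        findings.append(f"defaultAction is {default_action!r}: every network can reach the account")
        return False, findings

    vnet_rules = [r for r in (acls.get("virtualNetworkRules") or [])
                  if r.get("action", "Allow") == "Allow"]
    ip_rules = acls.get("ipRules") or []
    private_endpoints = props.get("privateEndpointConnections") or []

    if not vnet_rules and not private_endpoints:
        findings.append("defaultAction is Deny but no VNet rule or private endpoint admits any network"
                        + ("; only IP rules are present" if ip_rules else "; all clients are locked out"))
        return False, findings

    findings.append(f"{len(vnet_rules)} VNet rule(s), {len(private_endpoints)} private endpoint(s) allowed")

    # Trusted-service bypass is the exception mechanism the considerations above mention;
    # report it so a reviewer sees which Azure services skip the rule set.
    bypass = acls.get("bypass", "None")
    if bypass != "None":
        findings.append(f"bypass={bypass!r}: listed Azure services skip the network rules")
    return True, findings


def evaluate_all(accounts):
    """Map account name -> (compliant, findings) for a list of account documents."""
    return {a["name"]: evaluate_account(a) for a in accounts}


if __name__ == "__main__":
    for name, (ok, notes) in evaluate_all(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for note in notes:
            print(f"  - {note}")
```

Run it as a plain script to see the constructed open account fail and the restricted one pass with its bypass noted. On a real account the corresponding remediation is `az storage account update --default-action Deny` followed by `az storage account network-rule add` for each subnet that must keep access, with `--bypass AzureServices` where a trusted service needs the exception.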
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Storage Security
- Azure Resource
- Frameworks: 1 framework
- Last updated: 2026-02-12