You can deny all public access to your storage account and then configure Azure network settings to accept requests from specific IP address ranges. To enable traffic from specific public IP address ranges, create one or more IP network rules. To learn more, see Permit access to IP address ranges.
Create an IP network rule
Go to the storage account for which you want to manage IP network rules.
In the service menu, under Security + networking, select Networking.
To allow traffic from IP address ranges, make sure that Enabled from selected virtual networks and IP addresses is selected.
To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range.
To remove an IP network rule, select the delete icon next to the address range.
Select Save to apply your changes.
Install Azure PowerShell and sign in.
To allow traffic from IP address ranges, use the Update-AzStorageAccountNetworkRuleSet command and set the -DefaultAction parameter to Deny:
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
Important
Network rules have no effect unless you set the -DefaultAction parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
List IP network rules:
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").IPRules
Add a network rule for an individual IP address:
Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
Add a network rule for an IP address range:
Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
Remove a network rule for an individual IP address:
Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
Remove a network rule for an IP address range:
Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
Install the Azure CLI and sign in.
To allow traffic from IP address ranges, use the az storage account update command and set the --default-action parameter to Deny:
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
Important
Network rules have no effect unless you set the --default-action parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
List IP network rules:
az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query ipRules
Add a network rule for an individual IP address:
az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
Add a network rule for an IP address range:
az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
Remove a network rule for an individual IP address:
az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
Remove a network rule for an IP address range:
az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
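The following check is an added example, not part of the original documentation. It audits a storage account's network rule set for the condition the Important note describes (IP rules present while the default action is not Deny) and for very broad ranges. It assumes the JSON shape returned by az storage account show --query networkRuleSet; the sample data, the audit_network_rule_set function and the /16 review threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `az storage account show --query networkRuleSet`.
SAMPLE = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "16.17.18.19"},
    {"action": "Allow", "ipAddressOrRange": "16.17.18.0/24"},
    {"action": "Allow", "ipAddressOrRange": "16.0.0.0/8"}
  ],
  "virtualNetworkRules": []
}
""")

MIN_PREFIX = 16  # assumption: ranges wider than /16 are flagged for review


def audit_network_rule_set(rule_set, min_prefix=MIN_PREFIX):
    """Return a list of (severity, message) findings for one networkRuleSet."""
    findings = []
    ip_rules = rule_set.get("ipRules") or []
    # IP rules are only enforced when the default action is Deny.
    if rule_set.get("defaultAction") != "Deny":
        findings.append(
            ("high", f"defaultAction is not Deny: {len(ip_rules)} IP rule(s) have no effect"))
    for rule in ip_rules:
        value = rule.get("ipAddressOrRange", "")
        try:
            # A bare address parses as a /32 (or /128) network.
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(("medium", f"unparseable IP rule: {value!r}"))
            continue
        if net.prefixlen < min_prefix:
            findings.append(("medium", f"{value} allows {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_network_rule_set(SAMPLE):
        print(f"[{severity}] {message}")
```

To audit a real account, pipe the CLI's JSON output into json.load and pass the result to audit_network_rule_set.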
See also