Skip to content

storage-network-security-ip-address-range.md

Latest commit

 

History

History
121 lines (79 loc) · 5.08 KB

storage-network-security-ip-address-range.md

File metadata and controls

121 lines (79 loc) · 5.08 KB
title Create an IP network rule for Azure Storage
description Learn how to create an IP network rule that enables traffic to an Azure Storage account from IP address ranges.
services storage
author normesta
ms.service azure-storage
ms.subservice storage-common-concepts
ms.topic how-to
ms.date 08/25/2025
ms.author normesta

Create an IP network rule for Azure Storage

You can deny all public access to your storage account and then configure Azure network settings to accept requests from specific IP address ranges. To enable traffic from specific public IP address ranges, create one or more IP network rules. To learn more, see Permit access to IP address ranges.

Create an IP network rule

Portal

  1. Go to the storage account for which you want to manage IP network rules.

  2. In the service menu, under Security + networking, select Networking, and then under Resource settings: Virtual networks, IP addresses, and exceptions, select View.

  3. To grant access to an internet IP range, in the box which contains the placeholder text IPv4 address or CIDR, enter the IP address or address range (in CIDR format).

  4. To remove an IP network rule, select the delete icon (:::image type="icon" source="media/storage-network-security/delete-icon.png":::) next to the address range.

  5. Select Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. To allow traffic from IP address ranges, use the Update-AzStorageAccountNetworkRuleSet command and set the -DefaultAction parameter to Deny:

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny

    [!IMPORTANT] Network rules have no effect unless you set the -DefaultAction parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.

  3. List IP network rules:

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").IPRules

  4. Add a network rule for an individual IP address:

    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"

  5. Add a network rule for an IP address range:

    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"

  6. Remove a network rule for an individual IP address:

    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"

  7. Remove a network rule for an IP address range:

    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"

Azure CLI

  1. Install the Azure CLI and sign in.

  2. To allow traffic from IP address ranges, use the az storage account update command and set the --default-action parameter to Deny:

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny

    [!IMPORTANT] Network rules have no effect unless you set the --default-action parameter to Deny. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.

  3. List IP network rules:

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query ipRules

  4. Add a network rule for an individual IP address:

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"

  5. Add a network rule for an IP address range:

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"

  6. Remove a network rule for an individual IP address:

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"

  7. Remove a network rule for an IP address range:

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"

See also