| title | Set the default public network access rule: Azure Storage |
|---|---|
| description | Configure whether to allow all networks, disable network access, or permit only specific networks to make requests to the storage account's public endpoint. |
| services | storage |
| author | normesta |
| ms.service | azure-storage |
| ms.subservice | storage-common-concepts |
| ms.topic | how-to |
| ms.date | 08/25/2025 |
| ms.author | normesta |
By default, storage accounts accept connections from clients on any network. You can limit access to selected networks or prevent traffic from all networks and permit access only through a private endpoint.

1. Go to the storage account that you want to secure.

2. In the service menu, under **Security + networking**, select **Networking**.

3. Select **Manage**, and then choose the network access that is enabled through the storage account's public endpoint:

   - To allow traffic from all networks, select **Enable**, and then select **Enabled from all networks**.

   - To allow traffic only from specific virtual networks, IP address ranges, or specific Azure resources, select **Enable**, and then select **Enabled from selected networks**. You are prompted to add virtual networks, IP address ranges, or resource instances.

   - To block traffic from all networks, select **Disable**.

   - To secure traffic by using a network security perimeter, select **Secured by perimeter**.

4. Select **Save** to apply your changes.

1. Install Azure PowerShell and sign in.

2. Choose the type of public network access you want to allow:

   - To allow traffic from all networks, use the `Update-AzStorageAccountNetworkRuleSet` command and set the `-DefaultAction` parameter to `Allow`:

     ```powershell
     Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow
     ```

   - To allow traffic only from specific virtual networks, use the `Update-AzStorageAccountNetworkRuleSet` command and set the `-DefaultAction` parameter to `Deny`:

     ```powershell
     Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
     ```

     > [!IMPORTANT]
     > Network rules have no effect unless you set the `-DefaultAction` parameter to `Deny`. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.

   - To block traffic from all networks, use the `Set-AzStorageAccount` command and set the `-PublicNetworkAccess` parameter to `Disabled`. Traffic will be allowed only through a private endpoint. You need to create that private endpoint.

     ```powershell
     Set-AzStorageAccount -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -PublicNetworkAccess Disabled
     ```

1. [!INCLUDE updated-for-az]

2. Choose the type of public network access you want to allow:

   - To allow traffic from all networks, use the `az storage account update` command and set the `--default-action` parameter to `Allow`:

     ```azurecli
     az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
     ```

   - To allow traffic only from specific virtual networks, use the `az storage account update` command and set the `--default-action` parameter to `Deny`:

     ```azurecli
     az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
     ```

     > [!IMPORTANT]
     > Network rules have no effect unless you set the `--default-action` parameter to `Deny`. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.

   - To block traffic from all networks, use the `az storage account update` command and set the `--public-network-access` parameter to `Disabled`. Traffic will be allowed only through a private endpoint. You need to create that private endpoint.

     ```azurecli
     az storage account update --name MyStorageAccount --resource-group MyResourceGroup --public-network-access Disabled
     ```

Note
Firewall settings that restrict access to storage services remain in effect for up to a minute after you save settings that allow access.
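
To confirm which access mode a storage account actually ended up in after the steps above, the following added example (not part of the original article) reads the two settings this page changes and reports the effective mode, including the case the IMPORTANT note describes, where network rules exist but the default action is still `Allow`. The function names, the rule-count query, and treating an empty `publicNetworkAccess` value as enabled are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names are hypothetical.

# classify_access PUBLIC_NETWORK_ACCESS DEFAULT_ACTION RULE_COUNT
# Maps the account's settings to the access modes this page describes.
# Assumption: an empty or "None" publicNetworkAccess is treated like Enabled.
classify_access() {
  local pna="$1" action="$2" rules="${3:-0}"
  case "$pna" in
    Disabled)           echo "blocked: private endpoint only"; return 0 ;;
    SecuredByPerimeter) echo "perimeter: network security perimeter"; return 0 ;;
  esac
  case "$action" in
    Deny)
      if [ "$rules" -gt 0 ]; then
        echo "selected: $rules rule(s) enforced"
      else
        echo "selected: no rules defined"
      fi ;;
    Allow)
      if [ "$rules" -gt 0 ]; then
        echo "open: all networks, $rules rule(s) have no effect"
      else
        echo "open: all networks"
      fi ;;
    *)
      echo "unknown: defaultAction=$action"; return 1 ;;
  esac
}

# audit_account RESOURCE_GROUP ACCOUNT_NAME
# Reads the live settings with the Azure CLI (needs a signed-in session).
audit_account() {
  local rg="$1" name="$2" pna action rules
  pna=$(az storage account show --resource-group "$rg" --name "$name" \
        --query 'publicNetworkAccess' --output tsv)
  action=$(az storage account show --resource-group "$rg" --name "$name" \
        --query 'networkRuleSet.defaultAction' --output tsv)
  # Count IP, virtual network, and resource instance rules; null lists count as 0.
  rules=$(az storage account show --resource-group "$rg" --name "$name" \
        --query 'sum([length(networkRuleSet.ipRules || `[]`), length(networkRuleSet.virtualNetworkRules || `[]`), length(networkRuleSet.resourceAccessRules || `[]`)])' \
        --output tsv)
  classify_access "$pna" "$action" "$rules"
}
```

After signing in, run `audit_account "myresourcegroup" "mystorageaccount"`; a result that starts with `open:` and mentions rules means the rules are configured but not enforced.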