Network misconfigurations

default network access rule for Storage Accounts is not set to deny

Risk Level

Informational (4)



Access to Storage Account can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.
  • Recommended Mitigation

    under Virtual networks settings, ensure 'Allow' is used for 'Selected networks'. add rules to 'allow traffic' from 'specific network'