Microsoft Azure Documentation

Azure Storage Network Security Tutorials

This tutorial series will guide you through configuring and managing network security for your Azure Storage accounts. Enhancing security is crucial for protecting your data from unauthorized access and ensuring compliance.

Section 1: Understanding Azure Storage Networking

Learn the fundamental networking concepts related to Azure Storage, including public endpoints, private endpoints, and service endpoints. We'll cover how these options impact accessibility and security.

Step 1.1: Public vs. Private Endpoints

Explore the differences between accessing storage accounts via public endpoints (accessible from the internet) and private endpoints (accessible only from your virtual network).

  • Public endpoints: Simplified access, requires firewall configuration.
  • Private endpoints: Enhanced security, provides a dedicated IP address within your VNet.

Step 1.2: Service Endpoints

Understand how service endpoints allow you to restrict access to your storage accounts to specific virtual networks, further enhancing security without the need for private IPs.

Section 2: Configuring Network Firewalls and Virtual Networks

This section focuses on practical steps to secure your storage accounts using Azure's built-in networking features.

Step 2.1: Restricting Access with Firewall Rules

Learn how to configure the firewall for your storage account to allow or deny access from specific IP addresses, address ranges, or virtual networks.

Example: Allowing access from a specific IP address range:


az storage account update \
    --name mystorageaccount \
    --resource-group myresourcegroup \
    --set networkAcls.defaultAction=Deny \
    --add networkAcls.bypass=Logging,Metrics,Azure I P \
    --add networkAcls.ipRules='192.168.1.0/24' \
    --add networkAcls.ipRules='10.0.0.0/16'

Step 2.2: Integrating with Virtual Networks

Discover how to use service endpoints to limit access to your storage account from specific subnets within your Azure virtual network.

Section 3: Implementing Private Endpoints

Dive deeper into setting up private endpoints for the most secure and isolated access to your Azure Storage.

Step 3.1: Creating a Private Endpoint

Follow step-by-step instructions to create a private endpoint for your storage account, associating it with a subnet in your virtual network.

Key considerations:

  • VNet and subnet selection
  • Private DNS zone configuration for name resolution

Step 3.2: Testing Private Endpoint Connectivity

Verify that your private endpoint is correctly configured and accessible from resources within your virtual network.

Section 4: Advanced Security Configurations

Explore additional security features and best practices for Azure Storage networking.

Step 4.1: Using Private Link Service

Learn how to securely expose your storage accounts to other Azure customers or internal teams using Azure Private Link Service.

Step 4.2: Network Security Groups (NSGs) and Storage

Understand how Network Security Groups can be used in conjunction with private endpoints to further refine network traffic control.

By completing these tutorials, you will gain a comprehensive understanding of how to secure your Azure Storage accounts against network-based threats.