File: articles/storage/common/storage-network-security-ip-address-range.md (9 additions & 7 deletions)
@@ -1,6 +1,6 @@
1
1
---
2
-
title: Configure Azure Storage to accept requests from IP address ranges
3
-
description: Configure the Azure Storage firewall to accept requests from IP address ranges.
2
+
title: Create an IP network rule for Azure Storage
3
+
description: Learn how to create an IP network rule that enables traffic to an Azure Storage account from IP address ranges.
4
4
services: storage
5
5
author: normesta
6
6
ms.service: azure-storage
@@ -10,11 +10,13 @@ ms.date: 06/18/2025
10
10
ms.author: normesta
11
11
---
12
12
13
-
# Configure the Azure Storage firewall to accept requests from IP address ranges
13
+
# Create an IP network rule for Azure Storage
14
14
15
-
You can deny all public access to your storage account, and then configure Azure network settings to accept requests from specific IP address ranges. To learn more, see [Permit access to IP address ranges](storage-network-security.md#grant-access-from-an-internet-ip-range).
15
+
You can deny all public access to your storage account, and then configure Azure network settings to accept requests from specific IP address ranges. To enable traffic from a specific public IP address ranges, create one or more IP network rules. To learn more, see [Permit access to IP address ranges](storage-network-security.md#grant-access-from-an-internet-ip-range).
16
16
17
-
## [Portal](#tab/azure-portal)
17
+
## Create an IP network rule
18
+
19
+
### [Portal](#tab/azure-portal)
18
20
19
21
1. Go to the storage account for which you want to manage IP network rules.
20
22
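Review bot: The sentence added to the intro paragraph on new line 15 mixes a singular article with a plural noun ("from a specific public IP address ranges") and largely repeats the sentence before it. Suggest "To enable traffic from specific public IP address ranges, create one or more IP network rules." or fold the two sentences into one. The new "## Create an IP network rule" heading with the Portal tab demoted to "###" is fine as long as every tab heading in the group is moved to the same level.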
@@ -28,7 +30,7 @@ You can deny all public access to your storage account, and then configure Azure
28
30
29
31
6. Select **Save** to apply your changes.
30
32
31
-
## [PowerShell](#tab/azure-powershell)
33
+
###[PowerShell](#tab/azure-powershell)
32
34
33
35
1. Install [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps).
34
36
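Review bot: The new tab heading on line 33, "###[PowerShell](#tab/azure-powershell)", has no space after the "###", so it is not a valid Markdown heading and will not be picked up as a tab alongside "### [Portal](#tab/azure-portal)". Change it to "### [PowerShell](#tab/azure-powershell)" and check the remaining tab headings in this file for the same slip.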
@@ -71,7 +73,7 @@ You can deny all public access to your storage account, and then configure Azure
File: articles/storage/common/storage-network-security-virtual-networks.md (21 additions & 9 deletions)
@@ -1,6 +1,6 @@
1
1
---
2
-
title: Configure Azure Storage to accept requests from virtual networks
3
-
description: Learn how to configure Azure Storage to accept requests from virtual networks.
2
+
title: Create a virtual network rule for Azure Storage
3
+
description: Learn how to create a virtual network rule that enables traffic to an Azure Storage account from subnets in an Azure Virtual network.
4
4
services: storage
5
5
author: normesta
6
6
ms.service: azure-storage
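Review bot: In the new description on line 3, "an Azure Virtual network" is capitalized inconsistently; the title on line 2 and the rest of the article write "virtual network" in lowercase. Suggest "from subnets in an Azure virtual network".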
@@ -11,13 +11,15 @@ ms.author: normesta
11
11
12
12
---
13
13
14
-
# Configure Azure Storage to accept requests from virtual networks
14
+
# Create a virtual network rule for Azure Storage
15
15
16
-
You can deny all public access to your storage account, and then configure Azure network settings to accept requests that originate from specific virtual network subnets. To learn more, see [Permit access to virtual network subnets](storage-network-security.md#grant-access-from-a-virtual-network).
16
+
You can deny all public access to your storage account, and then configure Azure network settings to accept requests that originate from specific virtual network subnets. To learn more, see [virtual network subnets](storage-network-security.md#grant-access-from-a-virtual-network).
17
17
18
18
To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets that are being added. A [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) or a user who has permission to the `Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action`[Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftnetwork) can apply a rule by using a custom Azure role.
19
19
20
-
## [Portal](#tab/azure-portal)
20
+
## Create a virtual network rule
21
+
22
+
### [Portal](#tab/azure-portal)
21
23
22
24
> [!NOTE]
23
25
> If you want to enable access from a virtual network in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal doesn't show subnets in other Microsoft Entra tenants.
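Review bot: On new line 16 the link text was shortened to "virtual network subnets", so the sentence now reads "To learn more, see virtual network subnets" and no longer names the section it points to. The matching link in the IP address range article still reads "Permit access to IP address ranges"; suggest keeping "Permit access to virtual network subnets" here for consistency.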
@@ -26,9 +28,19 @@ To apply a virtual network rule to a storage account, the user must have the app
26
28
27
29
2. In the service menu, under **Security + networking**, select **Networking**.
28
30
29
-
3. To allow traffic only from specific virtual networks, make sure that **Enabled from selected virtual networks and IP addresses** is selected.
31
+
3. In the **Firewalls and virtual networks** tab of the network settings page, make sure that **Enabled from selected virtual networks and IP addresses** is selected.
32
+
33
+
4. Under **Virtual networks**, select **Add existing virtual network**.
34
+
35
+
The **Add networks pane** appears.
36
+
37
+
5. From the **Virtual networks** drop-down list, select a virtual network.
38
+
39
+
6. From the **Subnets** drop-down list, select the desired subnets, then select **Add**.
40
+
41
+
6. If you need to create a new virtual network, select **Add new virtual network**. Provide the necessary information to create the new virtual network, and then select **Create**.
30
42
31
-
4. To grant access to a virtual network by using a new network rule, under **Virtual networks**, select **Add existing virtual network**. Select the **Virtual networks** and **Subnets** options, and then select **Add**. To create a new virtual network and grant it access, select **Add new virtual network**. Provide the necessary information to create the new virtual network, and then select **Create**. Currently, only virtual networks that belong to the same Microsoft Entra tenant appear for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or REST API.
43
+
Only virtual networks that belong to the same Microsoft Entra tenant appear for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or REST API.
32
44
33
45
5. To remove a virtual network or subnet rule, select the ellipsis (**...**) to open the context menu for the virtual network or subnet, and then select **Remove**.
34
46
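Review bot: The step numbering in this rewritten procedure is broken: new lines 39 and 41 are both numbered "6.", and the unchanged removal step that follows on line 45 is still "5.", so the list reads 3, 4, 5, 6, 6, 5. Renumber the "Add new virtual network" step to 7 and the removal step to 8. On new line 35, "The **Add networks pane** appears." bolds the word "pane" as if it were part of the UI label; "The **Add networks** pane appears." matches how the other labels are marked.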
@@ -37,7 +49,7 @@ To apply a virtual network rule to a storage account, the user must have the app
37
49
> [!IMPORTANT]
38
50
> If you delete a subnet that's included in a network rule, it will be removed from the network rules for the storage account. If you create a new subnet by the same name, it won't have access to the storage account. To allow access, you must explicitly authorize the new subnet in the network rules for the storage account.
39
51
40
-
## [PowerShell](#tab/azure-powershell)
52
+
###[PowerShell](#tab/azure-powershell)
41
53
42
54
1. Install [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps).
43
55
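Review bot: The new tab heading on line 52, "###[PowerShell](#tab/azure-powershell)", is missing the space after "###", so it will not parse as a heading and the PowerShell tab will not join the group started by "### [Portal](#tab/azure-portal)". Change it to "### [PowerShell](#tab/azure-powershell)".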
@@ -78,7 +90,7 @@ To apply a virtual network rule to a storage account, the user must have the app
File: articles/storage/common/storage-network-security.md (3 additions & 2 deletions)
@@ -34,7 +34,7 @@ The following table describes each type of service endpoint that you can enable
34
34
> [!NOTE]
35
35
> You can associate only one of these endpoint types to a subnet. If one of these endpoints is already associated with the subnet, you'll have to delete that endpoint before adding the other.
36
36
37
-
To learn how to configure a virtual network rule and enable service endpoints, see [Configure Azure Storage to accept requests from virtual networks](storage-network-security-virtual-networks.md).
37
+
To learn how to configure a virtual network rule and enable service endpoints, see [Create a virtual network rule for Azure Storage](storage-network-security-virtual-networks.md).
@@ -51,7 +51,7 @@ When you're planning for disaster recovery during a regional outage, create the
51
51
52
52
For clients and services not located in a virtual network, you can enable traffic by creating *IP network rules*. Each IP network rule can enable traffic from a specific public IP address range. For example, if a client from an on-premises network needs to access storage data, then a rule can include the public IP address of that client. Each storage account supports up to **400** IP network rules.
53
53
54
-
To learn how to create IP network rules, see [Configure the Azure Storage firewall to accept requests from IP address ranges](storage-network-security-ip-address-range.md).
54
+
To learn how to create IP network rules, see [Create an IP network rule for Azure Storage](storage-network-security-ip-address-range.md).
55
55
56
56
If you've enabled a service endpoint for a subnet, then traffic from that subnet won't use a public IP address to communicate with a storage account. Instead, all the traffic uses a private IP address as a source IP. As a result, IP network rules that permit traffic from those subnets no longer have an effect.
57
57
@@ -82,6 +82,7 @@ To learn how to configure a resource instance rule, see [Configure Azure Storage