
Commit c7c6755

Revisions to articles
1 parent 6ee04c7 commit c7c6755


2 files changed

+26
-21
lines changed

articles/storage/common/storage-network-security-set-default-access.md

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ ms.date: 06/18/2025
1010
ms.author: normesta
1111
---
1212

13-
# Set the default public network access rule of an Azure Storage account
13+
# Set the default public network access rule of a Azure Storage account
1414

1515
By default, storage accounts accept connections from clients on any network. You can limit access to selected networks *or* prevent traffic from all networks and permit access only through a [private endpoint](storage-private-endpoints.md).
1616
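Review bot: the rewritten H1 introduces a grammatical error that the removed line did not have: `# Set the default public network access rule of a Azure Storage account` should read `an Azure Storage account`. Revert the article change; nothing else in this hunk differs.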

articles/storage/common/storage-network-security.md

Lines changed: 25 additions & 20 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Azure Storage firewall and virtual network rules
3-
description: Configure layered network security for your storage account by using the Azure Storage firewall.
3+
description: Learn about settings that you can use to secure traffic to the public endpoints of your Azure Storage account.
44
services: storage
55
author: normesta
66
ms.service: azure-storage
@@ -13,16 +13,21 @@ ms.author: normesta
1313

1414
# Azure Storage firewall and virtual network rules
1515

16-
You can disable public network access to your storage account, and permit traffic only if it originates from sources that you specify. Sources can include [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md) subnets, public IP address ranges, specific Azure resource instances or traffic from trusted Azure services. Clients that make requests from allowed sources must also meet the authorization requirements of the storage account. To learn more about account authorization, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).
16+
You can disable public network access to your storage account and permit traffic only if it originates from sources that you specify. Sources can include [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md) subnets, public IP address ranges, specific Azure resource instances, or traffic from trusted Azure services.
17+
18+
> [!NOTE]
19+
> Clients that make requests from allowed sources must also meet the authorization requirements of the storage account. To learn more about account authorization, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).
1720
1821
<a id="grant-access-from-a-virtual-network"></a>
1922
<a id="azure-storage-cross-region-service-endpoints"></a>
2023

21-
## Virtual network subnets
24+
## Virtual network rules
25+
26+
You can enable traffic from subnets in any Azure Virtual Network. The virtual network can be from any subscription within any Microsoft Entra tenant across any Azure region. To enable traffic to a subnet, add a *virtual network rule*. You can add up to 400 of them in a storage account.
2227

23-
You can enable traffic from subnets in any Azure Virtual network in any subscription from any Microsoft Entra tenant in any Azure region. Create a *virtual network rule* for each subnet. Each storage account supports up to **400** virtual network rules.
28+
In the settings of the subnet's virtual network, you must also enable a Virtual Network *service endpoint*. That endpoint is specifically designed to provide secure and direct connectivity to your storage account.
2429

25-
Creating a virtual network rule is only one part of what is required to enable traffic from a virtual network. In the settings of the virtual network, you must enable a Virtual Network *service endpoint* that is specifically designed to provide secure and direct connectivity to your storage account. If you create network rules by using the Azure portal, then these service endpoints are created for you as you choose each target subnet. PowerShell and Azure CLI provide commands that you can run to create them. To learn more about service endpoints, see [Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).
30+
When you create network rules using the Azure portal, these service endpoints are automatically created as you select each target subnet. PowerShell and Azure CLI provide commands that you can run to create them manually. To learn more about service endpoints, see [Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).
2631

2732
The following table describes each type of service endpoint that you can enable for Azure Storage:
2833

@@ -32,49 +37,49 @@ The following table describes each type of service endpoint that you can enable
3237
| Azure Storage cross-region service endpoint | Microsoft.Storage.Global | Provides connectivity to storage accounts in **any region**. |
3338

3439
> [!NOTE]
35-
> You can associate only one of these endpoint types to a subnet. If one of these endpoints is already associated with the subnet, you'll have to delete that endpoint before adding the other.
40+
> You can associate only one of these endpoint types with a subnet. If one of these endpoints is already associated with the subnet, you must delete that endpoint before adding the other.
3641
3742
To learn how to configure a virtual network rule and enable service endpoints, see [Create a virtual network rule for Azure Storage](storage-network-security-virtual-networks.md).
3843

3944
<a id="grant-access-from-an-internet-ip-range"></a>
4045
<a id="managing-ip-network-rules"></a>
4146

42-
### Paired regions
47+
### Access from a paired region
4348

4449
Service endpoints also work between virtual networks and service instances in a [paired region](../../best-practices-availability-paired-regions.md).
4550

46-
Configuring service endpoints between virtual networks and service instances in a [paired region](../../best-practices-availability-paired-regions.md) can be an important part of your disaster recovery plan. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Virtual network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.
51+
Configuring service endpoints between virtual networks and service instances in a [paired region](../../best-practices-availability-paired-regions.md) can be an important part of your disaster recovery plan. Service endpoints enable continuity during a regional failover and provide access to read-only geo-redundant storage (RA-GRS) instances. Virtual network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.
4752

48-
When you're planning for disaster recovery during a regional outage, create the virtual networks in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.
53+
When planning for disaster recovery during a regional outage, create the virtual networks in the paired region in advance. Enable service endpoints for Azure Storage with network rules that grant access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.
4954

50-
## IP address ranges
55+
## IP network rules
5156

52-
For clients and services not located in a virtual network, you can enable traffic by creating *IP network rules*. Each IP network rule can enable traffic from a specific public IP address range. For example, if a client from an on-premises network needs to access storage data, then a rule can include the public IP address of that client. Each storage account supports up to **400** IP network rules.
57+
For clients and services not located in a virtual network, you can enable traffic by creating *IP network rules*. Each IP network rule enables traffic from a specific public IP address range. For example, if a client from an on-premises network needs to access storage data, you can create a rule that includes the public IP address of that client. Each storage account supports up to **400** IP network rules.
5358

5459
To learn how to create IP network rules, see [Create an IP network rule for Azure Storage](storage-network-security-ip-address-range.md).
5560

56-
If you've enabled a service endpoint for a subnet, then traffic from that subnet won't use a public IP address to communicate with a storage account. Instead, all the traffic uses a private IP address as a source IP. As a result, IP network rules that permit traffic from those subnets no longer have an effect.
61+
If you've enabled a service endpoint for a subnet, traffic from that subnet won't use a public IP address to communicate with a storage account. Instead, all traffic uses a private IP address as the source IP. As a result, IP network rules that permit traffic from those subnets no longer have an effect.
5762

5863
> [!IMPORTANT]
5964
> Some restrictions apply to IP address ranges. For a list of restrictions, see [Restrictions for IP network rules](storage-network-security-limitations.md#restrictions-for-ip-network-rules).
6065
6166
<a id="configuring-access-from-on-premises-networks"></a>
6267

63-
### Configuring access from on-premises networks
68+
### Access from an on-premises network
6469

65-
To grant access from your on-premises networks to your storage account by using an IP network rule, you must identify the internet-facing IP addresses that your network uses. Contact your network administrator for help.
70+
You can enable traffic from an on-premises network by using an IP network rule. First, you must identify the internet-facing IP addresses that your network uses. Contact your network administrator for help.
6671

67-
If you're using [Azure ExpressRoute](../../expressroute/expressroute-introduction.md) from your premises, you need to identify the NAT IP addresses used for Microsoft peering. Either the service provider or the customer provides the NAT IP addresses.
72+
If you're using [Azure ExpressRoute](../../expressroute/expressroute-introduction.md) from your premises, you need to identify the NAT IP addresses used for Microsoft peering. The service provider or the customer provides the NAT IP addresses.
6873

6974
To allow access to your service resources, you must allow these public IP addresses in the firewall setting for resource IPs.
7075

7176
<a id="grant-access-from-azure-resource-instances"></a>
7277

73-
## Azure resource instances
78+
## Azure resource instance rules
7479

75-
Some Azure resources can't be isolated through a virtual network or IP address rule. You can enable traffic from those resources by creating a *resource instance network rule*. The Azure role assignments of the resource instance determine the types of operations that a resource instance can perform on storage account data. Resource instances must be from the same tenant as your storage account, but they can belong to any subscription in the tenant.
80+
Some Azure resources can't be isolated through a virtual network or IP address rule. You can enable traffic from those resources by creating a *resource instance network rule*. The Azure role assignments of the resource instance determine the types of operations that the resource instance can perform on storage account data. Resource instances must be from the same tenant as your storage account, but they can belong to any subscription in the tenant.
7681

77-
To learn how to configure a resource instance rule, see [Create an resource instance network rule for Azure Storage](storage-network-security-resource-instances.md).
82+
To learn how to configure a resource instance rule, see [Create a resource instance network rule for Azure Storage](storage-network-security-resource-instances.md).
7883

7984
<a id="grant-access-to-trusted-azure-services"></a>
8085
<a id="manage-exceptions"></a>
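Review bot: the anchors `<a id="grant-access-from-an-internet-ip-range"></a>` and `<a id="managing-ip-network-rules"></a>` sit directly above the renamed `### Access from a paired region` heading, which is still service-endpoint content, so deep links to those ids land on the wrong section. Since this hunk renames `## IP address ranges` to `## IP network rules`, move the two anchors so they sit immediately above that heading instead. The heading renames to "### Access from a paired region" and "### Access from an on-premises network" are otherwise consistent with the new "rules" section titles. Unchanged context line "To allow access to your service resources, you must allow these public IP addresses in the firewall setting for resource IPs." is still awkward and could be tightened to "Add these public IP addresses to an IP network rule." while the section is being revised.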
@@ -84,9 +89,9 @@ To learn how to configure a resource instance rule, see [Create an resource inst
8489
<a id="trusted-access-based-on-a-managed-identity"></a>
8590
<a id="trusted-access-for-resources-registered-in-your-microsoft-entra-tenant"></a>
8691

87-
## Trusted Azure services
92+
## Exceptions for trusted Azure services
8893

89-
If you need to enable traffic from an Azure service outside of the network boundary, you can add a *network security exception*. This can be useful in cases where an Azure service operates from a network that you can't include in your virtual network or IP network rules. For example, some services might need to read resource logs and metrics in your account. You can allow read access for the log files, metrics tables, or both by creating a network rule exception. These services connect to your storage account by using strong authentication.
94+
If you need to enable traffic from an Azure service outside of the network boundary, you can add a *network security exception*. This can be useful when an Azure service operates from a network that you can't include in your virtual network or IP network rules. For example, some services might need to read resource logs and metrics in your account. You can allow read access for the log files, metrics tables, or both by creating a network rule exception. These services connect to your storage account using strong authentication.
9095

9196
To learn more about how to add a network security exception, see [Manage network security exceptions](storage-network-security-manage-exceptions.md).
9297
