Merge pull request #301546 from normesta/network-content-improvement

Network Security Content Overhaul

Author: JamesJBarnett

articles/api-management/api-management-howto-use-managed-service-identity.md

@@ -317,7 +317,7 @@ API Management is a trusted Microsoft service to the following resources. This t
 
 
 - [Trusted access for Key Vault](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
-- [Trusted access for Azure Storage](../storage/common/storage-network-security.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
+- [Trusted access for Azure Storage](../storage/common/storage-network-security-trusted-azure-services.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
 - [Trusted access for Azure Services Bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)
 - [Trusted access for Azure Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)
 

articles/azure-functions/functions-infrastructure-as-code.md

@@ -2020,7 +2020,7 @@ You might also need to use these settings when your function app has network res
 ::: zone pivot="flex-consumption-plan,premium-plan,dedicated-plan" 
 ### Considerations for network restrictions
 
-When you're restricting access to the storage account through the private endpoints, you aren't able to access the storage account through the portal or any device outside the virtual network. You can give access to your secured IP address or virtual network in the storage account by [Managing the default network access rule](../storage/common/storage-network-security.md#change-the-default-network-access-rule).
+When you're restricting access to the storage account through the private endpoints, you aren't able to access the storage account through the portal or any device outside the virtual network. You can give access to your secured IP address or virtual network in the storage account by [Managing the default network access rule](../storage/common/storage-network-security-set-default-access.md).
 ::: zone-end
 ## Function access keys
 

articles/cost-management-billing/costs/tutorial-improved-exports.md

@@ -155,7 +155,7 @@ A system-assigned managed identity is created for a new job export when created
 > - When a user updates destination details or deletes an export, the *StorageBlobDataContributor* role assigned to the managed identity is automatically removed. To enable the system to remove the role assignment, the user must have `microsoft.Authorization/roleAssignments/delete` permissions. If the permissions aren't available, the user needs to manually remove the role assignment on the managed identity.
 > - Currently, firewalls are supported for storage accounts in the same tenant. However, firewalls on storage accounts aren't supported for cross-tenant exports.
 
-Add exports to the list of trusted services. For more information, see [Trusted access based on a managed identity](../../storage/common/storage-network-security.md#trusted-access-based-on-a-managed-identity).
+Add exports to the list of trusted services. For more information, see [Trusted access based on a managed identity](../../storage/common/storage-network-security-trusted-azure-services.md#trusted-access-based-on-a-managed-identity).
 
 ## Manage exports
 

articles/data-factory/data-access-strategies.md

@@ -95,5 +95,5 @@ For more information about supported network security mechanisms on data stores
 For more information, see the following related articles:
 * [Supported data stores](./copy-activity-overview.md#supported-data-stores-and-formats)
 * [Azure Key Vault ‘Trusted Services’](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
-* [Azure Storage ‘Trusted Microsoft Services’](../storage/common/storage-network-security.md#trusted-microsoft-services)
+* [Azure Storage ‘Trusted Microsoft Services’](../storage/common/storage-network-security-trusted-azure-services.md#trusted-microsoft-services)
 * [Managed identity for Data Factory](./data-factory-service-identity.md)

articles/data-share/security.md

@@ -26,7 +26,7 @@ Once a share is created or received, users with proper permission to the Data Sh
 
 ## Share data from or to data stores with firewall enabled
 
-To share data from or to storage accounts with firewall turned on, you need to enable **Allow trusted Microsoft services** in your storage account. See [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md#trusted-microsoft-services) for details.
+To share data from or to storage accounts with firewall turned on, you need to enable **Allow trusted Microsoft services** in your storage account. See [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security-trusted-azure-services.md#trusted-microsoft-services) for details.
 
 ## Related content
 

articles/remote-rendering/how-tos/create-an-account.md

@@ -74,7 +74,7 @@ The value for **`arrAccountKey`** can either be primary or secondary key.
 
 This paragraph explains how to link storage accounts to your Remote Rendering account. With a linked account, it isn't necessary anymore to generate a SAS URI every time you want to interact with the data in your account. Instead, you can use the storage account names directly as described in the [loading a model section](../concepts/models.md#loading-models).
 
-Another advantage of this approach is that the storage access level can be limited to private endpoints as described in the [Azure documentation how to configure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md#change-the-default-network-access-rule). Loading from blob storage through a SAS token on the other hand only works if the blob storage has been configured with the "Enabled from all networks" option.
+Another advantage of this approach is that the storage access level can be limited to private endpoints as described in the [Azure documentation how to configure Storage firewalls and virtual networks](../../storage/common/storage-network-security-set-default-access.md). Loading from blob storage through a SAS token on the other hand only works if the blob storage has been configured with the "Enabled from all networks" option.
 
 The steps in this paragraph have to be performed for each storage account that should use this access method. If you haven't created storage accounts yet, you can walk through the respective step in the [convert a model for rendering quickstart](../quickstarts/convert-model.md#storage-account-creation).
 

articles/remote-rendering/resources/troubleshoot.md

@@ -26,7 +26,7 @@ Sometimes during [linking of a storage account](../how-tos/create-an-account.md#
 
 ## Cannot load model through a SAS token
 
-If the client application fails to load a model from storage through a valid SAS-token, it might be caused by the [public network access level](../../storage/common/storage-network-security.md#change-the-default-network-access-rule) configured on the blob storage. Loading an ARR model from SAS token only works if it has been configured with the "Enabled from all networks" option:
+If the client application fails to load a model from storage through a valid SAS-token, it might be caused by the [public network access level](../../storage/common/storage-network-security-set-default-access.md) configured on the blob storage. Loading an ARR model from SAS token only works if it has been configured with the "Enabled from all networks" option:
 ![Screenshot of Azure portal settings for public network access level on blob storage.](./media/portal-blob-access-restrictions.png)
 
 If limiting to private endpoints is a requirement, the [storage account must be linked](../how-tos/create-an-account.md#link-storage-accounts) and the model must be loaded through the non-SAS code path as [described here](../tutorials/unity/security/security.md#securing-your-content-in-azure-blob-storage).

articles/storage/blobs/TOC.yml

@@ -301,28 +301,50 @@ items:
         href: storage-encrypt-decrypt-blobs-key-vault.md
     - name: Networking
       items:
-      - name: Require secure transfer
-        href: ../common/storage-require-secure-transfer.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
-      - name: Configure firewalls and virtual networks
-        href: ../common/storage-network-security.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
-      - name: Use Azure Private Endpoints
+      - name: Network security
+        href: ../common/storage-network-security-overview.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+      - name: Private endpoints
         href: ../common/storage-private-endpoints.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
-      - name: Restrict scope of copy operations
-        href: ../common/security-restrict-copy-operations.md?toc=/azure/storage/blobs/toc.json
-      - name: Manage Transport Layer Security (TLS)
+      - name: Public endpoint
+        items:
+        - name: Default access level
+          href: ../common/storage-network-security-set-default-access.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+        - name: Firewall rules
+          items:
+          - name: Firewall rules
+            href: ../common/storage-network-security.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+          - name: Guidelines and limitations
+            href: ../common/storage-network-security-limitations.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+          - name: Virtual network rules
+            href: ../common/storage-network-security-virtual-networks.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+          - name: IP network rules
+            href: ../common/storage-network-security-ip-address-range.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+          - name: Resource instance rules
+            href: ../common/storage-network-security-resource-instances.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+          - name: Network rule exceptions
+            href: ../common/storage-network-security-manage-exceptions.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+          - name: Trusted Azure services
+            href: ../common/storage-network-security-trusted-azure-services.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+        - name: Network security perimeter
+          href: ../common/storage-network-security-perimeter.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+      - name: Transport Layer Security
         items:
-        - name: Enforce minimum TLS version for incoming requests
+        - name: Require secure transfer
+          href: ../common/storage-require-secure-transfer.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
+        - name: Enforce minimum TLS version
           href: ../common/transport-layer-security-configure-minimum-version.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
-        - name: Configure TLS version for a client application
+        - name: Configure TLS version for a client
           href: ../common/transport-layer-security-configure-client-version.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
         - name: Migrate to TLS 1.2
           href: ../common/transport-layer-security-configure-migrate-to-TLS2.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
-      - name: Network routing preference
+      - name: Network routing
         href: ../common/network-routing-preference.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json
         items:
         - name: Configure network routing preference
           href: ../common/configure-network-routing-preference.md?toc=/azure/storage/blobs/toc.json
-      - name: Use a custom domain
+      - name: Copy operation scopes
+        href: ../common/security-restrict-copy-operations.md?toc=/azure/storage/blobs/toc.json
+      - name: Custom domains
         href: storage-custom-domain-name.md
     - name: Authorization
       items:

articles/storage/common/storage-network-security-ip-address-range.md

@@ -0,0 +1,123 @@
+---
+title: Create an IP network rule for Azure Storage
+description: Learn how to create an IP network rule that enables traffic to an Azure Storage account from IP address ranges.
+services: storage
+author: normesta
+ms.service: azure-storage
+ms.subservice: storage-common-concepts
+ms.topic: how-to
+ms.date: 06/18/2025
+ms.author: normesta
+---
+
+# Create an IP network rule for Azure Storage
+
+You can deny all public access to your storage account and then configure Azure network settings to accept requests from specific IP address ranges. To enable traffic from specific public IP address ranges, create one or more IP network rules. To learn more, see [Permit access to IP address ranges](storage-network-security.md#grant-access-from-an-internet-ip-range).
+
+## Create an IP network rule
+
+### [Portal](#tab/azure-portal)
+
+1. Go to the storage account for which you want to manage IP network rules.
+
+2. In the service menu, under **Security + networking**, select **Networking**.
+
+3. To allow traffic from IP address ranges, make sure that **Enabled from selected virtual networks and IP addresses** is selected.
+
+4. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under **Firewall** > **Address Range**.
+
+5. To remove an IP network rule, select the delete icon (:::image type="icon" source="media/storage-network-security/delete-icon.png":::) next to the address range.
+
+6. Select **Save** to apply your changes.
+
+### [PowerShell](#tab/azure-powershell)
+
+1. Install [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps).
+
+2. To allow traffic from IP address ranges, use the `Update-AzStorageAccountNetworkRuleSet` command and set the `-DefaultAction` parameter to `Deny`:
+
+   ```powershell
+   Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
+   ```
+
+   > [!IMPORTANT]
+   > Network rules have no effect unless you set the `-DefaultAction` parameter to `Deny`. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
+
+3. List IP network rules:
+
+    ```powershell
+    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").IPRules
+    ```
+
+4. Add a network rule for an individual IP address:
+
+    ```powershell
+    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
+    ```
+
+5. Add a network rule for an IP address range:
+
+    ```powershell
+    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
+    ```
+
+6. Remove a network rule for an individual IP address:
+
+    ```powershell
+    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
+    ```
+
+7. Remove a network rule for an IP address range:
+
+    ```powershell
+    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
+    ```
+
+### [Azure CLI](#tab/azure-cli)
+
+1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli).
+
+2. To allow traffic from IP address ranges, use the `az storage account update` command and set the `--default-action` parameter to `Deny`:
+
+   ```azurecli
+   az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
+   ```
+
+   > [!IMPORTANT]
+   > Network rules have no effect unless you set the `--default-action` parameter to `Deny`. However, changing this setting can affect your application's ability to connect to Azure Storage. Be sure to grant access to any allowed networks or set up access through a private endpoint before you change this setting.
+
+3. List IP network rules:
+
+    ```azurecli
+    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query ipRules
+    ```
+
+4. Add a network rule for an individual IP address:
+
+    ```azurecli
+    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
+    ```
+
+5. Add a network rule for an IP address range:
+
+    ```azurecli
+    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
+    ```
+
+6. Remove a network rule for an individual IP address:
+
+    ```azurecli
+    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
+    ```
+
+7. Remove a network rule for an IP address range:
+
+    ```azurecli
+    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
+    ```
+
+---
+
+## See also
+
+- [Azure Storage firewall and virtual network rules](storage-network-security.md)