Azure default network access for Storage Account is allowed

ID

azure_default_network_access

Severity

low

Vendor

Azure

Resource

Network

Tags

reachable

Description

Azure default network access for Storage Account is allowed. By default, a Storage Account accepts traffic from all networks, so it is reachable from any IP address. To restrict access, set the network_acls.default_action property to Deny and explicitly allow only the required virtual network subnets and IP ranges.

Learn more about this topic at Azure Storage Account ACLs default action

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: configure firewall and virtual networks
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: clh0002
        type: Standard_RAGRS
        network_acls:
          bypass: AzureServices,Metrics
          default_action: Allow   # insecure: traffic not matched by any rule is still allowed
          ip_rules:
            - value: 1.2.3.4
              action: Allow       # Azure IP rules only accept Allow; the rules cannot deny anything
            - value: 123.234.123.0/24
              action: Allow

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: configure firewall and virtual networks
      azure_rm_storageaccount:
        resource_group: myResourceGroup
        name: clh0002
        type: Standard_RAGRS
        network_acls:
          bypass: AzureServices,Metrics
          default_action: Deny    # everything not matched by a rule below is blocked
          virtual_network_rules:
            - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
              action: Allow
          ip_rules:
            - value: 1.2.3.4
              action: Allow
            - value: 123.234.123.0/24
              action: Allow
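The following is an added example, not part of this rule page or of the Ansible module: a small check that walks an already-parsed playbook (the structure yaml.safe_load returns) and flags every azure_rm_storageaccount task whose network_acls.default_action is not Deny. It also treats a missing network_acls block as a finding, because Azure then applies its default of allowing all networks. The playbook data, account names and the subnet id are constructed placeholders.

```python
"""Flag azure_rm_storageaccount tasks whose network ACL leaves the
default action at Allow, or omits network_acls (Azure then allows all)."""

# Constructed playbook, as yaml.safe_load would return it; resource group,
# account names and the subnet id are placeholders, not real resources.
PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [
        {"name": "open to all networks",
         "azure_rm_storageaccount": {
             "resource_group": "myResourceGroup", "name": "clh0002",
             "network_acls": {"bypass": "AzureServices,Metrics",
                              "default_action": "Allow"}}},
        {"name": "network_acls omitted entirely",
         "azure_rm_storageaccount": {
             "resource_group": "myResourceGroup", "name": "clh0003"}},
        {"name": "deny by default, allow one subnet",
         "azure.azcollection.azure_rm_storageaccount": {
             "resource_group": "myResourceGroup", "name": "clh0004",
             "network_acls": {
                 "default_action": "Deny",
                 "virtual_network_rules": [
                     {"id": "<subnet-resource-id placeholder>",
                      "action": "Allow"}]}}},
    ],
}]

# Short and fully-qualified collection names of the module.
MODULE_NAMES = {"azure_rm_storageaccount",
                "azure.azcollection.azure_rm_storageaccount"}


def find_default_allow(playbook):
    """Return (task name, account name, effective default_action) for every
    storage account task that does not set default_action to Deny."""
    findings = []
    for play in playbook:
        for task in play.get("tasks", []):
            for key, params in task.items():
                if key not in MODULE_NAMES or not isinstance(params, dict):
                    continue
                acls = params.get("network_acls") or {}
                # A missing key means the Azure default: Allow from all networks.
                action = str(acls.get("default_action", "Allow"))
                if action.lower() != "deny":
                    findings.append((task.get("name", "<unnamed>"),
                                     params.get("name"), action))
    return findings
```

Run find_default_allow on the parsed playbook in a pre-commit hook or CI job; the two accounts that are open by default are reported, while the Deny-by-default account with an explicit subnet rule passes.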