Severity: HIGH
Source: Trivy
ID: AVD-AZU-0010

Trusted Microsoft Services should have bypass access to Storage accounts

Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules.

To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules.

Impact

Trusted Microsoft services won't be able to access the storage account unless the network rules are set to allow them.

Follow the appropriate remediation steps below to resolve the issue.

Allow Trusted Microsoft Services to bypass

resource "azurerm_storage_account" "good_example" {
  name                = "storageaccountname"
  resource_group_name = azurerm_resource_group.example.name

  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    # "AzureServices" lets trusted Microsoft services through the Deny rule
    bypass                     = ["Metrics", "AzureServices"]
  }

  tags = {
    environment = "staging"
  }
}

# The same setting on a standalone network-rules resource
resource "azurerm_storage_account_network_rules" "test" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name

  default_action             = "Allow"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.test.id]
  bypass                     = ["Metrics", "AzureServices"]
}
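A way to catch this finding in Terraform before it reaches a pipeline, as an added example that is not Trivy's own check logic: the script parses the small HCL subset used in the remediation (resource blocks, nested blocks, map attributes, strings, lists and bare references) and reports every network rule set, whether the inline network_rules block or the separate azurerm_storage_account_network_rules resource, whose bypass list omits AzureServices. Two assumptions are labelled in the code: a rule set that omits the bypass attribute altogether is not judged (the provider/API default then applies), and the sample configuration is constructed for the demonstration, not taken from a real deployment.

```python
"""Flag Terraform storage-account network rules that do not bypass trusted Microsoft
services (the condition behind AVD-AZU-0010). Added example, not Trivy's own check.
Parses only the HCL subset used in the remediation above: resource and nested blocks,
map attributes (key = { ... }), quoted strings, lists and bare references. Full-line
"#" comments are skipped; inline comments and heredocs are not supported."""
import re

BLOCK_RE = re.compile(r'^(\w+)((?:\s+"[^"]*")*)\s*\{$')  # resource "a" "b" {  or  network_rules {
MAP_RE = re.compile(r'^(\w+)\s*=\s*\{$')                 # tags = {
ATTR_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')              # key = value

def _parse_value(raw):
    """Right-hand side of an attribute -> str, list, or a reference kept verbatim."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [_parse_value(i) for i in raw[1:-1].split(",") if i.strip()]
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw  # e.g. azurerm_subnet.example.id

def parse_hcl(text):
    """Return the top-level blocks as dicts with keys type, labels, attrs, blocks."""
    root = {"type": "root", "labels": [], "attrs": {}, "blocks": []}
    stack = [root]
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif m := BLOCK_RE.match(line):
            block = {"type": m.group(1), "labels": re.findall(r'"([^"]*)"', m.group(2)),
                     "attrs": {}, "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        elif m := MAP_RE.match(line):  # map attribute: stored in attrs, parsed like a block
            frame = {"type": "map", "labels": [], "attrs": {}, "blocks": []}
            stack[-1]["attrs"][m.group(1)] = frame["attrs"]
            stack.append(frame)
        elif m := ATTR_RE.match(line):
            stack[-1]["attrs"][m.group(1)] = _parse_value(m.group(2))
        else:
            raise ValueError(f"line {lineno}: unsupported syntax: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root["blocks"]

def _network_rule_sets(blocks):
    """Yield (address, attrs) for both places Terraform lets the rules be declared."""
    for b in blocks:
        if b["type"] != "resource" or len(b["labels"]) < 2:
            continue
        rtype, rname = b["labels"][:2]
        if rtype == "azurerm_storage_account":
            for nested in b["blocks"]:
                if nested["type"] == "network_rules":
                    yield f"{rtype}.{rname}.network_rules", nested["attrs"]
        elif rtype == "azurerm_storage_account_network_rules":
            yield f"{rtype}.{rname}", b["attrs"]

def check_trusted_services_bypass(blocks):
    """Report every declared bypass list that leaves out "AzureServices". Simplification
    chosen here (assumption): a rule set with no bypass attribute is not judged."""
    findings = []
    for address, attrs in _network_rule_sets(blocks):
        bypass = attrs.get("bypass")
        if bypass is None:
            continue
        bypass = bypass if isinstance(bypass, list) else [bypass]
        if "AzureServices" not in bypass:
            findings.append({"address": address, "bypass": bypass,
                             "default_action": attrs.get("default_action")})
    return findings

# Constructed sample: a compliant account, an inline block that omits AzureServices,
# and a standalone rules resource that turns bypass off with "None".
SAMPLE_TF = '''
resource "azurerm_storage_account" "good_example" {
  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = ["Metrics", "AzureServices"]
  }
  tags = {
    environment = "staging"
  }
}
resource "azurerm_storage_account" "bad_example" {
  network_rules {
    default_action = "Deny"
    bypass         = ["Metrics"]
  }
}
resource "azurerm_storage_account_network_rules" "bad_rules" {
  storage_account_name = azurerm_storage_account.bad_example.name
  default_action       = "Deny"
  bypass               = ["None"]
}
'''

if __name__ == "__main__":
    for f in check_trusted_services_bypass(parse_hcl(SAMPLE_TF)):
        print(f"AVD-AZU-0010 {f['address']}: bypass={f['bypass']} default_action={f['default_action']}")
```

Each finding carries the rule set's default_action on purpose: the bypass list only takes effect when the default action is Deny, so a rule set with default_action = "Allow" and no AzureServices entry is not blocking Microsoft services today but will start doing so the moment the action is tightened, which is exactly when the missing bypass is hardest to notice.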