Trusted Microsoft Services should have bypass access to Storage accounts
Some Microsoft services that interact with storage accounts operate from networks that can’t be granted access through network rules.
To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules
Impact
Trusted Microsoft Services won’t be able to access storage account unless rules set to allow
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Allow Trusted Microsoft Services to bypass
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
resource "azurerm_storage_account" "good_example" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
ip_rules = ["100.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
bypass = ["Metrics", "AzureServices"]
}
tags = {
environment = "staging"
}
}
resource "azurerm_storage_account_network_rules" "test" {
resource_group_name = azurerm_resource_group.test.name
storage_account_name = azurerm_storage_account.test.name
default_action = "Allow"
ip_rules = ["127.0.0.1"]
virtual_network_subnet_ids = [azurerm_subnet.test.id]
bypass = ["Metrics", "AzureServices"]
}
|
Links