Menu
I have the following ARM template to generate an storage account and add existing virtual networks:
{
"name": "test0deep0123",
"type": "Microsoft.Storage/storageAccounts",
"location": "West Europe",
"apiVersion": "2018-11-01",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"firewallState": "Enabled",
"virtualNetworkRules": [
{
"properties": {
"subnetId": "subnetid"
},
"name": "name"
},
{
"properties": {
"subnetId": "subnetId"
},
"name": "name"
},
{
"properties": {
"subnetId": "subnetid"
},
"name": "name"
},
{
"properties": {
"subnetId": "subnetid"
},
"name": "name"
},
{
"properties": {
"subnetId": "subnetid"
},
"name": "name"
},
{
"properties": {
"subnetId": subnetid"
},
"name": "name"
},
{
"properties": {
"subnetId": "subnetid"
},
"name": "name"
}
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
{
"id": "id",
"action": "Allow",
"state": "succeeded"
},
{
"id": "id",
"action": "Allow",
"state": "succeeded"
}
],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": false,
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Hot"
}
}
I can successfully deploy this template in the resource group but after controlling “Firewall and virtual networks” I see, that allows access from is set to all networks, although under the selected networks I can see added Virtual Networks
what should I do have "selected networks" checked?
963
The problem is that if you set the virtualNetworkRules to allow then the defaultAction need to set to Deny, so you will whitelist the selected virtual networks in the firewall of the storage account.
In this case, you could select your existing virtual network (which enable the storage account service endpoint) ID to the paragraph networkAcls and change the "defaultAction": "Deny". Also, virtualNetworkRules belongs to thenetworkAcls not the properties of the storage account.
This following template could work on my side.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualNetworks_vnet1": {
"defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/vnet",
"type": "string"
},
"virtualNetworks_vnet2": {
"defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/mytestvnet1",
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2018-11-01",
"name": "test0deep01234",
"location": "Central US",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
{
"id": "[concat(parameters('virtualNetworks_vnet1'), '/subnets/default')]",
"action": "Allow"
},
{
"id": "[concat(parameters('virtualNetworks_vnet2'), '/subnets/default')]",
"action": "Allow"
}
],
"ipRules": [],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": false,
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Hot"
}
}
]
}
Ref: Microsoft.Storage storageAccounts template reference
80
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
