What's the effect of ipRules [] ?

Mahdi 125 Reputation points
2024-07-07T03:09:51.5633333+00:00

Hi,

Can someone please explain ipRules [] in ARM templates? Unfortunately the documentation is vague about it. I get it that it sets the IP ACL rules, but can you please provide an example? Can it include only allowed CIDRs or can it deny CIDRs too? Also, what's the effect of []? Everything is allowed or denied?


Accepted answer
  1. Andreas Baumgarten 108.8K Reputation points MVP
    2024-07-07T05:26:59.96+00:00

    Hi @Mahdi Azarboon ,

    it seems only allowed CIDRs are working in the ipRules. The format looks like this:

            "networkAcls": {
                "ipRules": [
                    {
                        "value": "49.16.71.33",
                        "action": "Allow"
                    },
                    {
                        "value": "49.16.71.89",
                        "action": "Allow"
                    }
                ],
                "defaultAction": "Deny"
            },
    

    This defines that 2 CIDRs are allowed, and if the IP isn't in the list the access is denied.

    This example with [] allows public network access from any IP:

                "ipRules": [],
                "defaultAction": "Allow"
    
    

    And this one blocks all public network access because ipRules is empty ("ipRules": []) and "defaultAction": "Deny":

                "ipRules": [],
                "defaultAction": "Deny"
    
    

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

    1 person found this answer helpful.
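Added example, not part of either answer or of Microsoft's documentation: a small Python check that evaluates the `ipRules` / `defaultAction` pair as the accepted answer describes it and classifies each storage account in a template. The template is constructed sample data, the function names are hypothetical, and virtual network rules and other access paths are not modelled.

```python
import ipaddress

# Added illustration: function names are hypothetical, sample data is constructed.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "allowlisted",
         "properties": {"networkAcls": {
             "ipRules": [{"value": "49.16.71.33", "action": "Allow"},
                         {"value": "49.16.71.89", "action": "Allow"}],
             "defaultAction": "Deny"}}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "open",
         "properties": {"networkAcls": {"ipRules": [], "defaultAction": "Allow"}}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "closed",
         "properties": {"networkAcls": {"ipRules": [], "defaultAction": "Deny"}}},
    ]
}


def ip_allowed(network_acls, source_ip):
    """Return True if source_ip passes the ipRules/defaultAction pair."""
    addr = ipaddress.ip_address(source_ip)
    for rule in network_acls.get("ipRules", []):
        # Each value is a single IP or a CIDR range; rules only allow.
        net = ipaddress.ip_network(rule["value"], strict=False)
        if rule.get("action", "Allow") == "Allow" and addr in net:
            return True
    # No rule matched, so the default action decides.
    return network_acls["defaultAction"] == "Allow"


def classify(network_acls):
    """Summarise the public-IP exposure of one networkAcls block."""
    if network_acls["defaultAction"] == "Allow":
        return "open to any IP"
    if not network_acls.get("ipRules"):
        return "no public IP allowed"
    return "allow-list only"


def audit(template):
    """Map each storage account name in the template to its exposure."""
    return {
        res["name"]: classify(res["properties"]["networkAcls"])
        for res in template.get("resources", [])
        if res.get("type") == "Microsoft.Storage/storageAccounts"
    }
```

Running `audit()` over templates before deployment flags any account whose `defaultAction` is `Allow`, the case where the contents of `ipRules` no longer restrict anything.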

1 additional answer

  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-07-07T05:11:17.4266667+00:00

    Hi Mahdi Azarboon - Thanks for reaching out.

    In storage, you can control the access on the network part as well, to be limited to certain IPs or virtual networks, and that's where you can configure the IP rules.

    You can specify public IPs, CIDR ranges and also VNETs that you want to allow access to, and it will ensure that access is only allowed to the calls being made from these IPs (authorize) while limiting the access for any other (Deny).

    You can start with below link to gain more detailed insights on this as well:

    https://video2.skills-academy.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

    Hope that helps!


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
