Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0059

A storage firewall set to default Allow leaves every network path to the account open

A storage account whose networkAcls.defaultAction is Allow accepts traffic from every network. The firewall exists, the rule list looks reassuring, and none of it filters anything.

Footgun ID
AZF-0059 (Azure Footgun No. 59)
Azure service
Azure Storage
Resource type
Microsoft.Storage/storageAccounts
Updated
July 9, 2026

What it is

A storage account whose networkAcls.defaultAction is set to Allow instead of Deny. The default action decides what happens to traffic that doesn't match your explicit IP and virtual-network rules, so with it set to Allow the account accepts connections from every network, and the allow-list entries you configured stop doing anything.

Impact (security)
Account reachable from every network; the configured IP and VNet rules gate nothing
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

A storage firewall only works one way: deny everything by default, then allow specific IP ranges and subnets. With defaultAction set to Allow, the logic inverts — everything is already permitted, so the allow-list is redundant by definition.

Azure makes this the easy state to end up in. Creating a storage account in the portal with the default networking choice ("Enable public access from all networks") produces exactly this configuration, so an account created down the default path is born with a firewall whose default action is Allow. And when someone debugging a connectivity failure flips an existing firewall from Deny to Allow to "just make it work," nothing errors, nothing nags, and the change quietly survives.

This is a different switch from publicNetworkAccess (see AZF-0025). That property decides whether the account's endpoints are reachable off private networks at all; this one decides whether the firewall that guards the public path actually filters anything. An account can pass a "public access is intentional" review and still be wide open because the firewall behind it defaults to Allow.

What it costs / blast radius

The firewall becomes decorative. (Azure behavior; authored assessment.) Every blob, file share, queue, and table in the account is reachable from any network, gated only by authentication — keys, SAS tokens, and identity. The dangerous part is how it reads in a review: the IP rules and VNet rules are still sitting in the configuration, so the account looks locked down to anyone who checks "are there network rules?" without checking what the default action does with everything else.

See it

Footgun: defaultAction Allow means the rule list below filters nothing
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata002'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Allow'      // every network gets through; the rules are moot
      bypass: 'AzureServices'
      ipRules: [ { value: '203.0.113.10' } ]
      virtualNetworkRules: [ { id: appSubnet.id } ]
    }
  }
}
Fix: default to Deny so only the allow-listed networks reach the account
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata002'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'       // deny by default; the rules now actually gate traffic
      bypass: 'AzureServices'
      ipRules: [ { value: '203.0.113.10' } ]
      virtualNetworkRules: [ { id: appSubnet.id } ]
    }
  }
}

How StratoLens helps

StratoLens flags storage accounts whose firewall default action is Allow automatically, continuously, across every subscription in your tenant — including the ones that drifted from Deny to Allow during an incident and never got flipped back. The account that looks firewalled but isn't gets surfaced instead of passing another review.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.