Security · Critical · Common · AZF-0025

A storage account with public network access enabled puts its data at the internet edge

Flipping a storage account's public network access from Disabled to Enabled exposes its blob, file, queue, and table endpoints to the whole internet, gated only by keys and identity.

Footgun ID
AZF-0025 (Azure Footgun No. 25)
Azure service
Azure Storage
Resource type
Microsoft.Storage/storageAccounts
Updated
July 1, 2026

What it is

A storage account whose publicNetworkAccess property is set to Enabled rather than Disabled. With Enabled, the account's data-plane endpoints (blob, file, queue, table) accept connections from the public internet, and what gets through is decided by networkAcls.defaultAction: Allow (the default, shown in the portal as "Enabled from all networks") lets every source address on the internet attempt to authenticate; Deny ("Enabled from selected virtual networks and IP addresses") admits only the listed IP ranges, subnets, and bypassed Azure services. With Disabled, the public path accepts nothing regardless of firewall rules, and traffic has to arrive over a private endpoint. So on an Enabled account the only things standing between the internet and your data are authentication and whatever account-level firewall rules you remembered to configure.

Impact (security)
Account endpoints reachable from any network on the public internet
Basis: documented Azure behavior (authored assessment). This is an exposure rating, not a measurement.

Why it happens

publicNetworkAccess is the account-wide switch that decides whether the public endpoints answer at all; networkAcls only filters traffic once that switch is on. A private endpoint does not turn it off: creating one leaves publicNetworkAccess untouched, so you can stand up Private Link and still have the public path wide open, because the two settings are independent. When the switch was locked to Disabled and later drifts back to Enabled, the account rejoins the public internet with whatever networkAcls it already has, which for most accounts means defaultAction Allow, and nothing tells you.

The flip usually isn't malicious. A support ticket needs "just temporary" public access, a template that omits the property falls back to the ARM default (Enabled; Terraform's public_network_access_enabled on azurerm_storage_account likewise defaults to true), or a portal click during troubleshooting never gets reverted. Azure treats Enabled as a valid state, so nothing errors and nothing nags. The account keeps working exactly as before, which is why the change survives review.
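One way to make the drift described above fail at deployment time instead of surviving review is an Azure Policy guardrail. The Bicep below is an added example, not code from the original page or from StratoLens: a subscription-scope custom policy definition plus an assignment. The policy alias Microsoft.Storage/storageAccounts/publicNetworkAccess is the one Azure exposes for this property; the definition and assignment names, the display text, and the effect parameter are this example's own choices. It deliberately matches both an explicit Enabled and a template that omits the property, because omitting it yields Enabled.

```bicep
// Added example (not the page's or StratoLens's code). Deploy at subscription scope:
//   az deployment sub create --location <region> --template-file guardrail.bicep
// Assumed: resource names, display strings and the 'effect' parameter are illustrative.
targetScope = 'subscription'

@allowed([ 'Audit', 'Deny', 'Disabled' ])
param effect string = 'Audit'   // start in Audit; switch to Deny once existing accounts are clean

resource def 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'storage-public-network-access-disabled'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Storage accounts must set publicNetworkAccess to Disabled'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [ 'Audit', 'Deny', 'Disabled' ]
        defaultValue: 'Audit'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          {
            // Catch both a deliberate Enabled and a template that leaves the
            // property out, since an omitted publicNetworkAccess defaults to Enabled.
            anyOf: [
              { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', exists: 'false' }
              { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', notEquals: 'Disabled' }
            ]
          }
        ]
      }
      // Bicep compiles this literal to an ARM expression that Policy evaluates per request.
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

resource assign 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-public-network-access'
  properties: {
    displayName: 'Storage: public network access must be Disabled'
    policyDefinitionId: def.id
    parameters: { effect: { value: effect } }
  }
}
```

Deny only acts on create and update requests, so it stops the support-ticket flip and the template default from landing but does not change accounts that are already Enabled; those show up as non-compliant in the policy compliance view, which is why starting with Audit and reviewing the list before switching to Deny is the safer order.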

What it costs / blast radius

The blast radius is the entire account: every container, share, queue, and table it holds is now addressable from anywhere. Public network access does not authenticate anyone by itself, but it moves your data from "unreachable off the private network" to "reachable by the world, protected only by keys, SAS tokens, and identity." A leaked SAS URL, an over-broad shared key, or a container left open to anonymous reads (possible only while allowBlobPublicAccess is also true) becomes internet-wide instead of network-scoped. (This is an exposure assessment derived from the control-plane setting, not a measured breach probability; your account firewall, allowBlobPublicAccess, and RBAC still matter.)

See it

Footgun: public network access enabled (endpoints reachable from anywhere)
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Enabled'   // no networkAcls, so defaultAction is Allow: the whole internet can reach the endpoints
  }
}
Fix: disable public network access and reach the account over Private Link
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'  // the public path accepts nothing; only private endpoints reach it
    networkAcls: {
      defaultAction: 'Deny'          // deny by default so a later flip to Enabled still admits no one
    }
    allowBlobPublicAccess: false     // no anonymous container reads even if a container ACL says otherwise
  }
}
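The fix above says "reach the account over Private Link" but shows only the account. The Bicep below is an added example, not code from the original page or from StratoLens, of the pieces that make the private path actually work: the private endpoint for the blob sub-resource, the privatelink DNS zone, and the zone group that registers the endpoint's IP in it. Without the DNS part, clients inside the VNet keep resolving the public hostname and get refused. It references the fixed account as an existing resource and assumes a subnet and VNet passed in by ID; the endpoint, zone link and zone group names are illustrative.

```bicep
// Added example (not the page's or StratoLens's code). Resource-group scope, same
// region as the account. Assumed inputs: subnetId is a subnet with private endpoint
// network policies disabled, vnetId is the VNet that holds it.
param location string = resourceGroup().location
param subnetId string
param vnetId string

// The account deployed by the fix above, with publicNetworkAccess 'Disabled'.
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
  name: 'corpdata001'
}

// privatelink.blob.core.windows.net (suffix taken from the cloud environment), so
// corpdata001.blob.core.windows.net -> corpdata001.privatelink.blob.core.windows.net
// resolves to the private IP for clients inside the linked VNet.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'corp-vnet-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}

// One private endpoint per sub-resource: 'blob' here; add 'file', 'queue', 'table'
// endpoints (each with its own privatelink zone) for the other services you use.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-corpdata001-blob'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: sa.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// Writes the endpoint's private IP into the zone as corpdata001.privatelink.blob...
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}
```

A quick check after deployment: from a VM in the linked VNet, resolving corpdata001.blob.core.windows.net should return an address from the subnet's range, and from outside the VNet the same name should still resolve to a public IP that refuses the request. If the first test returns a public IP, the zone link or zone group is the part that is missing.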

How StratoLens helps

StratoLens watches this property across every storage account in every subscription and flags the moment it drifts from Disabled to Enabled, with the change captured in history so you can see when it happened and what else moved with it. You don't have to schedule the audit or remember which accounts were supposed to be private; the check runs continuously inside your own tenant.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.