When a Storage Account’s network access is restricted (network_acls.default_action set to Deny), Trusted Microsoft Services must be allowed to bypass the network rules. This ensures platform features such as Azure Backup, diagnostics/monitoring, and replication can access the account. Without this bypass, backups, telemetry, and other managed operations can fail, impacting data protection and operational visibility.
In Ansible azure_rm_storageaccount or azure.azcollection.azure_rm_storageaccount resources, ensure the network_acls.bypass property includes the value AzureServices (it may be a comma-separated list, for example, AzureServices,Logging) whenever network_acls.default_action is Deny. Resources that omit network_acls.bypass or whose bypass value does not contain AzureServices are flagged.
Secure configuration example:
```yaml
- name: Create storage account with AzureServices bypass
  azure_rm_storageaccount:
    resource_group: my-rg
    name: mystorageacct
    location: eastus
    account_type: Standard_LRS
    network_acls:
      default_action: Deny
      bypass: AzureServices
```
Compliant Code Examples
```yaml
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow

- name: configure firewall and virtual networks2
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow

- name: configure firewall and virtual networks3
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0004
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: AzureServices
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
```
Non-Compliant Code Examples
```yaml
- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: Metrics
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow

- name: configure firewall and virtual networks2
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0003
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: Metrics,Logging
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow

- name: configure firewall and virtual networks3
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0004
    type: Standard_RAGRS
    network_acls:
      default_action: Deny
      bypass: ""
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow
```
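The following is an added example, not Datadog's rule implementation or code from this page: a small Python check that applies the rule described above to already-parsed Ansible tasks. It looks at both module names named in the rule, treats `bypass` as the comma-separated string the module takes (a YAML list is also accepted, which is an assumption added for robustness), and flags a task only when `default_action` is `Deny` and `AzureServices` is absent, empty, or omitted. The sample tasks are constructed to mirror the compliant and non-compliant examples on this page.

```python
"""Check parsed Ansible storage-account tasks for the AzureServices bypass rule.

Added example; tasks are passed in as Python dicts (what yaml.safe_load would
return for a playbook's task list) so the check runs without extra packages.
"""
from typing import Any, Dict, List

# Both module spellings named in the rule description.
STORAGE_MODULES = {
    "azure_rm_storageaccount",
    "azure.azcollection.azure_rm_storageaccount",
}


def bypass_values(raw: Any) -> List[str]:
    """Normalise network_acls.bypass into a list of service names.

    The module takes a comma-separated string ("AzureServices,Logging").
    Accepting a YAML list as well is an assumption for robustness.
    """
    if raw is None:
        return []
    items = raw if isinstance(raw, list) else str(raw).split(",")
    return [item.strip() for item in items if str(item).strip()]


def task_violates_rule(task: Dict[str, Any]) -> bool:
    """True if this is a storage-account task that restricts network access
    (default_action: Deny) without AzureServices in network_acls.bypass."""
    module_args = next((task[m] for m in STORAGE_MODULES if m in task), None)
    if not isinstance(module_args, dict):
        return False  # not a storage-account task
    acls = module_args.get("network_acls") or {}
    if str(acls.get("default_action", "")).lower() != "deny":
        return False  # rule only applies when access is restricted
    allowed = {v.lower() for v in bypass_values(acls.get("bypass"))}
    return "azureservices" not in allowed


def find_violations(tasks: List[Dict[str, Any]]) -> List[str]:
    """Names of the tasks that fail the check, in playbook order."""
    return [t.get("name", "<unnamed>") for t in tasks if task_violates_rule(t)]


# Constructed sample tasks modelled on the examples above (not real infrastructure).
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "compliant bypass list",
     "azure_rm_storageaccount": {"name": "clh0002",
        "network_acls": {"bypass": "AzureServices,Metrics", "default_action": "Deny"}}},
    {"name": "non-compliant metrics and logging only",
     "azure.azcollection.azure_rm_storageaccount": {"name": "clh0003",
        "network_acls": {"bypass": "Metrics,Logging", "default_action": "Deny"}}},
    {"name": "non-compliant empty bypass",
     "azure_rm_storageaccount": {"name": "clh0004",
        "network_acls": {"bypass": "", "default_action": "Deny"}}},
    {"name": "non-compliant bypass omitted",
     "azure_rm_storageaccount": {"name": "clh0005",
        "network_acls": {"default_action": "Deny"}}},
    {"name": "access not restricted, rule does not apply",
     "azure_rm_storageaccount": {"name": "clh0006",
        "network_acls": {"default_action": "Allow"}}},
    {"name": "unrelated module", "debug": {"msg": "nothing to check"}},
]


if __name__ == "__main__":
    for name in find_violations(SAMPLE_TASKS):
        print(f"FLAGGED: {name}: network_acls.bypass lacks AzureServices with default_action Deny")
```

Running the block lists the three non-compliant tasks; the task with `default_action: Allow` is skipped because the rule is only about restricted accounts, and the `debug` task is ignored because it is not a storage-account module call.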
```yaml
rulesets:
  - Ansible / Azure # Rules to enforce / Azure.
```