How do I specify in an ARM template that my storage account should have `Public network access` set to `Disabled`?


I have the following storageAccounts resource in an ARM template, and when I upload the template I was expecting to see Public network access set to Disabled, but instead I see 'Enabled from selected virtual networks and IP addresses'. I have tried setting a storage account to Public network access = Disabled manually and exporting that template, and it has the same as I do, so I'm not quite sure how to do it.

My understanding is that as long as I keep the virtual networks and IP addresses as empty arrays, it's the same as setting Public access to Disabled; I'm not sure if this is the logic.

Public network access result of uploading the template:


The resource defined in my ARM template:

```json
{
    "type": "Microsoft.Storage/storageAccounts",
    "name": "[parameters('storageAccountName')]",
    "apiVersion": "2017-10-01",
    "sku": {
        "name": "[parameters('storageAccountSku')]",
        "tier": "[parameters('storageAccountTier')]"
    },
    "kind": "StorageV2",
    "location": "[parameters('storageAccountLocation')]",
    "tags": {},
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "defaultToOAuthAuthentication": false,
        "supportsHttpsTrafficOnly": true,
        "AllowBlobPublicAccess": false,
        "targetResourceId": "",
        "networkAcls": {
            "resourceAccessRules": [],
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [],
            "virtualNetworkRules": []
        },
        "publicNetworkAccess": "Disabled",
        "accessTier": "Hot"
    }
}
```

1 answer

Jahnavi (best answer)

I can see that you are using `"apiVersion": "2017-10-01"`, and it is a very old version of the ARM template for a storage account. To avoid conflicts, use the latest version, which is `"apiVersion": "2023-01-01"`.

Refer to the MSDoc for all the latest available API versions of `"Microsoft.Storage/storageAccounts"`.

The complete code is given below.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageaccountname": {
            "defaultValue": "teststorejah",
            "type": "String"
        },
        "storageAccountType": {
            "defaultValue": "Standard_GRS",
            "allowedValues": [
                "Standard_LRS",
                "Standard_GRS",
                "Standard_ZRS",
                "Premium_LRS"
            ],
            "type": "String",
            "metadata": {
                "description": "Accounttype"
            }
        },
        "location": {
            "defaultValue": "[resourceGroup().location]",
            "type": "String",
            "metadata": {
                "description": "Location"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "[parameters('storageaccountname')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "[parameters('storageAccountType')]"
            },
            "kind": "StorageV2",
            "properties": {
                "networkAcls": {
                    "defaultAction": "Deny",
                    "bypass": "AzureServices",
                    "ipRules": [],
                    "virtualNetworkRules": []
                },
                "publicNetworkAccess": "Disabled"
            }
        }
    ],
    "outputs": {}
}
```

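A pre-deployment check for the situation in this thread, added here as an example and not part of the original question or answer: it walks an ARM template (including child resources and nested deployments, which goes beyond the single resource shown above) and reports storage accounts that would not end up with Public network access set to Disabled. The `2021-06-01` cutoff is an assumption about when `publicNetworkAccess` became available, and the names `walk`, `lint_storage_accounts` and `SAMPLE` are illustrative.

```python
import json

# Assumption: 2021-06-01 is taken as the first Microsoft.Storage API version
# that accepts publicNetworkAccess; confirm it against the template reference.
MIN_API_VERSION = "2021-06-01"

def walk(resources):
    """Yield every resource, including child resources and nested deployments."""
    if isinstance(resources, dict):          # symbolic-name templates use a map
        resources = list(resources.values())
    for res in resources or []:
        yield res
        yield from walk(res.get("resources"))
        yield from walk(res.get("properties", {}).get("template", {}).get("resources"))

def lint_storage_accounts(template):
    """Return (name, finding) for storage accounts that would not be deployed
    with Public network access = Disabled."""
    findings = []
    for res in walk(template.get("resources")):
        if str(res.get("type", "")).lower() != "microsoft.storage/storageaccounts":
            continue
        name = res.get("name", "<unnamed>")
        api = str(res.get("apiVersion", ""))
        pna = res.get("properties", {}).get("publicNetworkAccess")
        if pna != "Disabled":
            findings.append((name, f"publicNetworkAccess is {pna!r}, not 'Disabled'"))
        # API versions are yyyy-mm-dd[-preview]; the date part sorts as text.
        elif api[:10] < MIN_API_VERSION:
            findings.append((name, f"apiVersion {api} is older than {MIN_API_VERSION}"))
    return findings

# Constructed sample: the two resources from this page, trimmed to the relevant keys.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "question",
   "apiVersion": "2017-10-01",
   "properties": {"networkAcls": {"defaultAction": "Deny"},
                  "publicNetworkAccess": "Disabled"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "answer",
   "apiVersion": "2023-01-01",
   "properties": {"networkAcls": {"defaultAction": "Deny"},
                  "publicNetworkAccess": "Disabled"}}
]}
""")

if __name__ == "__main__":
    for name, finding in lint_storage_accounts(SAMPLE):
        print(f"{name}: {finding}")
```

Run as a CI step against the template file, a non-empty result can fail the build before the account is ever created with public access enabled.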