The most direct and appropriate method to restrict access to an Azure Storage account from specific internet-based IP addresses is by using the storage account's built-in firewall. This feature allows you to define a set of rules that explicitly grant access from specified public IP addresses or CIDR ranges. By adding the 20 public IP addresses of the application servers to the firewall's allow list and denying access by default, you ensure that only those designated servers can reach the storage account's public endpoint. This is a native security feature designed precisely for this use case.

A. service tags in network security groups (NSGs): Service tags represent groups of IP prefixes for Azure services, not specific external application servers. NSGs apply to resources within a virtual network.

B. managed rule sets in Azure Web Application Firewall (WAF) policies: WAF is designed to protect web applications from common exploits (Layer 7), not for network-level IP-based access control to a storage account.

C. inbound rules in network security groups (NSGs): NSGs filter traffic for resources within an Azure Virtual Network (VNet), not for the public endpoint of a PaaS service like a storage account.

E. inbound rules in Azure Firewall: Azure Firewall is a VNet-level security service used to filter traffic for resources within that VNet, not the primary tool for securing a storage account's public endpoint.

1. Microsoft Learn

Azure Storage Documentation. "Configure Azure Storage firewalls and virtual networks." Under the section "Grant access from an internet IP range

" it states

"You can grant access to storage accounts from specific public internet IP address ranges by creating IP network rules. Each storage account supports up to 200 rules." This directly supports using the storage account firewall for the specified scenario.

Source: learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range

2. Microsoft Learn

Azure Storage Documentation. "Security recommendations for Blob storage." In the "Network security" section

a key recommendation is to "Use the firewall in your storage account to allow traffic only from specific virtual networks or public IP address ranges."

Source: learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations#network-security

3. Microsoft Learn

SC-100 Learning Path. "Design a solution for network security." This module discusses securing PaaS services

explaining that services like Azure Storage have built-in firewall capabilities to restrict access to their public endpoints based on IP addresses

which is distinct from VNet-centric controls like NSGs or Azure Firewall.

Source: learn.microsoft.com/en-us/training/modules/design-solutions-for-securing-azure-infrastructure/4-design-solutions-for-network-security (Section: Secure PaaS services)