Cyscale
Back to controls

Ensure 'Disk Network Access' is NOT set to 'Enable public access from all networks'

Virtual Machine Disks and snapshots can be configured to allow access from different network resources.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

null controls, 1 queries

Asset types

1 covered

Overview

Virtual Machine Disks and snapshots can be configured to allow access from different network resources.

Rationale

In many cases, the setting 'Enable public access from all networks' is overly permissive on Virtual Machine Disks and presents atypical attack, data infiltration, and data exfiltration vectors. If a disk-to-network connection is required, the preferred setting is 'Disable public access and enable private access.'

Impact

The setting 'Disable public access and enable private access' will require configuring a private link (URL in references below).

Disable public and private access is the most secure and preferred setting where disk network access is unnecessary.

Remediation guidance

Remediate from Azure Portal

Part A. Select the Virtual Machine to Remediate

  1. Using the search bar, search for and open the Virtual Machines service.
  2. Click on the name of the Virtual Machine to be remediated.

Part B. Remediate each Virtual Machine Disk individually

  1. From the selected Virtual Machine resource window, expand the Settings menu item and click Disks.
  2. For each disk, click the name of the disk to open the disk resource window.
  3. From the selected Disk resource window, expand the Settings menu item, and click Networking.

Under Network access, select the radio button for either:

  • Disable public access and enable private access
  • Disable public and private access

Repeat Part B for each Disk attached to a VM.

Repeat Parts A and B to remediate all Disks in all VMs.

Remediate from PowerShell

To disable PublicNetworkAccess and to set a DenyAll setting for the disk's NetworkAccessPolicy for each managed disk, run the following command:

$disk = Get-AzDisk -ResourceGroupName '<rg_name>' -DiskName '<disk_name>'
$disk.NetworkAccessPolicy = 'DenyAll'
$disk.PublicNetworkAccess = 'Disabled'
Update-AzDisk -ResourceGroup '<rg_name> -DiskName $disk.Name -Disk $disk

To disable PublicNetworkAccess and to set an AllowPrivate setting for the disk's NetworkAccessPolicy for each managed disk, run the following command:

$disk = Get-AzDisk -ResourceGroupName '<rg_name>' -DiskName '<disk_name>'
$disk.NetworkAccessPolicy = 'AllowPrivate'
$disk.PublicNetworkAccess = 'Disabled'
$disk.DiskAccessId = '/subscriptions/<subscription_ID>/resourceGroups/<rg_name>/providers/Microsoft.Compute/diskAccesses/<disk_access_name>
Update-AzDisk -ResourceGroup '<rg_name> -DiskName $disk.Name -Disk $disk

Remediate from Azure CLI

To configure a disk to allow private access only, run the following command, ensuring you have the disk_access_ID from a private disk access endpoint.

az disk update --name <disk_name> --resource-group <rg_name> --network-access-policy AllowPrivate --disk-access <disk_access_ID>

To completely disable public and private access for a disk, run the following command (still in preview) for each disk:

az disk update --name <disk_name> --resource-group <rg_name> --public-network-access Disabled --network-access-policy DenyAll

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

  • Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
  • Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
  • Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Disks allowing public access from all networks

Connectors

Microsoft Azure

Covered asset types

Disk

Expected check: eq []

{
  disks(where: { networkAccessPolicy: "AllowAll" }) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon