
I have a query over the azure storage account log. For the attribute callerIpAddress

RajeshKumar G 20 Reputation points
2026-03-25T02:55:08.9666667+00:00

callerIpAddress: when my Azure storage account network settings are enabled from all networks, all the users are able to connect from outside. But in resource logs the IP which was supposed to show, I mean the client or user IP, is not showing; instead a private IP like 172.something is showing. Is it normal behaviour? Do we have any MS document on this? Does it show some kind of NATing or network backbone IP?



Answer accepted by question author
  1. Praveen Bandaru 11,310 Reputation points Microsoft External Staff Moderator
    2026-03-25T07:13:44.4133333+00:00

    Hello RajeshKumar G

    We want to clarify why you see a private IP address (like 172.x.x.x) as the callerIpAddress in Azure Storage diagnostic logs, even when public network access is enabled for all networks. This is standard Azure behavior.

    If access comes from another Azure resource or service, the traffic uses Microsoft’s internal network and doesn’t go through public source NAT, so Azure Storage records the internal private IP at the service boundary rather than the client’s public IP.

    This usually happens when the client workload runs within Azure, especially in the same region as the storage account or uses Azure-managed routing like service endpoints, private connectivity, VPN, or ExpressRoute.

    It’s not a security concern or misconfiguration and doesn’t impact data access when all networks are allowed.

    Microsoft confirms this is intentional. For network restrictions, use virtual network controls or private endpoints instead of public IP allow-listing, since Azure-to-Azure traffic may not show a public source IP.

    Check the reference documents below:
    https://dotnet.territoriali.olinfo.it/en-us/answers/questions/5634512/azure-storage-account-access-logs-calleripaddress
    https://dotnet.territoriali.olinfo.it/en-us/azure/storage/common/storage-network-security-limitations#restrictions-for-ip-network-rules


    I hope the above answer helps you! Please let us know if you have any further questions.

    Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.


1 additional answer

  1. Q&A Assist
    2026-03-25T02:55:24.6433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    In Azure Storage resource logs, seeing a private IP (for example, 10.x.x.x, 172.16–31.x.x, 192.168.x.x) in callerIpAddress instead of the public client IP is expected when the request reaches the storage account over a private Azure path rather than directly from the public internet.

    Key points from the documented behavior:

    1. IP network rules apply only to public internet IPs
      • Azure Storage firewall IP rules are explicitly limited to public IP addresses. Private IP ranges (RFC 1918: 10.x.x.x, 172.16–31.x.x, 192.168.x.x) are not allowed in IP rules.
      • This is because traffic from within Azure (same region, paired region with service endpoints, or certain Azure services) uses private Azure IPs, not public ones.
      • As documented:
        • “IP network rules are allowed only for public internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules.”
        • “Services deployed in the same region as the storage account use private Azure IP addresses for communication. Therefore, you can't restrict access to specific Azure services based on their public outbound IP address range.”
    2. Why a private IP appears in callerIpAddress
      • When traffic comes from:
        • A virtual network with service endpoints to Storage, or
        • Another Azure service in the same region, or
        • A path where Azure’s backbone/NAT is used internally
      • The storage service sees the private source IP (for example, the VM’s VNet IP or an internal Azure IP) as the caller, and that is what is logged in callerIpAddress.
      • This is normal and aligns with the note that IP rules cannot be used to restrict same‑region or certain paired‑region traffic because those flows use private Azure IPs.
    3. Relation to “Allow access from all networks”
      • Even when the storage account is open to all networks, the actual source IP logged still reflects how the traffic reached the service:
        • Direct from the internet → public client IP is logged.
        • Via Azure backbone / VNet / service endpoint / internal Azure service → private IP is logged.
      • Any NAT or internal routing done by Azure can therefore result in a private IP being recorded instead of the original external client IP.
    4. Relevant documentation
      • The documented restrictions on IP network rules and the explanation that same‑region Azure services use private IPs for communication describe this behavior and its implications for IP‑based control and logging.
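Both answers above make the same two points: a private callerIpAddress means the request arrived over an Azure-internal path, and storage-firewall IP rules cannot contain RFC 1918 ranges. The script below is an added example, not code from this thread or from Microsoft. It parses a few constructed resource-log records, splits callers into "public internet" versus "Azure-internal (RFC 1918)", lists the callers an IP network rule could never match, and validates a proposed IP-rule list against the documented restriction. The record field names (`callerIpAddress`, `operationName`, `statusCode`) and the `ip:port` form of the caller field are assumptions about the log schema, and all sample values are constructed.

```python
"""
Added example (not from the Q&A thread or Microsoft): classify callerIpAddress
values from Azure Storage resource logs and validate proposed storage-firewall
IP rules against the documented rule that RFC 1918 ranges are not allowed.

Assumptions: records are JSON objects with a callerIpAddress field that may
carry an ':port' suffix; sample records below are constructed, not real logs.
"""
import ipaddress
from collections import Counter

# RFC 1918 private ranges, exactly as the documentation quote defines them.
# (Deliberately not ipaddress.is_private, which also treats the RFC 5737
# documentation ranges such as 203.0.113.0/24 as private.)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records (not real log output). Public callers use the
# RFC 5737 documentation ranges so no real address is implied.
SAMPLE_RECORDS = [
    {"time": "2026-03-25T02:50:01Z", "operationName": "GetBlob",
     "statusCode": 200, "callerIpAddress": "203.0.113.45:51234"},
    {"time": "2026-03-25T02:50:02Z", "operationName": "PutBlob",
     "statusCode": 201, "callerIpAddress": "172.16.8.21:44010"},
    {"time": "2026-03-25T02:50:03Z", "operationName": "ListBlobs",
     "statusCode": 200, "callerIpAddress": "10.4.0.7"},
    {"time": "2026-03-25T02:50:04Z", "operationName": "GetBlob",
     "statusCode": 403, "callerIpAddress": "198.51.100.9:60001"},
]


def parse_caller_ip(value: str):
    """Strip an optional ':port' suffix ('1.2.3.4:5678' or '[2001:db8::1]:443')
    and return an ipaddress object."""
    if value.startswith("["):                 # bracketed IPv6 with port
        host = value[1:value.index("]")]
    elif value.count(":") == 1:               # IPv4 with port
        host = value.rsplit(":", 1)[0]
    else:                                     # bare IPv4 or IPv6
        host = value
    return ipaddress.ip_address(host)


def is_rfc1918(ip) -> bool:
    """True if the address falls inside 10/8, 172.16/12 or 192.168/16."""
    return ip.version == 4 and any(ip in net for net in RFC1918)


def classify(ip) -> str:
    """'private' = reached the service over an Azure-internal path;
    'public' = arrived directly from the internet with a routable source."""
    return "private" if is_rfc1918(ip) else "public"


def summarize(records) -> dict:
    """Count records by caller path type."""
    counts = Counter(classify(parse_caller_ip(r["callerIpAddress"])) for r in records)
    return dict(counts)


def unmatchable_callers(records) -> list:
    """Caller IPs that a storage-firewall IP rule could never match, because
    IP rules accept only public internet addresses."""
    ips = {str(parse_caller_ip(r["callerIpAddress"])) for r in records
           if is_rfc1918(parse_caller_ip(r["callerIpAddress"]))}
    return sorted(ips)


def validate_ip_rules(rules) -> tuple:
    """Split proposed IP rules into (accepted, rejected). A rule is rejected
    when it overlaps an RFC 1918 range, mirroring the documented restriction;
    the rejected rules are the ones that need a VNet rule or private endpoint."""
    accepted, rejected = [], []
    for rule in rules:
        net = ipaddress.ip_network(rule, strict=False)
        private = net.version == 4 and any(net.overlaps(r) for r in RFC1918)
        (rejected if private else accepted).append(rule)
    return accepted, rejected


if __name__ == "__main__":
    print("callers by path:", summarize(SAMPLE_RECORDS))
    print("private callers (not matchable by IP rules):", unmatchable_callers(SAMPLE_RECORDS))
    ok, bad = validate_ip_rules(["203.0.113.0/24", "172.16.0.0/12", "10.0.0.1"])
    print("accepted rules:", ok)
    print("rejected rules (use VNet rules / private endpoints instead):", bad)
```

Run against a real export, the `unmatchable_callers` list is the set of sources for which the accepted answer's advice applies: these flows arrive over Microsoft's network, so restricting them means virtual network rules or private endpoints, not public IP allow-listing.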
