Default action `Allow` is not valid for NFS enabled storage accounts.
I'm a bit surprised by this because I'm sure I tested this for #2247. Perhaps I was changing this after deployment?
We either need to find a way to make this work, which might be,
- Allow a large CIDR range?
- Find why `Allow` is not valid anymore?

Or to remove this feature.
:deciduous_tree: Log messages
Relevant log messages
```none
azure-native:storage:StorageAccount
(sre_data_storage_account_data_private_sensitive):
error: PUT
https://management.azure.com/subscriptions/3f1a8e26-eae2-4539-952a-0a6184ec248a/resourceGroups/
shm-daimyo-sre-hojo-rg/providers/Microsoft.Storage/storageAccounts/shdaisrehojsensitivedata
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
ERROR CODE: NetworkAclsDefaultActionMisconfigured
--------------------------------------------------------------------------------
{
"error": {
"code": "NetworkAclsDefaultActionMisconfigured",
"message": "NetworkAcls default action must be set to Deny for NFS enabled account."
}
}
--------------------------------------------------------------------------------
```
:recycle: To reproduce
Deploy an SRE with `data_provider_ip_addresses: Internet`
:white_check_mark: Checklist
:computer: System information
:package: Packages
List of packages
```none
acme==2.10.0
annotated-types==0.7.0
appdirs==1.4.4
Arpeggio==2.0.2
attrs==24.2.0
azure-common==1.1.28
azure-core==1.32.0
azure-identity==1.19.0
azure-keyvault-certificates==4.9.0
azure-keyvault-keys==4.10.0
azure-keyvault-secrets==4.9.0
azure-mgmt-compute==33.0.0
azure-mgmt-containerinstance==10.1.0
azure-mgmt-core==1.5.0
azure-mgmt-dns==8.2.0
azure-mgmt-keyvault==10.3.1
azure-mgmt-msi==7.0.0
azure-mgmt-rdbms==10.1.0
azure-mgmt-resource==23.2.0
azure-mgmt-storage==21.2.1
azure-storage-blob==12.23.1
azure-storage-file-datalake==12.17.0
azure-storage-file-share==12.19.0
certifi==2024.8.30
cffi==1.17.1
charset-normalizer==3.4.0
chevron==0.14.0
click==8.1.7
cryptography==43.0.3
-e git+ssh://git@github.com/alan-turing-institute/data-safe-haven.git@d51640b51032b49d35abd1e5f195c01d8e5a534a#egg=data_safe_haven
debugpy==1.8.8
dill==0.3.9
dnspython==2.7.0
fqdn==1.5.1
grpcio==1.66.2
idna==3.10
isodate==0.7.2
josepy==1.14.0
markdown-it-py==3.0.0
mdurl==0.1.2
msal==1.31.0
msal-extensions==1.2.0
msrest==0.7.1
oauthlib==3.2.2
parver==0.5
portalocker==2.10.1
protobuf==4.25.5
psycopg==3.1.19
psycopg-binary==3.1.19
pulumi==3.138.0
pulumi_azure_native==2.71.0
pulumi_azuread==6.0.1
pulumi_random==4.16.7
pycparser==2.22
pydantic==2.9.2
pydantic_core==2.23.4
Pygments==2.18.0
PyJWT==2.9.0
pyOpenSSL==24.2.1
pyRFC3339==2.0.1
pytz==2024.2
PyYAML==6.0.2
requests==2.32.3
requests-oauthlib==2.0.0
rich==13.9.4
semver==2.13.0
setuptools==75.2.0
shellingham==1.5.4
simple_acme_dns==3.2.0
six==1.16.0
typer==0.13.0
typing_extensions==4.12.2
urllib3==2.2.3
validators==0.34.0
websocket-client==1.8.0
```
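A pre-deployment check for the condition in the log above, as an added example that is not part of the original issue or the project's code. It assumes that `Internet` maps to a `defaultAction` of `Allow` and uses the ARM property names `isNfsV3Enabled` and `networkAcls`; the function names and the `/8` review threshold are hypothetical. It also flags very broad IP rules, since a large CIDR range would satisfy the `Deny` requirement while leaving the account almost as exposed.

```python
import ipaddress

BROAD_PREFIX = 8  # assumption: IPv4 ranges wider than /8 are flagged for review


def build_network_acls(data_provider_ip_addresses):
    """Map the config value onto an ARM-style networkAcls dict (assumed mapping)."""
    if data_provider_ip_addresses == "Internet":
        return {"defaultAction": "Allow", "ipRules": []}
    rules = []
    for entry in data_provider_ip_addresses:
        ipaddress.ip_network(entry, strict=False)  # ValueError on malformed input
        rules.append({"value": entry, "action": "Allow"})
    return {"defaultAction": "Deny", "ipRules": rules}


def preflight(properties):
    """Return findings for one storage account's properties before deployment."""
    findings = []
    acls = properties.get("networkAcls", {})
    if properties.get("isNfsV3Enabled") and acls.get("defaultAction") != "Deny":
        # Same condition the API rejects with HTTP 400 in the log above.
        findings.append("NetworkAclsDefaultActionMisconfigured")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.prefixlen < BROAD_PREFIX:
            # Passes the Deny requirement but exposes the account almost as widely.
            findings.append(f"BroadIpRule:{net}")
    return findings


def check_config(data_provider_ip_addresses, nfs_enabled=True):
    """Build the properties for a config value and run the pre-flight check."""
    properties = {
        "isNfsV3Enabled": nfs_enabled,
        "networkAcls": build_network_acls(data_provider_ip_addresses),
    }
    return preflight(properties)


if __name__ == "__main__":
    # Constructed inputs (documentation address range and split-Internet ranges).
    for value in ("Internet", ["203.0.113.0/24"], ["0.0.0.0/1", "128.0.0.0/1"]):
        print(value, "->", check_config(value) or "ok")
```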