There are a couple of best practices that should be followed when applying security in your Storage Accounts by enabling firewall and VM features. The first one is to make sure that the Storage Account being used to store the boot diagnostics of your virtual machines is not configured to use firewall and virtual networks. Otherwise, the following error message will be displayed on your virtual machines boot diagnostics.
In that case, the feature was enabled, as depicted in the image below.
The recommended approach is to leave All networks (default setting).
The second recommendation is to avoid locking down Storage Accounts being used by Azure. They are easily spotted by checking the tag with the name ms-resource-usage, as depicted in the image below.
