diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index 13231685..f8e7b9d7 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -9,6 +9,12 @@ resource "azurerm_storage_account" "bucket" {
 location = azurerm_resource_group.bucket.location
 account_tier = "Standard"
 account_replication_type = "LRS"
+
+ network_rules {
+ default_action = var.policy
+ virtual_network_subnet_ids = var.subnet_ids
+ #ip_rules = ["66.220.238.246/30"]
+ }
 }
 
 resource "azurerm_storage_container" "bucket" {
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index 6278355e..7b2ae300 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -29,3 +29,14 @@ variable "service_name" {
 description = "Name of the service using this bucket"
 type = string
 }
+
+variable "subnet_ids" {
+ description = "List of subnet_ids that will have access to this service"
+ type = list
+}
+
+variable "policy" {
+ description = "The default policy for the network access rules (Allow/Deny)"
+ default = "Deny"
+ type = string
+}
diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf
index d58987fc..d798214f 100644
--- a/terraform/providers/dev/buckets.tf
+++ b/terraform/providers/dev/buckets.tf
@@ -5,6 +5,8 @@ module "task_order_bucket" {
 name = var.name
 environment = var.environment
 region = var.region
+ policy = "Deny"
+ subnet_ids = [module.vpc.subnets]
 }
 
 module "tf_state" {
@@ -14,4 +16,6 @@ module "tf_state" {
 name = var.name
 environment = var.environment
 region = var.region
+ policy = "Allow"
+ subnet_ids = []
 }
diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf
index 32ba5688..fc3afa30 100644
--- a/terraform/providers/dev/variables.tf
+++ b/terraform/providers/dev/variables.tf
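Review bot: The new `network_rules` block sets no `bypass`, so once `default_action` is Deny it is the provider's default that decides whether Azure platform services (logging, metrics, backup) can still reach the account; make the intent explicit, `bypass = ["AzureServices"]` or `bypass = ["None"]`, so the posture does not silently change with a provider upgrade. The commented-out `#ip_rules = ["66.220.238.246/30"]` is a hard-coded public address left behind in a shared module; either delete it or expose it properly as `ip_rules = var.ip_rules` with a `default = []`. Note that `azurerm_storage_container.bucket` further down in this file is a data-plane resource, so if `terraform apply` does not itself run from one of `var.subnet_ids`, a Deny policy with no `ip_rules` will presumably make container creation fail with 403 right after the account is created — confirm where apply runs. The `azurerm_storage_account` resource block begins above this hunk.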
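Review bot: `type = list` on `subnet_ids` is the unconstrained legacy form; `virtual_network_subnet_ids` takes subnet resource-ID strings, so declare `type = list(string)` and a wrong shape fails at plan time instead of at the API. `policy` is free text that flows straight into `default_action`, and a typo such as `"deny"` would only surface at apply; if the project's Terraform is 0.13 or newer, add a `validation` block whose condition is `contains(["Allow", "Deny"], var.policy)` with an error message naming the two accepted values. Also consider `default = []` on `subnet_ids` so callers that intentionally grant no VNet access do not have to pass an empty list by hand.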
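Review bot: `policy = "Allow"` on `tf_state` leaves the bucket that holds Terraform state — which normally contains credentials, keys and connection strings in plain text — reachable from any network, and with `subnet_ids = []` there is nothing scoping it at all. If the reason is that `terraform apply` runs from outside the VNet, the narrower fix is to expose the bucket module's `ip_rules` as a variable and pin this bucket to the operator or CI egress addresses while keeping the module's Deny default; if public reach really is intended for now, a comment above the line, `# state bucket must stay reachable from outside the VNet until apply runs from an allowed subnet`, records the decision and gives a reviewer something to revisit. The `module "tf_state"` block begins above this hunk.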
@@ -36,6 +36,14 @@ variable "networks" {
 }
 }
 
+variable "service_endpoints" {
+ type = map
+ default = {
+ public = ""
+ private = "Microsoft.Storage,Microsoft.KeyVault"
+ }
+}
+
 variable "gateway_subnet" {
 type = string
 default = "10.1.20.0/24"
diff --git a/terraform/providers/dev/vpc.tf b/terraform/providers/dev/vpc.tf
index b7fac8ae..44ecf35c 100644
--- a/terraform/providers/dev/vpc.tf
+++ b/terraform/providers/dev/vpc.tf
@@ -1,13 +1,14 @@
 module "vpc" {
- source = "../../modules/vpc/"
- environment = var.environment
- region = var.region
- virtual_network = var.virtual_network
- networks = var.networks
- gateway_subnet = var.gateway_subnet
- route_tables = var.route_tables
- owner = var.owner
- name = var.name
- dns_servers = var.dns_servers
+ source = "../../modules/vpc/"
+ environment = var.environment
+ region = var.region
+ virtual_network = var.virtual_network
+ networks = var.networks
+ gateway_subnet = var.gateway_subnet
+ route_tables = var.route_tables
+ owner = var.owner
+ name = var.name
+ dns_servers = var.dns_servers
+ service_endpoints = var.service_endpoints
 }
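Review bot: `type = map` is unconstrained and the values are comma-joined strings (`"Microsoft.Storage,Microsoft.KeyVault"`), which forces a `split(",", …)` somewhere in the vpc module and lets a stray space produce an endpoint name Azure will reject at apply time. Declare the real shape instead: `type = map(list(string))` with `private = ["Microsoft.Storage", "Microsoft.KeyVault"]` and `public = []`. The empty string for `public` is presumably meant as "no endpoints"; confirm the vpc module treats `""` that way rather than passing a single empty element, since the module's handling of this variable is not in the diff.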
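Review bot: Of the eleven rewritten lines in `module "vpc"` only `service_endpoints = var.service_endpoints` is a functional change; the other ten are alignment-only rewrites that hide the one line a reviewer needs to check. Keep formatting-only changes in their own commit, or run `terraform fmt` beforehand, so a feature diff stays one line. Enabling `Microsoft.Storage` on the subnets is presumably also what lets the storage account's `network_rules` accept them in `virtual_network_subnet_ids`, so a comment on the new line, `# storage/keyvault service endpoints; subnets referenced by bucket network_rules need these`, would record the dependency — confirm against the vpc module, which is not in the diff.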