How to change the default public access to the Azure Storage Account created by ARO clusters


Environment

  • Azure Red Hat OpenShift (ARO)
    • 4
  • OpenShift Managed (Azure)
    • 4

Issue

  • The publicly accessible Azure Storage Accounts created by the ARO installation are against our company policy.
  • Is it possible to switch the network setting of the Azure Storage Account from 'All networks' to only internal (non-internet) networks?

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Egress lockdown is now enabled by default for new cluster creation. To enable egress lockdown on existing clusters, you must have SNI enabled on the customer workloads. To enable egress lockdown on your existing clusters, submit a support case to either Microsoft Support or Red Hat Support.

See Enable Egress Lockdown and Lockdown storage accounts for more detail.

The cluster Storage Account must remain intact and be 100% managed by SREs, as it is used for backups of cluster data. ARO customers should not directly delete any resources in the managed resource group, and the deny assignment on the managed resource group will prevent them from doing so. For reference, here is the corresponding part of the support policy:
"Don't circumvent the deny assignment that is configured as part of the service, or perform administrative tasks that are normally prohibited by the deny assignment."
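A read-only way to verify the state the article describes, added here as an example and not part of the article or of ARO itself: the check below inspects storage account records in the shape returned by `az storage account list -o json` (the property names `publicNetworkAccess` and `networkRuleSet.defaultAction` are the real ARM fields; the account names, resource group and values are constructed) and reports accounts still set to 'All networks'. It changes nothing, so it stays within the deny assignment quoted above.

```python
"""Read-only check: which storage accounts are still open to 'All networks'?

The sample below is constructed to mimic `az storage account list -o json`;
field names are the real ARM properties, names and values are made up.
"""
import json

# Constructed sample: two accounts in a placeholder ARO managed resource group.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {
        "name": "clusterabc123",
        "resourceGroup": "aro-managed-rg-placeholder",
        "publicNetworkAccess": "Enabled",
        "allowBlobPublicAccess": True,
        "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
    {
        "name": "imageregistryxyz",
        "resourceGroup": "aro-managed-rg-placeholder",
        "publicNetworkAccess": "Enabled",
        "allowBlobPublicAccess": False,
        "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"},
    },
])


def is_open_to_all_networks(account: dict) -> bool:
    """True when the account's firewall still defaults to 'All networks'.

    In the portal, 'All networks' means networkRuleSet.defaultAction == "Allow"
    while public network access is enabled. Egress lockdown moves the account
    to a "Deny" default (selected networks / private endpoints only).
    """
    public = account.get("publicNetworkAccess", "Enabled") == "Enabled"
    rules = account.get("networkRuleSet") or {}
    return public and rules.get("defaultAction", "Allow") == "Allow"


def find_public_accounts(accounts_json: str) -> list:
    """Return the sorted names of accounts violating an internal-only policy."""
    accounts = json.loads(accounts_json)
    return sorted(a["name"] for a in accounts if is_open_to_all_networks(a))


if __name__ == "__main__":
    for name in find_public_accounts(SAMPLE_ACCOUNTS_JSON):
        print(f"{name}: networkRuleSet.defaultAction is Allow (All networks)")
```

Feed the real output of `az storage account list -g <managed-resource-group> -o json` to `find_public_accounts` to audit an existing cluster; an empty result means egress lockdown has already restricted the accounts.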

Root Cause

The Egress Lockdown feature is not enabled on the ARO cluster.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
