An Azure storage account can have network rules defined so that only traffic from specified networks can access the data. These rules are configured on the Firewalls and virtual networks blade, under Settings of the storage account. By default, access for All networks is selected; it is best practice to change this to Selected networks, restricting where users or applications can access the data from.
Under the virtual network section, an existing virtual network can be selected or a new virtual network created.
The firewall section is where the public IP address can be added to allow access to the storage account.
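The settings described above can also be checked outside the portal. The following is an added example, not part of the original page: a small audit over a storage account's network rule set, assuming the JSON shape printed by `az storage account show --query networkRuleSet`. The sample data, the `audit_network_rules` name and the /24 review threshold are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape printed by
# `az storage account show --query networkRuleSet`; every value is made up.
SAMPLE = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
    {"action": "Allow", "ipAddressOrRange": "198.51.0.0/16"},
    {"action": "Allow", "ipAddressOrRange": "10.1.2.0/24"}
  ],
  "virtualNetworkRules": []
}
""")

# RFC 1918 private ranges; the firewall section takes public IP addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_RANGE = 256  # assumed review threshold: flag anything larger than a /24


def audit_network_rules(rule_set):
    """Return a list of findings for one storage account's network rule set."""
    findings = []
    # "All networks" in the portal corresponds to defaultAction == "Allow".
    if rule_set.get("defaultAction", "Allow") != "Deny":
        findings.append("default action is Allow: 'All networks' is selected")
    for rule in rule_set.get("ipRules") or []:
        value = rule["ipAddressOrRange"]
        net = ipaddress.ip_network(value, strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            findings.append(f"{value}: private range, not a public IP address")
        elif net.num_addresses > MAX_RANGE:
            findings.append(f"{value}: broad range ({net.num_addresses} addresses)")
    return findings


if __name__ == "__main__":
    for finding in audit_network_rules(SAMPLE):
        print("-", finding)
```

An empty result means the account is set to Selected networks and every firewall entry is a narrow public address or range.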