Limiting container access to app service

Jason 1 Reputation point
2022-09-29T15:55:50.15+00:00

I have a resource group on Azure with a web application hosted as an App Service, that uses an Azure SQL Database and storage container for blob storage.

Within the storage account, I want to limit public access within the networking section, to only be enabled from selected virtual networks or IP addresses. If I enable this, I then need to provide access from my App Service within the same resource group. The most appropriate route seems to be by allowing access to resource instance, by adding a resource type by instance name. However, in the drop down list of resource types, there does not seem to be an option for App Service. Is this possible?

I considered allowing specific IP addresses, but the Microsoft documentation suggests that resources in the same region as the storage account use private Azure IP addresses for communication.

Any advice on this would be appreciated.

Tags: Azure Storage Accounts, Azure App Service

1 answer

Sort by: Most helpful
  1. brtrach-MSFT 15,251 Reputation points Microsoft Employee
    2022-10-04T02:59:40.827+00:00

    @Jason We understand you are attempting to limit access to your storage account to only your web app.

    I come from the web app side so I will be stretching some of my storage account knowledge here but wanted to provide you an answer.

    The storage account firewall "resource instance" feature that you spoke of largely exists to provide a way to add resources that cannot be added to a virtual network.

    Azure Web Apps can be added to a virtual network so there is a process to provide resource level connectivity.

    1. Navigate to your storage account in the portal > networking blade
    2. Select "Enabled from selected virtual networks and IP addresses".
    3. Connect your virtual network to your storage account under the virtual networks header.
    4. Navigate to your web app in the portal > networking
    5. Select VNET integration
    6. Add your VNET here

    While there is a lot more configuration that can be done, these are the simple steps that should get you started and limit access to your storage account.

    Please let us know if you have further questions or concerns.
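The six portal steps in the answer above, expressed as one deployable Bicep template. This is an added example, not code from the answer or from Microsoft: the resource names, address ranges, API versions, the Standard S1 plan tier and the `vnetRouteAllEnabled` setting are all assumptions chosen for illustration. The pieces that do the security work are the `Microsoft.Storage` service endpoint plus the `Microsoft.Web/serverFarms` delegation on the integration subnet, the storage account's `networkAcls` with `defaultAction: 'Deny'` and a single `virtualNetworkRules` entry for that subnet, and the web app's `virtualNetworkSubnetId`, which is the "VNET integration" step.

```bicep
// Added example (not from the original answer). Names, ranges and API versions are assumptions.
param location string = resourceGroup().location
param storageAccountName string   // must be globally unique, 3-24 lowercase alphanumerics
param appName string
param planName string = 'plan-app'

// 1. A VNet whose only subnet is reserved for App Service regional VNet integration.
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.10.0.0/16' ]   // assumed range
    }
  }
}

// The integration subnet. Two properties matter for the storage firewall:
//  - serviceEndpoints: Microsoft.Storage, so traffic from this subnet carries a VNet identity
//    that the storage account's virtualNetworkRules can match;
//  - delegation to Microsoft.Web/serverFarms, which App Service requires on an integration subnet.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: vnet
  name: 'snet-appservice'
  properties: {
    addressPrefix: '10.10.1.0/24'          // assumed range
    serviceEndpoints: [
      { service: 'Microsoft.Storage' }
    ]
    delegations: [
      {
        name: 'appservice'
        properties: { serviceName: 'Microsoft.Web/serverFarms' }
      }
    ]
  }
}

// 2./3. Storage account locked to "selected virtual networks and IP addresses",
// with the integration subnet as the only allowed network and no public IP rules.
resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }          // assumed SKU
  properties: {
    publicNetworkAccess: 'Enabled'       // 'Disabled' would require a private endpoint instead
    allowBlobPublicAccess: false         // separate control: no anonymous container/blob reads
    networkAcls: {
      defaultAction: 'Deny'              // this is the "selected networks" setting
      bypass: 'AzureServices'
      virtualNetworkRules: [
        { id: subnet.id, action: 'Allow' }
      ]
      ipRules: []                        // outbound IPs of a same-region app would not match anyway
    }
  }
}

// 4./5./6. The web app, integrated with the subnet above.
// Regional VNet integration needs a plan tier that supports it; S1 is assumed here.
resource plan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: planName
  location: location
  sku: { name: 'S1' }
}

resource app 'Microsoft.Web/sites@2022-03-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: subnet.id    // the "VNET integration" step from the answer
    siteConfig: {
      vnetRouteAllEnabled: true          // assumption: route all outbound traffic into the VNet
      minTlsVersion: '1.2'
    }
  }
}

output blobEndpoint string = storage.properties.primaryEndpoints.blob
```

After deploying (for example `az deployment group create -g <rg> -f main.bicep -p storageAccountName=<name> appName=<name>`), a request to the blob endpoint from outside the VNet, such as your workstation, should be rejected by the storage firewall with HTTP 403 and error code `AuthorizationFailure`, while the same request from the app succeeds. Note that this only restricts the network path; the app still needs a credential (a managed identity with a blob data role, or a key or SAS) to actually read or write blobs.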