Share via

Connect Azure Storage account from Azure App service ?

Seenivasan S R 25 Reputation points Microsoft Employee
2023-07-25T11:39:29.32+00:00

I need to connect App Service with Storage account which allows only from selected virtual networks and IP Address.

User's image

  1. I have added all outbound IP address of App service to Storage account Firewall.
  2. Added storage blob / table contributor roles to app service.
  3. tried VNET configuration.

Still not able to access. Anyone faced the similar issues ? Please suggest your insights

Azure Table Storage
Azure Table Storage
An Azure service that stores structured NoSQL data in the cloud.
171 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,227 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,913 questions
Accepted answer
  1. Ben Gimblett 4,530 Reputation points Microsoft Employee
    2023-07-26T08:42:02.0633333+00:00

    Hi Thanks for the question.

    To add to the comment above:

    This blog describes the options in detail the Az web app to storage account network integration options
    https://techcommunity.microsoft.com/t5/apps-on-azure-blog/app-service-to-storage-account-connection-condition-summary/ba-p/2968642

    One last thing, once you have the connectivity working , be sure that your storage account is secure:

    For example, if you connect the web app over a private endpoint, ensure that public access into the storage account is restricted or "off".

    However you configure the networking for connectivity you still need to ensure that the web app is connecting securely using a credential with the minimum privileges. One of the best ways to do this is via AAD auth into the storage account using a Managed Service Identity from the Web App. Other options include using a storage account token.

    The following learn tutorial explains this in more detail https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal

    Please mark the answer as accepted if it helps you , as this helps others with the same question.

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. SnehaAgrawal-MSFT 21,771 Reputation points
    2023-07-26T06:39:06.6266667+00:00

    @Seenivasan S R Thanks for reaching here!

    It appears that you want to restrict access to Blob storage so that it can only be accessed from an Azure App Service.

    However, there are some limitations with the Blob storage firewall in this scenario when both resources are in the same Azure region and IP network rules have no effect on requests originating from the same Azure region as the storage account. Check Grant access from an internet IP range 

    Work around

    1. Add IP address when app service and storage are located in a different region- When resources are located in a different region, the IP address firewall setting works.
    2. When blob storage uses VNet firewall, app service must be integrated with VNet.  See VNet integration. For this scenario suggest you check limitations for VNet integration
    3. Further if you use function app please add WEBSITE_CONTENTOVERVNET = 1 value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. You can see the detail about this setting website_contentovervnet.

    For more details: see- this blog post

    Let us know if further query or issue remains.

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.