unable to access storage account with a private endpoint from standard logic apps using managed identity

Question

unable to access storage account with a private endpoint from standard logic apps using managed identity

Answer 1

@Vilas Rao Perka ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your verbatim, I see

• You have a Standard Logic Apps integrated into a VNET
• You have created a PE of Storage Account in the same VNET
• Using Managed Identity, you are able to connect to the Storage Account with Public Access
• Your requirement is now to establish connectivity to the Storage Account via PE and Public Access disabled.
  • Which actually gives a 403 error.

From my Analysis,

• I don't think your requirement is supported.
• Public Access working means there is no issue with Managed Identity.
• However, I don't think the prebuilt connectors you use would be a part of the VNET
  • And as such, it will not make connections using the Private IP Address range of the VNET you have integrated the Logic Apps with
• See : AzureConnectors and Service Tags
• So, instead, you should use
  • "Enabled from selected virtual networks and IP addresses"
  • And allow the IPs from AzureConnectors.<YOURLOGICAPPSREGION>
• You confirmed that using the last step, you were able to establish connectivity.

P.S :

• One thing to note here is that the Storage Account and Logic Apps should be in different regions for the above set up to work
• This is because,
  • See : Restrictions for IP network rules
  • 
• Also from Logic Apps side
  • See : Access Blob Storage in same region with system-managed identities
  • 

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

---

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.