Azure firewall policy backup

Question

I was trying this steps manually without the use of script but it appears that this backup does not work on a storage account with the private endpoints.

https://techcommunity.microsoft.com/t5/azure-network-security-blog/backup-azure-firewall-and-azure-firewall-policy-with-logic-apps/bc-p/4165254#M383

I was seeing video by another person who has used evetgrid to access storage with private endpoints I wonder if it would be a work around this limitation.

When I was trying to connect to event grid from the logic app it list another subscription and tenant for connection with oauth instead of current one and I do not see entra as choice of connection. It only has MI, oauth and SP

Answer 1

It should be possible to do with the Logic App, providing it has virtual network integration enabled.

You will have to create a Standard Logic App to be able to do that. Then once it's vnet integrated the Logic App should be able to resolve the private endpoint for the blob endpoint FQDN.

Here's some high-level steps for this, via the Portal. You can view the article beneath this for more information.

1. Create different private endpoints for each of the Table, Queue, Blob, and File storage services.
2. Enable temporary public access on your storage account when you deploy your logic app.
   1. In the Azure portal, open your storage account resource.
   2. On the storage account resource menu, under Security + networking, select Networking.
   3. On the Networking pane, on the Firewalls and virtual networks tab, under Allow access from, select All networks.
3. Deploy your logic app resource by using either the Azure portal or Visual Studio Code.
4. After deployment finishes, enable virtual network integration between your logic app and the private endpoints on the virtual network that connects to your storage account.
   1. In the Azure portal, open your logic app resource.
   2. On the logic app resource menu, under Settings, select Networking.
   3. Select VNet integration on Outbound Traffic card to enable integration with a virtual network connecting to your storage account.
   4. To access your logic app workflow data over the virtual network, in your logic app resource settings, set the WEBSITE_CONTENTOVERVNET setting to 1.
   If you use your own domain name server (DNS) with your virtual network, set your logic app resource's WEBSITE_DNS_SERVER app setting to the IP address for your DNS. If you have a secondary DNS, add another app setting named WEBSITE_DNS_ALT_SERVER, and set the value also to the IP for your secondary DNS.
5. After you apply these app settings, you can remove public access from your storage account.
   1. In the Azure portal, open your storage account resource.
   2. On the storage account resource menu, under Security + networking, select Networking.
   3. On the Networking pane, on the Firewalls and virtual networks tab, under Allow access from, clear Selected networks, and add virtual networks as necessary.

https://learn.microsoft.com/en-us/azure/logic-apps/deploy-single-tenant-logic-apps-private-storage-account#deploy-using-azure-portal-or-visual-studio-code

https://paarhu.is/configure-logic-apps-standard-with-vnet-and-private-endpoint/

Secure traffic between Standard logic apps and Azure virtual networks using private endpoints

If this helped solve your issue, please mark as accepted so others can benefit from the answer. Thanks!