Allowing azure storage connectivity to a public IP

Chakravarthi Lolla 31 Reputation points
2021-07-27T13:46:47.353+00:00

I have created a storage account in the UK South region and have whitelisted the public IP address of my client network. However, I was unable to access any containers in the storage account with only this IP whitelisted. When I said allow all networks, I was able to see the data inside the containers. Also, when I whitelisted my local laptop IP along with the client public IP, I was able to access the data in the containers from my local laptop but not from the client network, and the error says to add the IP to the access list, which is already added. Azure documentation says "IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests". Both the storage account and my client RDS are deployed to the same region. Is that the reason for the connectivity to be blocked? I am aware we can use service endpoints or private endpoints to restrict the connectivity, but was kind of surprised the connectivity can't be restricted to the IP address from the same region.

1 answer

    Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
    2021-07-28T08:04:08.67+00:00

    @Chakravarthi Lolla Can you share the screen shot of the error message when you try to access the containers?

    Please run this cmdlet and let me know the status: az storage account update --resource-group "$ResourceGroupName" --name "$Name" --default-action Allow

    Communication between Microsoft-hosted agents and a storage account behind a firewall can sometimes have issues, even with the above workaround of dynamically opening the storage firewall for that specific Microsoft-hosted agent's IP address. This is mainly due to limitations on the storage account side.

    1. Each storage account supports up to 200 IP network rules.

    So we cannot add the entire IP ranges of hosted agents that spin up from any of your ADO org's geographical region. If the organization is hosted in West Europe, then hosted agents can come up from North and West Europe. So the number of IP ranges that should be whitelisted will be more than 200.

    Due to this, users go with the above workaround of allowing the particular hosted agent IP address. However, the following limitations mean the above workaround is not foolproof. When the hosted agent spins up in the same region as your storage account, the workaround does not work.

    1. Services deployed in the same region as the storage account use private Azure IP addresses for communication.
    2. IP network rules have no effect on requests originating from the same Azure region as the storage account.

    Additional information: [attached screenshot, 118566-image.png]

    "The blob storage is part of a VNet." But in this case, you could enable a service endpoint for Azure Storage within the VNet (where the VM is located) and add its subnet to the virtual networks of the blob storage. You don't need to add the VM's IP address to the firewall of the storage account.

    For more information, please refer here:
    Azure VNet integration (Service Endpoints) for Azure Storage
    Configure Azure Storage firewalls and virtual networks

    Hope this helps!
    Kindly let us know if the above helps or you need further assistance on this issue.


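The following script is an added example, not code from the thread or from Microsoft. It shows the defensive way to configure what the answer describes: keep the storage firewall at default Deny (the suggested "--default-action Allow" opens the account to every network), admit an off-Azure client with an IP rule, and admit the same-region RDS hosts with a service endpoint plus a VNet rule, since IP rules never match same-region traffic. It assumes the az CLI is installed and signed in; the resource group, account, VNet, subnet and client address are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Locks the storage account firewall down
# (default Deny) instead of opening it with "--default-action Allow", adds an IP rule
# for an off-Azure client and a VNet rule for same-region clients.
# Assumed/constructed names: rg-demo, stdemo001, vnet-demo, snet-rds, 203.0.113.10 (TEST-NET-3).
set -eu

RG="${RG:-rg-demo}"; ACCOUNT="${ACCOUNT:-stdemo001}"
VNET="${VNET:-vnet-demo}"; SUBNET="${SUBNET:-snet-rds}"

# run: execute the az command, or only print it when DRY_RUN is set (review the plan offline)
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# is_public_ipv4: IP rules accept public addresses only; RFC 1918, loopback and link-local
# ranges are rejected, and same-region traffic arrives from Azure private IPs anyway
is_public_ipv4() {
  case "$1" in
    10.*|192.168.*|127.*|169.254.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    *) return 0 ;;
  esac
}

# allow_ip: admit an off-Azure client such as an on-premises office egress address
allow_ip() {
  is_public_ipv4 "$1" || { echo "refusing $1: private addresses are not valid in IP rules" >&2; return 1; }
  run az storage account network-rule add -g "$RG" --account-name "$ACCOUNT" --ip-address "$1"
}

# allow_subnet: same-region VMs (the RDS hosts in the thread) never match an IP rule; a service
# endpoint on their subnet plus a VNet rule on the account is what admits them
allow_subnet() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage
  run az storage account network-rule add -g "$RG" --account-name "$ACCOUNT" \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

# lock_down: Deny by default and let only trusted Azure services bypass the firewall
lock_down() {
  run az storage account update -g "$RG" --name "$ACCOUNT" --default-action Deny --bypass AzureServices
}

main() { lock_down; allow_ip 203.0.113.10; allow_subnet; }

# "./script.sh apply" runs against Azure; anything else (or no argument) prints the plan
if [ "${1:-plan}" = "apply" ]; then main; else DRY_RUN=1 main; fi
```

Run it without arguments first to review the exact az commands it would issue, then with "apply" once the names match your environment.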
