Share via

GetBlob request to Azure Blob storage from vNet is using public IP

Stryletskiy Andrew 0 Reputation points
2024-07-11T20:11:35.62+00:00

I configured vNet integration for my python application and also configured service endpoint for storageaccount (vNet firewall also enabled). Put and List requests are successful, but GetBlob is failing and I am unable to view image in my test application:

2.0;2024-07-11T11:32:44.8196257Z;ListBlobs;Success;200;9;6;authenticated;storagecasbx01we;storagecasbx01we;blob;"https:///
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,232 questions
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,015 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,918 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Luis Arias 7,131 Reputation points
    2024-07-13T10:38:32.4366667+00:00

    Hello Stryletskiy Andrew ,

    I understand that you have a python app that is already access to the azure vnet and can access to the storage account by service endpoint but there is a problem getting blob when is loading your application on browser.

    In that case when you’re accessing the blob to load and show in your app, the request to get the blob is coming from the client’s browser (the web), not directly from your application. This is because the image URL is being sent to the client’s browser, and the browser is making the GetBlob request to load the image.

    On the other hand, the ListBlobs operation is performed by your application on the server-side. This operation is used to retrieve a list of all the blobs in the container, and this request is made directly from your application, not from the client’s browser.

    This is why the GetBlob request is failing with an AnonymousIpAuthorizationError. The request is coming from an IP address that is not within the range of your vNet, hence it’s not authorized by the vNet firewall.

    To solve this you might consider using a SAS token (Shared Access Signature) to delegate access to the blob resource. You can create a SAS token from your application, and append it to the blob URL before sending it to the client’s browser. This way, the GetBlob request from the client’s browser will be authorized.

    References:

    If the information helped address your question, please Accept the answer.

    Luis

    0 comments
  2. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-07-15T07:21:30.4633333+00:00

    Hello Stryletskiy Andrew,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that the GetBlob request is being routed through a public IP instead of the vnet, which is causing it to fail due to the vnet filtering on your storage account. Please consider checking the below troubleshooting steps to resolve the issue.

    1.Blob public access setting needs to be enabled for Blob server (SAS) and Blob service checks to pass. After changing this setting, it may take a few minutes for the checks to begin to pass. This is only true for newly created storage accounts; older storage accounts may still show Blob public access set to Disabled and have the checks passing. More information on this setting can be found here. You can do this in the Portal under Configuration for the storage account by setting "Blob public access" to Enabled as well.

    2.Try using by generating SAS token and configure it with URL to access the Blob resource.

    3.Check the NSG rules associated with your vnet. Ensure that there are no rules blocking the GetBlob requests. Basically, a NIC dedicated to each resource, or in the case of the storage account or similar resource, a specific service of the resource. Using these for storage accounts will work fine with the Azure VPN gateway assuming your DNS is configured correctly. More details here: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview 

    4.After you have configured the virtual network service endpoint, you should be able to access the blob container from your local machine by connecting to the virtual network using a VPN connection.

    5.To connect to a blob container from your local machine using the Azure Storage Explorer or the Azure portal when the storage account is behind a virtual network, you need to create a private endpoint for the storage account and add that virtual network to be added in the trusted virtual networks list. Then, you can connect to the storage account using the private endpoint. Alternatively, you can permit traffic through the ISE outbound IPs on the storage account.

    Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further.

    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.