Standard Logic App - Copy attachment to Azure File Share Behind NSG and Private Endpoint

CarmeloLoPresti-2973 41 Reputation points
2024-03-28T21:05:32.3866667+00:00

There are many examples of extracting attachments from emails using a Logic App and dumping it into Blob storage that is publicly accessible.

Our scenario is a bit different. We have an Azure File Share (connected to AD) that is behind a private endpoint: no public access is allowed, but access from specific vNets and Microsoft services is allowed, including the necessary Logic App services.

I'm finding conflicting information on whether this is supported with Standard Logic Apps. I created a simple logic app that will check for attachments, and copy them to an Azure File share. I've tried the "Built In" connector, and the "Managed Connector."

When I switch public access on for the storage account, the error I receive is "The specified resource name contains invalid characters."

When I restrict the storage account to specific networks only, I receive a 403 "Not Authorized" even though the Standard Logic App is allowed on that particular vNet. The Logic App and Storage Account are in the same region.

The logic app managed identity has been added to the Storage Account as a "Storage SMB Data Contributor".

Do I need an App Services Environment (ASE)?
Does the Logic App need to be in a different Region than the Storage Account?
Should I be using the "Built In" or the "Managed" connector?

Any assistance is appreciated.


2 answers

  1. Dan Rios 1,110 Reputation points MVP
    2024-03-30T14:13:11.2066667+00:00

    Hi

    Is the Logic App integrated with the virtual network? Do you have a Private DNS Zone set up for ‘privatelink.blob.core.windows.net’ with the A record pointing to your storage account name and the private endpoint NIC IP?

    There is also an app setting:

    1. To access your logic app workflow data over the virtual network, in your logic app resource settings, set the WEBSITE_CONTENTOVERVNET setting to 1.

    referenced in: https://learn.microsoft.com/en-us/azure/logic-apps/deploy-single-tenant-logic-apps-private-storage-account#deploy-using-azure-portal-or-visual-studio-code

    You can also use the Kudu backend to do an nslookup to check your LA resolves the private storage endpoint to rule out the LA trying to go via the public endpoint (hence the 403 potentially). Check this out:

    https://learn.microsoft.com/en-us/azure/logic-apps/deploy-single-tenant-logic-apps-private-storage-account#troubleshoot-common-errors

    Under Advanced Tools, click Go; from there you can use the terminal to run nslookup {storage-account-host-name}.blob.core.windows.net

    Hopefully some of these get you working, if not let me know and I’ll try and help further!


  2. CarmeloLoPresti-2973 41 Reputation points
    2024-04-04T18:04:00.0766667+00:00

    Update - worked with MS on this issue. The "In App" Azure file connector must be used to avoid the regional limitation. I was able to get some content in the Azure file share that is behind a private endpoint which is only open to specific vNet/Subnets (the Logic App private subnet is included). I'm still working on the actual flow, as the Logic App doesn't seem to want to drop the actual attachment from the email in the file share, but instead is just dropping the attachment ID and some other information in the file.

    So, there doesn't seem to be a regional limitation when using the In App version, which is good news.

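The DNS check Dan Rios describes, written out as an added example that is not part of the thread: a small POSIX shell script that classifies an nslookup result for the storage endpoint as resolving to a private-endpoint (RFC 1918) address, to a public address, or not at all. A public answer is the case to look for, because with the storage account restricted to selected networks that path ends in a 403. The script assumes Linux-style nslookup output (for example from a Linux VM in the same vNet, or the Kudu console of a Linux-hosted logic app); it targets the Azure Files host from the question but works the same for the blob host named in the answer. The storage account name "examplestorage", the resolver address and every IP in the samples are constructed placeholders, and check_host is a hypothetical wrapper around the real nslookup command.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a storage endpoint
# resolves through the private endpoint or falls back to the public address,
# the usual cause of a 403 when the storage account only allows selected networks.

# Returns 0 when the dotted-quad IP is in an RFC 1918 range (what a private
# endpoint NIC carries), 1 otherwise.
is_private_ip() {
  addr="$1"
  case "$addr" in
    10.*)       return 0 ;;
    192.168.*)  return 0 ;;
    172.*)
      second=${addr#172.}
      second=${second%%.*}
      if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
        return 0
      fi
      ;;
  esac
  return 1
}

# Takes the text of an nslookup run and prints one of:
#   private:<ip>   answer is an RFC 1918 address (private endpoint reached)
#   public:<ip>    answer is a public address (traffic will hit the public endpoint)
#   unresolved     no answer address at all (NXDOMAIN, timeout, ...)
# Linux nslookup prints the resolver's own "Address:" line before a blank line
# and the answer section after it, so only lines after the first blank line count.
classify_resolution() {
  ip=$(printf '%s\n' "$1" | awk '
    /^$/ { in_answer = 1; next }
    in_answer && $1 == "Address:" { print $2; exit }
  ')
  if [ -z "$ip" ]; then
    echo "unresolved"
  elif is_private_ip "$ip"; then
    echo "private:$ip"
  else
    echo "public:$ip"
  fi
}

# Live check (hypothetical helper; needs nslookup on the PATH).
# Usage: check_host examplestorage.file.core.windows.net
check_host() {
  classify_resolution "$(nslookup "$1" 2>&1)"
}

# Constructed sample outputs in the shape of Linux nslookup; the account name
# "examplestorage" and all addresses are placeholders, not captured data.
SAMPLE_PRIVATE='Server:    168.63.129.16
Address:   168.63.129.16#53

Non-authoritative answer:
examplestorage.file.core.windows.net  canonical name = examplestorage.privatelink.file.core.windows.net.
Name:   examplestorage.privatelink.file.core.windows.net
Address: 10.0.1.5'

SAMPLE_PUBLIC='Server:    168.63.129.16
Address:   168.63.129.16#53

Non-authoritative answer:
examplestorage.file.core.windows.net  canonical name = file.example-cluster.store.core.windows.net.
Name:   file.example-cluster.store.core.windows.net
Address: 203.0.113.10'

SAMPLE_FAIL='Server:    168.63.129.16
Address:   168.63.129.16#53

** server cannot find examplestorage.file.core.windows.net: NXDOMAIN'

# Demo run over the three constructed samples.
for sample in "$SAMPLE_PRIVATE" "$SAMPLE_PUBLIC" "$SAMPLE_FAIL"; do
  classify_resolution "$sample"
done
```

A "public:" verdict from inside the logic app's subnet means the private DNS zone is missing or not linked to the vNet (or the app is not routing through the vNet), so the 403 is expected; "unresolved" points at the zone existing but lacking the A record.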