How can I connect to my Azure Storage from my Azure App Service while it has selected IP addresses allowed

Mao Uyen Tram 126 Reputation points
2024-04-11T10:48:24.3866667+00:00

Hello,

I have an app service and an Azure storage. I have mounted the storage to my app service and it works when in the storage all addresses are allowed. I do not want all addresses to be able to access this storage for security reasons.

If I then select the option "Enabled from selected virtual networks and IP addresses" it stops working. I have tried to add every single inbound and outbound IP address (including the virtual IP address) of my app service to no avail. What should I do to get access to the storage?

Thank you for your time.

Azure Storage Accounts
Azure App Service

Accepted answer
  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-04-14T16:35:43.8233333+00:00

    Hi Mao Uyen Tram - Thanks for reaching out.

    Are your App Service and storage account hosted in the same region? If yes, then I would suggest that you add your App Service to a VNET and then try whitelisting the VNET on the storage account layer.

    This is because when both services are in the same region, the connection would happen via the internal backbone (mainly private IPs), so even if you whitelist the IPs, the actual IP hitting the storage would be different, hence the failure.

    Please let me know if this is helpful or if you have any further queries; I will be glad to assist.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

  1. Nehruji R 7,811 Reputation points Microsoft Vendor
    2024-04-12T06:00:42.74+00:00

    Hello Mao Uyen Tram,

    Greetings! Welcome to Microsoft Q&A Platform.

    To connect your Azure App Service to your Azure Storage while restricting access to specific IP addresses, below are some considerations which you should follow/check:

    1. Add the IP address when the app service and storage are located in different regions. When resources are located in different regions, the IP address firewall setting works.
      There are some limitations with the Blob storage firewall when both resources are in the same Azure region: IP network rules have no effect on requests originating from the same Azure region as the storage account. Check Grant access from an internet IP range.
    2. When blob storage uses the VNet firewall, the app service must be integrated with a VNet. See VNet integration. For this scenario, I suggest you check the limitations for VNet integration.
    3. Further, if you use a function app, please add WEBSITE_CONTENTOVERVNET = 1. A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. You can see the details about this setting at website_contentovervnet.
    4. If you've already tried adding individual IP addresses and it's still not working, check if there are any network security groups (NSGs) associated with your virtual network that might be blocking traffic, and verify that the subnet configuration in your virtual network allows communication with the storage account.
    5. Ensure that the storage account firewall settings allow traffic from the app service's subnet.
    6. To set up access restrictions for your app service, follow this doc, which has step-by-step guidance: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli Remember that the implicit deny all exists at the end of your access restriction list. If none of the rules match, access will be denied by default. Adjust your rules accordingly, and your app service should be able to access the storage securely.

    For more details, see this blog post.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

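A diagnostic for the behaviour both answers describe, as an added example that is not part of the original thread or any Microsoft code: it takes the storage account's network rule set and reports why an App Service is or is not let through. It assumes the rule set has the shape printed by `az storage account show --query networkRuleSet`; the function names, subnet ID and IP address are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape assumed for `az storage account show --query networkRuleSet`
APP_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app")
SAMPLE_RULES = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
    "virtualNetworkRules": [],
}

def norm_region(name):
    # "West Europe" and "westeurope" name the same region
    return name.replace(" ", "").lower()

def allowed(rules):
    return [r for r in rules if r.get("action", "Allow").lower() == "allow"]

def diagnose(rule_set, storage_region, app_region, app_outbound_ips, app_subnet_id=None):
    """Return (reachable, findings) for an App Service calling a firewalled storage account."""
    if rule_set.get("defaultAction", "Allow").lower() == "allow":
        return True, ["defaultAction is Allow: all networks are accepted"]
    findings = []
    same_region = norm_region(storage_region) == norm_region(app_region)

    nets = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
            for r in allowed(rule_set.get("ipRules", []))]
    ip_listed = any(ipaddress.ip_address(ip) in net
                    for ip in app_outbound_ips for net in nets)
    if ip_listed and same_region:
        findings.append("IP rules match the app's outbound IPs but have no effect: "
                        "app and storage are in the same region")

    # Azure resource IDs are case-insensitive, so compare lowercased
    subnets = {r["virtualNetworkResourceId"].lower()
               for r in allowed(rule_set.get("virtualNetworkRules", []))}
    subnet_listed = app_subnet_id is not None and app_subnet_id.lower() in subnets
    ip_ok = ip_listed and not same_region
    if not (subnet_listed or ip_ok):
        findings.append("app has no VNet integration subnet" if app_subnet_id is None
                        else "integration subnet is missing from virtualNetworkRules")
    return subnet_listed or ip_ok, findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_RULES, "West Europe", "westeurope", ["203.0.113.10"]))
```
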
