App Service to access Storage account with Firewalls and Virtual Network enabled

Viji Ekambaram 31 Reputation points
2020-06-30T07:59:34.59+00:00

We have an application running in App Service trying to access data from Storage account but the storage account has Firewall and Virtual Network settings enabled. Will enabling "Allow trusted Microsoft Services" under Exceptions help to provide Storage account access to App Service?


5 answers

  1. Sakaldeep Yadav 161 Reputation points MVP
    2020-06-30T08:39:15.41+00:00

    Yes, enabling "Allow trusted Microsoft Services" will give App service access to the storage account.

    1 person found this answer helpful.

  2. SnehaAgrawal-MSFT 20,241 Reputation points
    2020-07-01T12:14:54.587+00:00

    Thanks for asking the question! To elaborate on this: some Microsoft services operate from networks that can't be included in your network rules. You can grant a subset of such trusted Microsoft services access to the storage account, while maintaining network rules for other apps. These trusted services will then use strong authentication to connect to your storage account securely. We've enabled two modes of trusted access for Microsoft services.

    • Resources of some services, when registered in your subscription, can access your storage account in the same subscription for select operations, such as writing logs or backup.

    • Resources of some services can be granted explicit access to your storage account by assigning an RBAC role to its system-assigned managed identity.

    You may refer to this link for more detail on this: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services

    1 person found this answer helpful.

  3. Mukul Bana 6 Reputation points
    2021-04-01T13:57:08.23+00:00

    Use the VNet integration option on the Azure WebApp and whitelist the same subnet in the storage account's Network Security Rule.

    With this, your traffic shall start flowing through a self-managed VNet, where you can further apply NSGs & UDRs.

    1 person found this answer helpful.
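
The setup described in the answer above, expressed as a check over exported resource JSON. This is an added example, not part of any answer in this thread; it assumes the ARM REST field names (`properties.networkAcls`, `properties.serviceEndpoints`), and every resource name and ID in it is a constructed placeholder.

```python
# Added example: audit exported ARM JSON for the subnet-rule setup described above.
# Field names follow the ARM REST shape; all names and IDs are constructed placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SUBNET_ID = SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-appsvc"


def check_subnet_access(account, subnet):
    """Return findings that block the subnet path; an empty list means it is in place."""
    findings = []
    acls = account.get("properties", {}).get("networkAcls", {})
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny, so the firewall restricts nothing")
    # ARM resource IDs are case-insensitive, so compare them lowercased.
    allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}
    if subnet["id"].lower() not in allowed:
        findings.append("integration subnet is missing from virtualNetworkRules")
    # A virtual network rule only takes effect when the subnet has the storage endpoint.
    services = [e.get("service", "") for e in
                subnet.get("properties", {}).get("serviceEndpoints", [])]
    if not any(s.startswith("Microsoft.Storage") for s in services):
        findings.append("subnet has no Microsoft.Storage service endpoint")
    return findings


# Constructed sample 1: only the trusted-services exception is set, no subnet rule.
ACCOUNT_EXCEPTION_ONLY = {"name": "stdemo1", "properties": {"networkAcls": {
    "defaultAction": "Deny", "bypass": "AzureServices",
    "virtualNetworkRules": [], "ipRules": []}}}
# Constructed sample 2: the integration subnet is allowed (ID differs only in case).
ACCOUNT_SUBNET_RULE = {"name": "stdemo2", "properties": {"networkAcls": {
    "defaultAction": "Deny", "bypass": "None",
    "virtualNetworkRules": [{"id": SUBNET_ID.upper(), "action": "Allow"}],
    "ipRules": []}}}
SUBNET_WITH_ENDPOINT = {"id": SUBNET_ID, "properties": {"serviceEndpoints": [
    {"service": "Microsoft.Storage", "locations": ["westeurope"]}]}}
SUBNET_NO_ENDPOINT = {"id": SUBNET_ID, "properties": {"serviceEndpoints": []}}

if __name__ == "__main__":
    for acct in (ACCOUNT_EXCEPTION_ONLY, ACCOUNT_SUBNET_RULE):
        for sn in (SUBNET_WITH_ENDPOINT, SUBNET_NO_ENDPOINT):
            print(acct["name"], check_subnet_access(acct, sn) or "subnet path OK")
```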

  4. Shibin 6 Reputation points
    2021-05-04T21:02:26.633+00:00

    While the VNet Integration works, it is still not a practicable solution in its current shape and form, as each App Service Plan needs a dedicated subnet for Regional VNet Integration to work. So if your organization requires multiple Apps connecting to storage accounts, this will require you to carve out separate subnets per App Service Plan, which looks totally absurd.

    1 person found this answer helpful.

  5. questionboy 1 Reputation point
    2020-11-16T10:37:08.307+00:00

    As @Onstwedder, M.A. (Martijn) says, I turned on "Allow trusted Microsoft Services" and tried to use the Azure Web App to connect to storage, but had a 403 error.
    Should I use Vnet? Hope for better advice.