Azure Storage Account IP Firewall and Resource Instances

Dylan James 1 Reputation point
2022-04-22T20:25:52.157+00:00

I have created an Azure logic app that reads/writes data to an Azure storage account. I want to place networking restrictions on that storage account, so that only the logic app and my laptop's outbound IP can reach the storage account.

So, I turned on the storage account's firewall and added my laptop's IP address to the allowed address range list. Then I enabled the managed identity for the logic app. Next, back on the networking tab of the storage account, I added an entry under "Resource instances". There I selected a type of "Microsoft.Logic/workflows" and the instance name of my logic app. I also granted the managed identity of the logic app "Storage Blob Data Contributor" on the storage account.

After doing those steps, my logic app is unable to read/write data from the storage account. But I can access data in the storage account as my IP is whitelisted.

It seems that if you have both IPs whitelisted and a Resource instance granted access to a storage account, only the IP whitelist matters?

Has anyone else tried this scenario?

(Screenshot of the storage account networking settings attached to the original post.)

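As an added example (not part of the question or the answer), here is a small Python check of the `networkRuleSet` that the configuration described above should produce, as returned by `az storage account show`. The subscription, tenant and resource names are placeholders; ARM resource IDs are compared case-insensitively.

```python
# Constructed sample of the networkRuleSet block returned by
# `az storage account show`; subscription, tenant and names are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
LAPTOP_IP = "203.0.113.10"
LOGIC_APP_ID = ("/subscriptions/<subscription-id>/resourceGroups/rg-demo"
                "/providers/Microsoft.Logic/workflows/la-demo")
SAMPLE_RULE_SET = {
    "defaultAction": "Deny",  # firewall on: anything not matched by a rule is refused
    "bypass": "AzureServices",
    "ipRules": [{"value": LAPTOP_IP, "action": "Allow"}],
    "virtualNetworkRules": [],
    "resourceAccessRules": [{"tenantId": TENANT_ID, "resourceId": LOGIC_APP_ID}],
}


def check_rule_set(rule_set, laptop_ip, logic_app_id, tenant_id):
    """Return a list of findings; an empty list means the rule set matches the design."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny, so IP and resource rules are not enforced")
    allowed = {r["value"] for r in rule_set.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"}
    if laptop_ip not in allowed:
        findings.append(f"laptop IP {laptop_ip} is not in ipRules")
    if "/providers/microsoft.logic/workflows/" not in logic_app_id.lower():
        findings.append("resource id is not a Microsoft.Logic/workflows instance")
    # ARM resource IDs are not case-sensitive, so compare them case-insensitively.
    matches = [r for r in rule_set.get("resourceAccessRules", [])
               if r.get("resourceId", "").lower() == logic_app_id.lower()]
    if not matches:
        findings.append("no resourceAccessRules entry for the Logic App")
    elif matches[0].get("tenantId") != tenant_id:
        findings.append("resource instance rule tenantId does not match the Logic App's tenant")
    return findings


if __name__ == "__main__":
    result = check_rule_set(SAMPLE_RULE_SET, LAPTOP_IP, LOGIC_APP_ID, TENANT_ID)
    for line in result or ["rule set matches the intended design"]:
        print(line)
```

The check only validates the firewall configuration; it cannot tell whether a given Logic App action actually presents the managed identity when it calls the storage account.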

1 answer

  1. VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator
    2022-04-25T07:13:33.563+00:00

    @Dylan James, thanks for reaching out. I have followed this documentation and added the resource instance as well. I can connect to the storage account from logic apps using the managed identity.

    Note: If your logic app and storage account are in the same region, it is suggested to use the HTTP trigger action as documented here. If they are in different regions, you can leverage the storage Blob trigger connector. Please verify if this is not the case.

    Please follow the documented steps and let me know if you are still facing any issues.

