Azure Storage Account IP Firewall and Resource Instances

Dylan James 1 Reputation point
2022-04-22T20:25:52.157+00:00

I have created an Azure logic app that reads/writes data to an Azure storage account. I want to place networking restrictions on that storage account, so that only the logic app and my laptops outbound IP can reach the storage account.

So, I turned on the storage account's firewall and added my laptop's IP address to the allow address range list. Then I enabled the managed identity for the logic app. Next, back on the networking tab of the storage account I added an entry under "Resource instances". There I selected type of "Microsoft.Logic/workflows" and Instance name of my logic app. I also granted the managed identity of the logic app to have "Storage Blob Data Contributor" on the storage account.

After doing those steps, my logic app is unable to read/write data from the storage account. But I can access data in the storage account as my IP is whitelisted.

It seems that if you have both IP's whitelisted and a Resource instance granted access to a storage account, only the IP whitelist matters?

Has anyone else tried this scenario?195659-screenshot-2022-04-22-162309.png

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,905 questions
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,981 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,517 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. VenkateshDodda-MSFT 19,641 Reputation points Microsoft Employee
    2022-04-25T07:13:33.563+00:00

    @Dylan James , Thanks for reaching out. I have followed this documentation and added the resource instance as well. I can connect to storage account from logic apps using the managed identity.

    Note: If your logic app and storage account are in the same region it is suggested to use HTTP trigger action as documented here. If they are in different regions, you can leverage the storage Blob trigger connector. Please verify if this is not the case.

    Please follow up the documented steps and do let me know if you are still facing any issues.

    0 comments No comments