IoT Hub Message routing to Blob Endpoint (selected networks enabled) raises Error 403 / IH400117.

MaartenWilke-2133 21 Reputation points
2022-06-15T18:44:24.13+00:00

With Azure IoT Hub I'm trying to route messages to Blob storage.

When trying to set up a message routing from IoT Hub by selecting one of my Blob containers (Message Routing: Add a Route, Add a Storage Endpoint, Pick a Container), I get error "...exceptionMessage:The remote server returned an error: (403) Forbidden. ... errorcode: IH400117".

This error happens when the Storage Account's Firewall and Virtual network is set to "Enabled from selected virtual networks and IP addresses" (see screenshot).

When set to "Enabled from all networks" there is no problem with setting up the IoT message route and all messages from IoT hub get routed as expected and show up in the Blob container. Yet this is not the Storage Accounts network setting I want.

The 403-error implies some sort of Virtual Network / Firewall / authentication issue.
Yet, error "IH400117" is nowhere explained and I've made the following changes to the Storage Account network settings to no avail:

  • The IoT Hub has been added to the Storage Account's Firewall rule,
  • the VNET for my resources network has been included,
  • "Allow Azure services on the trusted services list to access this storage account" has been selected,
  • my personal IP address has been added (not including this would prevent me from making changes to the Blob container)

Changing the authentication method from Key-based to System-assigned or User-assigned does not solve the issue.
The VNET firewall settings are not set.

The reason for me wanting to use Enabled from selected virtual networks and IP addresses is:

  1. NFS 3.0 integration does not work with "Enabled from all networks".
  2. Enabled from all networks is too open for my personal (paranoia) taste.

Question: How can I have IoT Hub deliver messages to my Blob container whilst using Storage account network setting "Enabled from selected virtual networks and IP addresses"

Thank you for the guidance.

P.s. to confuse matters: My end goal is to simply access the IoT Hub messages (in JSON) with one of my VMs. So I'd skip Blob altogether if I could. Yet, IoT Hub can only route messages to Blob, Event Hub and a few others.
So the Blob storage is really used as an intermediate. Hence using NFS to access the Blob data from my VM.

The exact error (name and identifier anonymized with *******):

An unexpected error occurred while updating your IoT hub. Error message: Cannot establish connection using the provided credentials. endpointName:*****, exceptionMessage:The remote server returned an error: (403) Forbidden. If you contact a support representative please include this correlation identifier: *****, timestamp: 2022-06-15 17:50:31Z, errorcode: IH400117.  



Accepted answer
Vidya Narasimhan 2,126 Reputation points Microsoft Employee
2022-06-21T18:32:07.16+00:00

Hi @MJW-8335, have you also given the IoTHub managed identity the right RBAC role on the Storage account as described here https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-managed-identity#egress-connectivity-from-iot-hub-to-other-azure-resources
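
The configuration the accepted answer points at, as an added Azure CLI example that is not part of the original question or answer: the hub gets a system-assigned managed identity, that identity gets a data-plane role scoped to the one storage account, the account firewall stays on Deny with only the trusted-services bypass, and the route endpoint is created with the identity instead of a key. All names (subscription, resource group, hub, account, container, endpoint) are placeholders; `DRY_RUN=1` (the default) only prints the `az` calls.

```bash
#!/usr/bin/env bash
# Added example (not from the post or Microsoft docs): IoT Hub -> Blob routing with the
# storage firewall left on "selected virtual networks and IP addresses".
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # subscription id (placeholder)
RG="${RG:-my-rg}"                                     # resource group (placeholder)
HUB="${HUB:-my-iothub}"                               # IoT Hub name (placeholder)
SA="${SA:-mystorageacct}"                             # storage account (placeholder)
CONTAINER="${CONTAINER:-telemetry}"                   # target container (placeholder)
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print az calls, 0 = run them
command -v az >/dev/null 2>&1 || DRY_RUN=1            # no az installed: stay in dry-run

# RBAC scope: the single storage account, not the resource group or subscription.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}
# Blob service URI the identity-based endpoint authenticates to.
blob_uri() { printf 'https://%s.blob.core.windows.net' "$1"; }
# Execute an az command, or echo it as "DRY-RUN: ..." when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; return 0; fi
  "$@"
}

configure() {
  # 1. System-assigned identity for the hub; read back its object id.
  run az iot hub identity assign --name "$HUB" --resource-group "$RG" --system-assigned
  if [ "$DRY_RUN" = "1" ]; then PRINCIPAL_ID='<principal-id>'; else
    PRINCIPAL_ID="$(az iot hub identity show --name "$HUB" --resource-group "$RG" \
                    --query principalId -o tsv)"; fi
  # 2. Least privilege: blob data write role on this account only (no account key).
  run az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
      --assignee-principal-type ServicePrincipal \
      --role "Storage Blob Data Contributor" --scope "$(storage_scope "$SUB" "$RG" "$SA")"
  # 3. Firewall stays Deny; only the trusted-services list (IoT Hub is on it) bypasses it.
  run az storage account update --name "$SA" --resource-group "$RG" \
      --default-action Deny --bypass AzureServices
  # 4. Route endpoint authenticates with the identity, not a connection string.
  run az iot hub routing-endpoint create --hub-name "$HUB" --resource-group "$RG" \
      --endpoint-name blob-telemetry --endpoint-type azurestoragecontainer \
      --endpoint-resource-group "$RG" --endpoint-subscription-id "$SUB" \
      --container-name "$CONTAINER" --endpoint-uri "$(blob_uri "$SA")" --identity '[system]'
}

configure
```

Role propagation can take a minute or two, so create the endpoint after the assignment has settled; a 403 at endpoint creation with the identity in place usually means the role or the trusted-services bypass is still missing.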

