App Service cannot write to Blob Storage

Matthew 1 Reputation point
2022-06-20T11:48:48.713+00:00

I have deployed my web app to Azure, but any attempt to write to my blob storage fails (Access denied). I have spent quite a few hours searching and changing various things in Azure, but I cannot figure this out. The app code is functioning correctly (my local dev PC can write to the blob storage).

The Azure setup I have is an App Service and a Storage account.

The Azure app can read from the blob storage, but cannot write. If I change the network settings on the storage account to "Enabled from all networks" the app is then able to write to the blob (but for obvious reasons, this is not the solution).

To back this up, I can write to the blob storage on Azure from my development PC by adding my IP to the firewall address range (when public network access is set to "Enabled from selected networks").

In easy steps, what do I need to do to only allow my App Service to write to my blob storage?

I've tried too many things to list and am at a loss as to what to do - I need a little help.

Thank you.


4 answers

  1. Julian Hüppauff 341 Reputation points Microsoft Employee
    2022-06-20T14:44:52.107+00:00

    From what you describe, you restricted network traffic to the storage account.
    You need to allow App Services to access it.

    The option "Allow trusted Microsoft Services" does not include App Services:
    https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-for-resources-registered-in-your-subscription

    You need to integrate the storage account and the app service into a virtual network either using service endpoints or private endpoints.

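    The service-endpoint variant of the answer above, written out as a Bicep template. This is an added example, not code from the question, the answer or Microsoft; the resource names (app-vnet, app-integration, example-app, the storage account name), the address ranges and the API versions are assumptions, and the S1 SKU follows the thread's later finding that a Standard plan is required.

```bicep
// Added example, not from the thread: names and address ranges are placeholders.
param location string = resourceGroup().location
param appName string = 'example-app'          // placeholder
param storageName string = 'examplestor0001'  // placeholder, must be globally unique
// Subnet delegated to App Service, with a Storage service endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'app-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ {
      name: 'app-integration'
      properties: {
        addressPrefix: '10.10.1.0/24'
        delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
      }
    } ]
  }
}
// Storage account: default Deny, only that subnet allowed (no IP rule for the app needed).
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id, action: 'Allow' } ]
    }
  }
}

// Standard plan: the thread reports VNet integration is not available on D1 (Shared).
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: vnet.properties.subnets[0].id  // regional VNet integration
    siteConfig: { vnetRouteAllEnabled: true }              // route all outbound via the VNet
  }
}
```

    Once deployed, the app's requests to the storage account arrive tagged with the integration subnet rather than a public outbound IP, which is why the storage firewall's IP rules never matched them.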

  2. Matthew 1 Reputation point
    2022-06-21T07:57:11.033+00:00

    I think I have found the reason why I am finding this so difficult. I am deploying to the D1 (Shared) platform and I think this is a limitation of the D1 service plan. I was thinking that perhaps B1 would be OK?

    Can anyone confirm what service plan I need to be able to write to blob storage (with IP rules to restrict access)?

    It seems that any writes to the blob storage that come from the app service IP are instantly greeted with a 403 - adding the app service IP to the blob storage networking, and setting up SAS with the app service IP, all equal a 403. Sending the same request via my dev PC works.

    Thanks.


  3. Matthew 1 Reputation point
    2022-06-23T12:26:00.877+00:00

    I think you are correct, but this does need to be done on a service plan that is at minimum "S1" (Standard). I was trying to be cost effective using D1 - I failed. Down to my lack of knowledge of Azure - thanks.


  4. Matthew 1 Reputation point
    2022-06-23T15:48:44.25+00:00

    Thanks. I have just tried that and it still fails.

    Screenshot

    It has to be a limitation of D1.
