Azure Storage : Signed IP address for on-premise client for service SAS not working

Question

I am trying to restrict requests to range of IP addresses in the service SAS but I am getting 403 error.

I have tried to use on-premise IP address as well as range of IP address to try the request from multiple machines. But wasn't successful.

This is how my SAS token looks (truncated signature value):
sp=r&st=2022-08-22T05:46:57Z&se=2022-08-23T13:46:57Z&sip=10.248.88.1-10.248.88.255&spr=https&sv=2021-06-08&sr=b&sig=<calculated-signature>

HTTP 403 This request is not authorized to perform this operation.

<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>AuthorizationFailure</Code>
<Message>This request is not authorized to perform this operation.
RequestId:e34939c4-e01e-00a0-5fb4-b61523000000
Time:2022-08-23T05:52:22.1043914Z</Message>
</Error>

Has anyone restricted the IP address to a certain IP/on-premise IP address and successfully made a request to azure storage?
If yes could you share me how to do it or what wrong I could be doing?

Referring to Azure documentation: https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas#specify-an-ip-address-or-ip-range

Answer 1

Hi @Govinda Heggade, Punith Dyapasandra

1) Which type of storage are you trying to access ? Container , File share etc
2) Have you check any firewall in between ? I have faced same issue when i mentioned allow IP to access to my Storage account but still they cant access due to firewall blocking the IP. Make sure

2a) Your storage account IP & port is allowed in firewall bi directional
2b) Your clients IP are allowed in allowed IP list on Portal

Regards,
Mohammed Altamash

----------If this answer was helpful , Kindly accept the answer -----------------