johnstaveley

Reputation: 1499

Firewall access from Azure app service to blob storage

I am trying to lock down access to blob storage to an app service. I have the following PowerShell code which gets the possible outgoing IP addresses from an app service I run and then limits access to blob storage to those IP addresses:

Write-Host ("Setting blob storage access restrictions")
# All IPs the app service might use for outbound traffic (comma-separated string)
$appServiceIPAddresses = (Get-AzureRmWebApp -ResourceGroupName $resourceGroupName -name $webSiteName).PossibleOutboundIpAddresses.Split(",")
# Existing IP rules on the storage account firewall
$currentStorageAccessRules = (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName).IpRules
$currentStorageAccessRules = {$currentStorageAccessRules}.Invoke() # Convert to modifiable list
foreach($ipAddress in $appServiceIPAddresses) {
    if (($currentStorageAccessRules | Where-Object { $_.IPAddressOrRange -eq $ipAddress }) -ne $null) {
        Write-Host("IP $ipAddress already has access to blob storage $storageAccountName")
    } else {
        Write-Host("Allowing IP $ipAddress access to blob storage $storageAccountName")
        $ipRule = New-Object -TypeName Microsoft.Azure.Commands.Management.Storage.Models.PSIpRule
        $ipRule.Action = 'Allow'
        $ipRule.IPAddressOrRange = $ipAddress
        $currentStorageAccessRules.Add($ipRule)
    }
}
# Replace the rule set with the merged list and deny everything not explicitly allowed
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName -IPRule $currentStorageAccessRules -DefaultAction Deny
Write-Host ("Updated blob storage access restrictions")

This sets all of the IP addresses I would expect correctly, however I now get a 403 Forbidden when the app service tries to access blob storage. All containers are private so there should be no URL access to the blobs; I just access them programmatically from the app service. Can anyone see why the above approach does not work?

Upvotes: 1

Views: 2361

Answers (2)

johnstaveley

Reputation: 1499

According to the article here: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security "IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests." so my rules above would have been ignored and I need to set up a virtual network to lock down access. Hope this helps someone.

Further information on how to do this is here: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

Upvotes: 2
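An added example, not from the question or either answer: the virtual-network-rule version of the script above, using the same AzureRm cmdlets. The storage account firewall is told to trust a subnet (a service endpoint for Microsoft.Storage must be enabled on it) instead of a list of outbound IPs, and the app service is integrated with that subnet. $vnetName, $subnetName and the networkConfig resource call for the app service integration are assumptions; the rest reuses the variables from the question.

```powershell
# Assumed names; $resourceGroupName, $webSiteName and $storageAccountName come from the question
$vnetName   = "my-vnet"
$subnetName = "appservice-subnet"

# 1. Enable the Microsoft.Storage service endpoint on the subnet, otherwise the storage
#    firewall cannot identify traffic as coming from this subnet.
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name $vnetName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet   = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Allow that subnet on the storage account and deny everything else.
#    Unlike IP rules, a virtual network rule is honoured for same-region callers.
Write-Host ("Allowing subnet $subnetName access to blob storage $storageAccountName")
Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName -DefaultAction Deny | Out-Null

# 3. Integrate the app service with the subnet so its storage calls leave through it.
#    Assumption: regional VNet integration is configured through the
#    Microsoft.Web/sites/networkConfig resource (see the app-service link in the answer).
$webApp = Get-AzureRmWebApp -ResourceGroupName $resourceGroupName -Name $webSiteName
New-AzureRmResource -ResourceGroupName $resourceGroupName `
    -ResourceType "Microsoft.Web/sites/networkConfig" `
    -ResourceName "$webSiteName/virtualNetwork" `
    -Location $webApp.Location `
    -PropertyObject @{ subnetResourceId = $subnet.Id } -Force | Out-Null

# 4. Read the rule set back and check the lock-down is what we intended before trusting it.
$ruleSet = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName
$subnetAllowed = $ruleSet.VirtualNetworkRules | Where-Object { $_.VirtualNetworkResourceId -eq $subnet.Id }
if ($ruleSet.DefaultAction -ne 'Deny' -or -not $subnetAllowed) {
    throw "Storage firewall not locked down as expected: DefaultAction=$($ruleSet.DefaultAction), subnet rule present=$([bool]$subnetAllowed)"
}
Write-Host ("Blob storage $storageAccountName now only accepts traffic from subnet $subnetName")
```

The IP rules added by the original script can be left in place or removed; they simply have no effect on same-region traffic, which is why the 403 appeared despite them.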

Most likely this could be a permission problem, depending on what specific authentication method you are using to access the storage account, there are three: SAS, Storage Key and Name, and AAD. You have to ensure that you have access to Blob Storage as a service depending on which you are using. I'd recommend checking this documentation which contains more info.

Also, in the firewall setting, try checking the "Allow trusted Microsoft services to access this storage account" and try again.

Upvotes: 0
