Mukteswar Patnaik

Reputation: 123

Accessing Azure Storage Accounts with Selected Network Enabled

As per the requirements, I need to enable the firewall with Selected Networks ON for Azure Storage Accounts. But when I do the same, along with adding all required IPs, the Azure Function App and Azure Data Factory are going down.

Currently the VNET is unavailable and cannot be created. Managed Identity is not an option as the Contributor role is unavailable.

Is there a way to configure the Data Factory and Function Apps after enabling the firewall with selected networks for Azure Key Vault and Azure Storage Accounts?

Upvotes: 0

Views: 722

Answers (1)

anon

Please find the steps below, which help to work around this:

Is there a way to configure the Data Factory and Function Apps after enabling the firewall with selected networks for Azure Key Vault and Azure Storage Accounts?

When network rules such as specified IP addresses, IP ranges, or subnets are configured on storage accounts, those storage accounts can only be accessed by applications that request data over the specified set of networks or through the specified set of Azure resources.

Also, the option Allow Trusted Services is set to ON while enabling the firewall for a storage account, which allows connectivity from Azure trusted services like Data Factory, Azure Functions, etc.

Visit this documentation to know the list of trusted services allowed to access a key vault in Azure.

You have to create the VNet and attach it to the Azure Function App, which helps it connect to the Storage Account.

Currently the VNET is unavailable and cannot be created. Managed Identity is not an option as the Contributor role is unavailable.

To enable a service endpoint for a subnet/IP addresses attached to the Storage account, you can have a custom role like Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action.

Refer to MSFT Docs1 and here for more information.

Upvotes: 0
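
An added example, not part of the question or answer above: a simplified Python model of how a storage account's `networkAcls` (ARM template form) decide whether a request is admitted, which helps when working out why a Function App or Data Factory call is rejected once the default action is Deny. The sample rules, addresses and subnet ID are constructed; the `trusted_service` flag is an assumption that the caller is on Microsoft's trusted-services list, and resource instance rules and private endpoints are not modelled.

```python
import ipaddress

# Constructed sample: the "networkAcls" property of a storage account in ARM
# template form. The addresses and the subnet ID are placeholders.
SAMPLE_ACLS = {
    "defaultAction": "Deny",
    "bypass": "Logging, Metrics, AzureServices",
    "ipRules": [
        {"value": "203.0.113.0/24", "action": "Allow"},
        {"value": "198.51.100.7", "action": "Allow"}],
    "virtualNetworkRules": [{
        "id": "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Network"
              "/virtualNetworks/vnet-demo/subnets/functions",
        "action": "Allow"}],
}

def evaluate(acls, source_ip=None, subnet_id=None, trusted_service=False):
    """Return (allowed, reason) for a request described by its public source IP,
    the subnet it arrives from through a service endpoint, or a flag saying the
    caller is an Azure trusted service (assumption supplied by the user)."""
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "firewall off: defaultAction is Allow"
    for rule in acls.get("virtualNetworkRules", []):
        # Resource IDs are compared case-insensitively.
        if subnet_id and rule["id"].lower() == subnet_id.lower():
            return True, "matched virtual network rule"
    if source_ip:
        addr = ipaddress.ip_address(source_ip)
        for rule in acls.get("ipRules", []):
            if addr in ipaddress.ip_network(rule["value"], strict=False):
                return True, f"matched IP rule {rule['value']}"
    bypass = {item.strip() for item in acls.get("bypass", "None").split(",")}
    if trusted_service and "AzureServices" in bypass:
        return True, "trusted-services bypass"
    return False, "denied by default action"

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACLS, source_ip="203.0.113.25"))
    print(evaluate(SAMPLE_ACLS, source_ip="192.0.2.1"))
    print(evaluate(SAMPLE_ACLS, trusted_service=True))
    print(evaluate(dict(SAMPLE_ACLS, bypass="None"), trusted_service=True))
```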
