Reputation: 139
Accessing Azure Storage Account using private endpoints and Vnet Integration from an Azure Function (app )
Ok this is to save someone else 4 days of work.
Trying to use VNet integration to connect an Azure Function in the North Central US region to a storage account in the US West region. The storage account in the US West region has the firewall enabled. The only reason I am posting this is our staff normally sets this up for virtual machines which have an IP address that can be added into the storage account firewall and not app service plans.
Upvotes: 0
Views: 2383
Answers (1)
Reputation: 139
If you want to secure your azure storage behind a private endpoint and you want a service plan (I.E. Azure Function or Web App) to access said storage account.
When the storage account firewall is disabled. An App service in the same Vnet containing the storage account endpoints (within a subnet for the app service) works. So to further clarify. You would have a Vnet with the default subnet, a storage subnet, and a app subnet. The storage account firewall is off. Then the web app can access the endpoints that you setup in the storage subnet.
When the storage account firewall is enabled.
- If you intend to use Vnet peering (very easy). The VNets need to be in the same region (I.E. US East) or within a region pair like (US East/US West)
- You must setup Vnet peering.
- You must add the subnet used by the app service into the storage account firewall.
Also a subnet that is not within the same region or a region pair will not show up in the storage account firewall for you to add it.
There is the option to try a preview feature AllowGlobaltagsForStorage but I cannot use that within a production environment.
So to clarify this:
- You have Vnet useastvnet with subnets default, storage
- Your storage account has private endpoints into the storage subnet
- The storage account firewall is enabled.
- You have another Vnet uswestvnet with subnets default, apps
- You have useastvnet peered with uswestvnet
- You have the subnet apps added into the storage account firewall.
- You have your web app or Azure Function using vnet integration into the app subnet
With this setup you can simply use the storage account connect string and everything should work as long as you have the endpoints setup that you need.
So my fix was to move my setup to the US West region.
Upvotes: 0
Related Questions
- Access to Azure File Storage via VNet
- Accessing a private storage account from Azure Devops Hosted Agents
- Azure Web App VNet integration to Storage account with Private Link
- Using private endpoints across Azure Subscription
- Using service principal to access Azure blob storage
- Reading azure storage blob from azure app service returns 403 when integrated with VNet (preview)
- Firewall access from Azure app service to blob storage using Virtual Network
- App Service VNet Integration with Azure Storage Service Endpoint
- Accessing Azure Blob Storage Using Rest API
- Blob storage access from Azure App Service