user1147862

Reputation: 4226

Secure access to Azure storage account from only app service, database server and specific Internet address

I have an Azure storage account named "mystorage". I would like to ensure that only the following have read/write access to both the files and the blobs in the storage account (everything else should be blocked):

  1. requests over the Internet from IP address 200.300.400.500;
  2. my App service "myappservice";
  3. my Azure SQL database server "dbserver".

All these assets sit in the same region.

I have tried setting up a virtual network between storage account and app service and database server, which led to all access being blocked. I may well have gotten this wrong though.

Please let me know how to accomplish the above.

Upvotes: 1

Views: 159

Answers (1)

Venkat V

Reputation: 7820


To enable a secure connection from the App Service and the SQL Database to the Azure Storage Account, follow the steps below.

  1. Create a VNet with two subnets: one for the App Service and the other for the SQL Database.

  2. Add the Microsoft.Storage service endpoint to both subnets. This will enable outbound connectivity from the App Service and SQL Database to the Storage Account over the Microsoft backbone network.


  3. Allow both subnets in the Azure Storage Account firewall and add the IP address 200.300.400.500 to the firewall rules.


Method 2:

  1. To route traffic from the internet via a public IP to the Storage Account, you can create a NAT gateway and associate it with both the App Service and SQL Database subnets.

Note:

  1. The NAT gateway will only be used for outbound traffic.
  2. Disable the service endpoint if you are using the NAT gateway.


You can find the NAT public IP by navigating to NAT gateway > Outbound IP.


  2. Add the NAT gateway public IP to the Storage Account firewall rules to allow traffic.


References:

  1. Grant access from an internet IP range
  2. Grant access from a virtual network
  3. Azure NAT Gateway integration

Upvotes: 3
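The first method in the answer above (service endpoints plus storage firewall rules), written out as a Bicep template; this is an added example, not code from the answer or from Microsoft. It creates the VNet with the two Microsoft.Storage service-endpoint subnets and sets the storage account firewall to deny by default, allowing only those subnets and the single client IP. The VNet and subnet names and the address ranges are assumptions, and the App Service subnet additionally carries the Microsoft.Web/serverFarms delegation that App Service regional VNet integration requires.

```bicep
param location string = resourceGroup().location
// Public IP to allow. The question's 200.300.400.500 is not a valid IPv4
// address (octets above 255), so the real address is supplied at deploy time.
param clientIp string

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'storage-vnet'                                  // assumed name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] } // constructed range
    subnets: [
      {
        name: 'app-subnet'                                // assumed name
        properties: {
          addressPrefix: '10.10.1.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          // App Service regional VNet integration requires this delegation
          delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
      {
        name: 'sql-subnet'                                // assumed name
        properties: {
          addressPrefix: '10.10.2.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'mystorage'            // from the question; must be globally unique
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'    // anything not matched by a rule below is blocked
      bypass: 'None'           // use 'AzureServices' if trusted Azure services need access
      virtualNetworkRules: [
        { id: vnet.properties.subnets[0].id, action: 'Allow' }
        { id: vnet.properties.subnets[1].id, action: 'Allow' }
      ]
      ipRules: [ { value: clientIp, action: 'Allow' } ]
    }
  }
}
```

After deployment, a request from any source other than the two subnets or the allowed IP returns an authorization failure from the storage endpoint, which is the quickest check that the deny-by-default rule is in effect.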
