4
votes

I have an Azure Storage account where I have blobs stored in containers.

I would like to limit the access to this storage account to specific Azure resources and prevent internet connections.

I currently have access limited to IPs from our office locations. This allows us to support the process and use Azure Storage Explorer.


I tried adding the Outgoing IP Addresses from the Logic App but that did not allow access.


Then in the Logic App designer, I get the following error.

I would like to additionally allow access from an Azure Logic app that would work with data stored there.

3
Did you manage to get this working? Encountering the same problem. – Thomas
I need to try Steven Van Eycken's suggestion. – aaronR
I tried and it did not work, even if it should work. – Thomas
Is your storage on a VNET/subnet or behind an NSG? – aaronR
I've opened an issue on the logicapps repo: github.com/Azure/logicapps/issues/18 – Thomas

3 Answers

0
votes

Have you used the blob storage connector in your logic app? Once you add the credential connection details, you'd be able to connect from the logic app.


The full documentation can be found here

0
votes

Is the IP you allowed known in the list of Logic Apps IPs? If not then I think you will need to whitelist the one on the list.

This is the list of Logic App IPs per country & connector:

Logic App IPs

0
votes

I am having the same issue. Apparently this configuration is not supported. Quoted from an Azure ticket yesterday:

"Yea we have had couple (sic) customers reporting this issue. Unfortunately this feature is not supported as of now. The azure networking team was working on adding this support for logic apps. As of last month there was no ETA given."

Also, in my storage account logs the failed logic app requests are coming from 10.157.x.x, which I cannot whitelist in the storage account firewall. I even tried "fooling" the firewall by creating a vnet containing that subnet and allowing that. No dice.
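A log triage example for the situation in the last answer, added here and not code from any poster or from Azure: it sorts failed requests by whether the caller IP is covered by the firewall's IP rules, is a public address missing from them, or is an RFC 1918 private address like the 10.157.x.x source described above. The log line layout, rule list and addresses are constructed sample data, and `classify` and `triage` are hypothetical helper names.

```python
import ipaddress
from collections import Counter, defaultdict

# RFC 1918 private ranges, listed explicitly (ipaddress.is_private would also
# flag the documentation ranges used as sample public addresses below).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: firewall IP rules and simplified log lines in the
# assumed layout time;operation;http_status;caller_ip:port
SAMPLE_RULES = ["203.0.113.0/24", "198.51.100.7"]
SAMPLE_LOG = [
    "2019-01-10T09:00:01Z;GetBlob;200;203.0.113.25:50112",
    "2019-01-10T09:00:05Z;ListBlobs;403;10.157.0.12:41822",
    "2019-01-10T09:00:06Z;ListBlobs;403;10.157.0.12:41830",
    "2019-01-10T09:00:09Z;GetBlob;403;192.0.2.44:60001",
]

def classify(caller_ip, allow_rules):
    """Return 'private-source', 'allowed' or 'not-in-rules' for one caller."""
    ip = ipaddress.ip_address(caller_ip)
    # Checked first: the answer reports such a source cannot be whitelisted,
    # so a matching rule in the list would not explain an allowed request.
    if any(ip in net for net in RFC1918):
        return "private-source"
    rules = [ipaddress.ip_network(r, strict=False) for r in allow_rules]
    return "allowed" if any(ip in net for net in rules) else "not-in-rules"

def triage(log_lines, allow_rules):
    """Count failed (non-2xx) requests per caller IP, grouped by verdict."""
    grouped = defaultdict(Counter)
    for line in log_lines:
        _time, _operation, status, requester = line.strip().split(";")
        if status.startswith("2"):
            continue  # successful request, nothing to explain
        ip = requester.rsplit(":", 1)[0]  # drop the source port
        grouped[classify(ip, allow_rules)][ip] += 1
    return {verdict: dict(counts) for verdict, counts in grouped.items()}

if __name__ == "__main__":
    for verdict, callers in triage(SAMPLE_LOG, SAMPLE_RULES).items():
        print(verdict, callers)
```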