1
votes

I can't get vNet integration between an Azure App Service / WebJob and its connected Storage Account to work correctly. I have added both the App Service and the storage account to the same vNet and enabled service endpoint binding for Microsoft.Storage. From what I can see in the docs, this is what is needed to get the communication to work between the services. Unfortunately, I get this error in the WebJob log when I try to run it:

"Unhandled Exception: Microsoft.WindowsAzure.Storage.StorageException: The remote server returned an error: (403) Forbidden. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden."

If I disable the firewall on the storage account everything works just fine.

All the services are placed in the same resource group and region (West Europe).

I have tried both the "normal" (with gateway) and the new (Preview) vNet integration version on the App Service and both are failing the same way.

I am not using ASE (App Service Environment).

I have also added the following exceptions on the storage firewall:

[Image: Storage firewall exceptions]

2
Are you using ASE and have you whitelisted your app service IP on Storage firewall? - R Jain

I'm not using ASE. - Coder62349

And I have not whitelisted any IP in the storage firewall. Both services are in the same vNet and the Microsoft.Storage endpoint is enabled. It should be enough according to docs. - Coder62349

2 Answers

0
votes

First, when you allow the set of trusted Microsoft services to bypass the network rules, these services will then use strong authentication to access the storage account. In this case, you may think the Microsoft.Networking service will be allowed in the firewall rule. But basically, VNet Integration does not mean App Service is inside a VNet. VNet Integration gives your web app access to resources in your virtual network but doesn't grant private access to your web app from the virtual network. We usually use it to securely access resources in a VNet.

If you want to put your App Service in a VNet, you need to deploy it in App Service Environment, then it's already in a VNet.

Alternatively, you could whitelist the outbound web app service IP address in the firewall rule of the storage account.

Hope this helps, feel free to let me know if you have any concerns.

0
votes

I've struggled myself on this topic.

First off, if you're restricting access to storage using the firewall you need to add your VNET to the storage firewall. Use your delegate subnet when adding your VNET.

When you add the private link between your storage and your VNET, Azure creates a private DNS zone but your app doesn't automatically use it, even when integrated to the VNET.

You can find more here: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet. But specifically this passage applies:

"After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS private zones. To work with Azure DNS private zones, you need to add the following app settings:

WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1

These settings send all of your outbound calls from your app into your VNet and enable your app to access an Azure DNS private zone. With these settings, your app can use Azure DNS by querying the DNS private zone at the worker level."

You can test the DNS resolution your app is using by opening the debug console and using the NameResolver command. NameResolver mystorageaccount.blob.core.windows.net or NameResolver mystorageaccount.queue.core.windows.net should return your private address. If not, you have a DNS issue.
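The two answers point at two separate things to verify before blaming the storage firewall: whether the app's outbound IPs are actually covered by the storage account's IP rules (first answer), and whether the storage hostnames resolve to the private address inside the VNet rather than the public one (second answer). The following script is an added example, not code from either answer or from Microsoft; it performs both checks offline on constructed inputs. It assumes the outbound IP list is the comma-separated string returned by `az webapp show --query outboundIpAddresses`, and the resolver is injectable so the DNS check can be exercised without network access (in the real App Service you would compare against the output of NameResolver).

```python
"""Offline checks for the two failure modes discussed above:
(1) the App Service's outbound IPs are not covered by the storage firewall's
    IP rules, so requests leaving the VNet get a 403 Forbidden;
(2) the storage hostname still resolves to a public address instead of the
    private address inside the VNet (the app is not using the private DNS zone).
Hypothetical example; all inputs are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed outbound IP list in the format of `az webapp show --query outboundIpAddresses`
# (assumption: a comma-separated string of IPv4 addresses).
CONSTRUCTED_OUTBOUND_IPS = "13.69.68.10,13.69.68.11,40.68.1.200"
# Constructed storage firewall IP rules (CIDR prefixes or single addresses).
CONSTRUCTED_IP_RULES = ["13.69.68.0/24"]


def parse_outbound_ips(csv: str) -> List[ipaddress.IPv4Address]:
    """Split the comma-separated outbound IP string into address objects."""
    return [ipaddress.ip_address(p.strip()) for p in csv.split(",") if p.strip()]


def missing_from_firewall(outbound_csv: str, ip_rules: Iterable[str]) -> List[str]:
    """Return the outbound IPs that no storage firewall IP rule covers.
    Any address listed here would be rejected with 403 when the request
    reaches the storage account over the public endpoint."""
    networks = [ipaddress.ip_network(r, strict=False) for r in ip_rules]
    return [str(ip) for ip in parse_outbound_ips(outbound_csv)
            if not any(ip in net for net in networks)]


def resolution_report(hosts: Iterable[str], vnet_prefix: str,
                      resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Classify each hostname as 'private' (resolved address lies inside the
    VNet prefix, i.e. the private DNS zone is in use), 'public' (resolved
    elsewhere, so traffic leaves the VNet and hits the firewall) or
    'unresolved'. `resolve` is injectable for offline testing."""
    vnet = ipaddress.ip_network(vnet_prefix)
    report: Dict[str, str] = {}
    for host in hosts:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (socket.gaierror, ValueError):
            report[host] = "unresolved"
            continue
        report[host] = "private" if addr in vnet else "public"
    return report


# Constructed answers standing in for what NameResolver would print on the worker.
CONSTRUCTED_DNS = {
    "mystorageaccount.blob.core.windows.net": "10.1.2.4",        # private endpoint in the VNet
    "mystorageaccount.queue.core.windows.net": "52.239.140.100",  # still resolving publicly
}


def fake_resolve(host: str) -> str:
    """Resolver stub backed by the constructed table above."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(host)


if __name__ == "__main__":
    print("outbound IPs not covered by firewall rules:",
          missing_from_firewall(CONSTRUCTED_OUTBOUND_IPS, CONSTRUCTED_IP_RULES))
    print(resolution_report(CONSTRUCTED_DNS.keys(), "10.1.0.0/16", resolve=fake_resolve))
```

With the constructed data the first check reports 40.68.1.200 as uncovered, and the second reports the blob endpoint as private but the queue endpoint as public; the queue endpoint is the one that would produce the 403 in the question, since its traffic never enters the VNet.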