1
votes

I am trying to lock down access to blob storage to an app service. I have the following PowerShell code, which gets the possible outgoing IP addresses from an app service I run and then limits access to blob storage to those IP addresses:

# Assumes $resourceGroupName, $webSiteName and $storageAccountName are already set (AzureRM module)
Write-Host ("Setting blob storage access restrictions")

# All public IPs the app service may use for outbound traffic, as a comma-separated string
$appServiceIPAddresses = (Get-AzureRmWebApp -ResourceGroupName $resourceGroupName -Name $webSiteName).PossibleOutboundIpAddresses.Split(",")

# Existing IP rules on the storage account; copy them into a modifiable typed list
$existingRules = (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName).IpRules
$currentStorageAccessRules = New-Object 'System.Collections.Generic.List[Microsoft.Azure.Commands.Management.Storage.Models.PSIpRule]'
foreach ($rule in $existingRules) {
    if ($rule) { $currentStorageAccessRules.Add($rule) }   # skip a null placeholder when no rules exist
}

foreach ($ipAddress in $appServiceIPAddresses) {
    # $null on the left so a multi-element result is not filtered into an array
    if ($null -ne ($currentStorageAccessRules | Where-Object { $_.IPAddressOrRange -eq $ipAddress })) {
        Write-Host ("IP $ipAddress already has access to blob storage $storageAccountName")
    } else {
        Write-Host ("Allowing IP $ipAddress access to blob storage $storageAccountName")
        $ipRule = New-Object -TypeName Microsoft.Azure.Commands.Management.Storage.Models.PSIpRule
        $ipRule.Action = 'Allow'
        $ipRule.IPAddressOrRange = $ipAddress
        $currentStorageAccessRules.Add($ipRule)
    }
}

# Write the merged allow-list back and deny everything not matched by a rule
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName -IPRule $currentStorageAccessRules -DefaultAction Deny
Write-Host ("Updated blob storage access restrictions")

This sets all of the IP addresses I would expect correctly; however, I now get a 403 Forbidden when the app service tries to access blob storage. All containers are private, so there should be no URL access to the blobs; I just access them programmatically from the app service. Can anyone see why the above approach does not work?

Could be that it's using an Azure internal address instead of one of the public-facing ones? Are you aware those IP addresses are shared by other apps, by the way? Unless you're running in an ASE of course :) – juunas

After your script ran, have you checked in the portal whether the proper IPs are listed in the storage account firewall rules? Also, does it work if you do it manually in the portal? – silent

Yes, the IP addresses are listed in the portal correctly. No, it doesn't work if I put them in manually either. My understanding is that there is no such thing as an app service 'internal IP address'; all outgoing traffic will be sent from those IP addresses, and it doesn't matter if those IP addresses are shared. – johnstaveley

If you directly access blob storage from the Azure app service in the portal without the firewall enabled, does it work? – Nancy Xiong

Yes, Nancy, it does. It stops working when I turn the IP restrictions on. – johnstaveley

2 Answers

2
votes

According to the article here: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security "IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests." So my rules above would have been ignored, and I need to set up a virtual network to lock down access. Hope this helps someone.

Further information on how to do this is here: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
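As an added example (not part of the original answer), the same lock-down expressed with a virtual network rule instead of the IP rules from the question. $vnetName and $subnetName are placeholders; it assumes the app service has already been integrated into that subnet per the linked article, and that the subnet has the Microsoft.Storage service endpoint enabled (the script checks for it rather than creating it).

```powershell
# Added example, not the original poster's script. Placeholder names:
$resourceGroupName  = 'my-rg'           # placeholder
$storageAccountName = 'mystorageacct'   # placeholder
$vnetName           = 'my-vnet'         # placeholder: VNet the app service is integrated into
$subnetName         = 'app-subnet'      # placeholder: the integration subnet

# 1. Resolve the subnet and confirm it carries the Microsoft.Storage service endpoint;
#    without it the storage firewall cannot attribute traffic to this subnet.
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name $vnetName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
if ($subnet.ServiceEndpoints.Service -notcontains 'Microsoft.Storage') {
    throw "Subnet $subnetName has no Microsoft.Storage service endpoint; enable it first."
}

# 2. Add the subnet as a virtual network rule (idempotent: skipped if already present).
$ruleSet = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName
if ($ruleSet.VirtualNetworkRules.VirtualNetworkResourceId -notcontains $subnet.Id) {
    Write-Host ("Allowing subnet $($subnet.Id) access to $storageAccountName")
    Add-AzureRmStorageAccountNetworkRule -ResourceGroupName $resourceGroupName `
        -Name $storageAccountName -VirtualNetworkResourceId $subnet.Id | Out-Null
} else {
    Write-Host ("Subnet $($subnet.Id) already has access to $storageAccountName")
}

# 3. Deny everything that matches no rule. Add "-Bypass AzureServices" here if you also
#    want the portal's "Allow trusted Microsoft services" exception kept on.
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName -DefaultAction Deny | Out-Null

# 4. Verify: the rule set should now list the subnet and default to Deny.
$ruleSet = Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName
Write-Host ("DefaultAction: $($ruleSet.DefaultAction)")
$ruleSet.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, State, Action
```

The IP rules from the question can be left out entirely for the app service itself; they only matter for callers outside the storage account's region.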

0
votes

Most likely this could be a permission problem, depending on what specific authentication method you are using to access the storage account. There are three: SAS, Storage Key and Name, and AAD. You have to ensure that you have access to Blob Storage as a service depending on which you are using. I'd recommend checking this documentation, which contains more info.

Also, in the firewall setting, try checking the "Allow trusted Microsoft services to access this storage account" and try again.