I have an Azure App Service which uses Blob Storage to host it's static files. For this particular app (staging environment) we only want to allow access from the app service and a specific set of ip addresses.
What is the best way to go about this? I tried providing an identity for the app service with the role of Owner but it keeps getting a 403 when trying to access blob storage.
I can reproduce your problem:
Why you still get 403 is because you are missing the necessary steps.
You have two way. 1, add service outbound ip to the firewall of storage. 2, put the app under a virtual network and then allow the VNET to access.
Common solution:
First of all, create a virtual network on azure.
Then add the network to the firewall setting of storage:
After above configuration, my Azure App Service can access the storage with no problem. Please have a try on your side.(Pleace notice that VNET configuration will not work immediately, you need wait for a little time.)
