
Problem

I have an App Service that is unable to access (unauthorized storage exception) a storage account. Both of these resources are in the same Resource Group (i.e. Resource Group XYZ).

The storage account has its Networking "Allow access from" set to "Selected Networks". From there I configured a Virtual Network, and also included all the outbound IP addresses under the Firewall section.

Note that if I set the Networking "Allow access from" to "All Networks", then everything works fine.

My Suspicion

I noticed that my app service is NOT on the Virtual Network that the storage account is configured with. I am unable to add the vnet (under the app's Networking blade) due to some error - which I suspect is due to the fact that the app service is under an App Service Plan which is associated with a different resource group (i.e. Resource Group ABC).

Question(s)

Any ideas what could be the culprit to the storage account access issue? Again, I suspect it could be related to the App Service Plan being in a different resource group - in which case, it is a different issue altogether (I am unable to see my other App Service Plans under the "Change App Service Plan" blade).

Comments:

While this could be a networking issue, also check access - how are you authenticating? If you're using an access key, and it's correct, then it's very possibly still networking. If you're using a Managed Identity, have you checked to ensure that the identity has the correct access permissions to the account and containers? – WaitingForGuacamole

Also, if you lift all of the networking restrictions temporarily, does it work? – WaitingForGuacamole

As mentioned, it does work (if I set it to "All Networks"). – AlvinfromDiaspar

I am not sure about my using a managed identity. I have selected "Select Networks" and explicitly added IP Addresses to allow in the Firewall rules. I presume this is enough. – AlvinfromDiaspar

stackoverflow.com/questions/60663125/… suggests it's a limitation on the number of integrations per plan? – WaitingForGuacamole

1 Answer


There are 2 things to take into consideration:

  1. That your app service can reach the storage account.

This depends on how locked down your storage account is. If it only allows access from the Vnet that it is on, then you need to add your app service to the same vnet.

You need at minimum a Standard app service plan for network integration. The app service must also be in the same region as the vnet.

  2. Your app service is allowed to access the storage account.

You can either do this using a Managed identity or a Shared Access Signature. See this link for using managed identity: https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Ccommand-line
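The two conditions in the answer (reachability vs. authorization) show up as different error codes in the 403 body Azure Storage returns. As an added example, not part of the answer or of Azure's own tooling, here is a small classifier for that body; the sample response is constructed, and the code-to-cause mapping reflects the Storage REST API's documented 403 codes.

```python
import re
import xml.etree.ElementTree as ET

# Azure Storage 403 error codes and which layer rejected the request.
# "AuthorizationFailure" is the code the storage firewall / VNet rules return;
# the others indicate a credential or permission problem, not networking.
CAUSES = {
    "AuthorizationFailure": "network: blocked by storage firewall or VNet rules",
    "AuthenticationFailed": "credentials: account key or SAS signature invalid/expired",
    "AuthorizationPermissionMismatch": "rbac: identity lacks a data-plane role on the account",
    "AuthorizationResourceTypeMismatch": "sas: token does not cover this resource type",
    "AuthorizationServiceMismatch": "sas: token does not cover this storage service",
}

# Constructed sample of the XML body returned when network rules block a request.
SAMPLE_403_NETWORK = (
    '<?xml version="1.0" encoding="utf-8"?>'
    "<Error><Code>AuthorizationFailure</Code>"
    "<Message>This request is not authorized to perform this operation.\n"
    "RequestId:00000000-0000-0000-0000-000000000000\n"
    "Time:2021-01-01T00:00:00.0000000Z</Message></Error>"
)


def classify_storage_error(status: int, body: str) -> dict:
    """Return {'code', 'cause', 'request_id'} for a storage error response."""
    code = None
    request_id = None
    try:
        root = ET.fromstring(body)
        code_el = root.find("Code")
        msg_el = root.find("Message")
        if code_el is not None and code_el.text:
            code = code_el.text.strip()
        if msg_el is not None and msg_el.text:
            # RequestId is what to quote when correlating with storage diagnostic logs.
            m = re.search(r"RequestId:([0-9a-fA-F-]+)", msg_el.text)
            request_id = m.group(1) if m else None
    except ET.ParseError:
        pass  # non-XML body (e.g. a proxy page): leave code unset
    if status == 403 and code in CAUSES:
        cause = CAUSES[code]
    elif status == 403:
        cause = "unknown 403; inspect the error body"
    else:
        cause = f"HTTP {status}; not an authorization failure"
    return {"code": code, "cause": cause, "request_id": request_id}


if __name__ == "__main__":
    print(classify_storage_error(403, SAMPLE_403_NETWORK))
```

If the App Service and the storage account are in the same Azure region, the app's traffic reaches storage over Azure-internal addresses, so rules for its public outbound IPs do not match and only the VNet route applies.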