How to set blob storage firewall accessing from app service only

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.

Scenario

Goal: the blob storage account should be reachable only from the app service.
To achieve this, you want to configure the blob storage firewall for inbound traffic.


Blob storage firewall limitation in this scenario

1. IP address

IP network rules have no effect on requests originating from the same Azure region as the storage account.

See Grant access from an internet IP range

2. Service tag

There is no service tag for App Service that the storage firewall can use.

[Image: Youna_Hyun_0-1664263196444.png]

P.S. When clients request blob storage through the app service, the storage account receives the client IP, not the App Service IP.

Workaround

1. Add the app service's IP addresses when the app service and the storage account are located in different regions.

When the resources are located in different regions, the IP address firewall rule takes effect.

2. Firewall with Virtual Network

When blob storage uses the VNet firewall, the app service must be integrated with that VNet.

To learn what VNet integration is, see VNet integration

[Image: Youna_Hyun_1-1664263882403.png]

Before setting up VNet integration, check its limitations:

Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn


1. Set VNet integration on the app service

Add the VNet to your app service.

I use the "firwall-storage-vnet" VNet, as shown below.

[Image: Youna_Hyun_2-1664265101342.png]

2. Configure the blob storage firewall with the VNet that is integrated with the app service

[Image: Youna_Hyun_3-1664265216331.png]

3. If you use a function app, also add the app setting WEBSITE_CONTENTOVERVNET = 1

A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network.

See the details of this setting: website_contentovervnet
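Putting workaround 2 together as an Azure CLI script (an added example, not code from the original post): it enables the storage service endpoint on the subnet, integrates the app, denies all traffic by default, allows only that subnet, and adds the function app setting. The resource group, storage account, subnet and app names are constructed placeholders, and the subnet is assumed to be the one used for App Service VNet integration.

```shell
# Added example (not from the original post): restrict a storage account
# firewall to the subnet an App Service is VNet-integrated with, then
# check the effective default action. All names are placeholders.
set -eu

RG="${RG:-rg-placeholder}"
STORAGE="${STORAGE:-stplaceholder}"
VNET="${VNET:-firwall-storage-vnet}"      # VNet name used in the post
SUBNET="${SUBNET:-app-integration}"       # assumed integration subnet
APP="${APP:-app-placeholder}"
IS_FUNCTION_APP="${IS_FUNCTION_APP:-0}"   # 1 = the app is a function app
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print az commands only

# Runs an az command, or just prints it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

restrict_storage_to_app_subnet() {
  app_kind=webapp
  if [ "$IS_FUNCTION_APP" = "1" ]; then app_kind=functionapp; fi
  # 1. The subnet needs the Microsoft.Storage service endpoint before a
  #    storage VNet rule can reference it.
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" \
      -n "$SUBNET" --service-endpoints Microsoft.Storage
  # 2. Integrate the app with that subnet (regional VNet integration).
  run az "$app_kind" vnet-integration add -g "$RG" -n "$APP" \
      --vnet "$VNET" --subnet "$SUBNET"
  # 3. Deny by default, then allow only the integrated subnet. An IP rule
  #    would be ignored here if app and storage share an Azure region.
  run az storage account update -g "$RG" -n "$STORAGE" --default-action Deny
  run az storage account network-rule add -g "$RG" --account-name "$STORAGE" \
      --vnet-name "$VNET" --subnet "$SUBNET"
  # 4. A function app also needs WEBSITE_CONTENTOVERVNET=1 to scale with a
  #    network-restricted storage account.
  if [ "$IS_FUNCTION_APP" = "1" ]; then
    run az functionapp config appsettings set -g "$RG" -n "$APP" \
        --settings WEBSITE_CONTENTOVERVNET=1
  fi
}

# Succeeds only when the reported default action is Deny; anything else
# means the firewall is not restricting traffic at all.
is_default_deny() { [ "${1:-}" = "Deny" ]; }

# Reads the live setting and checks it (needs a logged-in az session).
verify_default_deny() {
  is_default_deny "$(az storage account show -g "$RG" -n "$STORAGE" \
                     --query networkRuleSet.defaultAction -o tsv)"
}
```

Review the commands first with `DRY_RUN=1 restrict_storage_to_app_subnet`, then run `restrict_storage_to_app_subnet && verify_default_deny` against the real subscription.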
