Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

We welcome user feedback and feature requests!

← Web Apps

Enable App Service without ASE to access Storage Account with Firewall enabled

Currently it is not possible to configure storage account firewall to accept requests from App Services without ASE. This requires App Service to enable trusted access to storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services.

It is great if above is possible.

1,046 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Masayuki Tanaka shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

52 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • sayikal commented  ·   ·  Flag as inappropriate

    Please please list the 'App service with Managed Identity' as a Trusted Service. While the Vnet Integration works, it is still not practicable solution in it's current shape and form, as each App service Plan need a dedicated subnet for Regional Vnet Integration to work. So if we require multiple Apps spanning across different App service Plans connecting to storage accounts, it requires us to carve out separate subnets per App Service Plan which looks totally absurd.

  • Joost Groot commented  ·   ·  Flag as inappropriate

    OMG why hasn't this been fixed. Azure Security Center keeps reminding us that all those storage accounts without a firewall are unsecure and possible hacket etc. But we can't secure them because they are needed voor Azure's own WebApps (app-services).

    Realy realy realy bad design. You can't expect people to use VM's for a simpel site a appservice can handle.

    Please, add ALL Azure resourse tot the list (not only App Services).

  • Illbegood commented  ·   ·  Flag as inappropriate

    I have a desktop app accessing some Azure File Shares setting firewall, now I need to access the same shares from a Web Api published on Azure Web App and I've been forced to disable firewall because even selecting Allow trusted Microsft Services I receive a 403 error accessing the files. Please fix this issue as soon as possible.

  • Regee Chacko commented  ·   ·  Flag as inappropriate

    We had setup the backup to storage account in same region (based on advice from MS engineer) and backups were successfully completed. Later the storage account firewall was setup to allow access from azure virtual networks only and we noticed the backups were failing. When customer support was contacted we were advised that this is not supported.

    Due to this I have to allow storage account access from all networks.
    This is a must have feature.

  • VooDooMaN commented  ·   ·  Flag as inappropriate

    + from Azure DevOps!!
    so Azure DevOps not part of Microsoft software family :)
    made by Aliens? :)

  • Siju Mathew commented  ·   ·  Flag as inappropriate

    This is definitely not the intended behaviour based on Azure-(Function)-App documentation and the storage account firewall documentation. This behaviour works in CosmosDB and I have spent many hours trying to figure out why it will not work as intended.
    Options to use ASE/Vnet or use it in two different regions are not workarounds but money making options.

  • Cory commented  ·   ·  Flag as inappropriate

    Looking forward to this feature. I am currently backing up our web app manually.

  • André Sørhus commented  ·   ·  Flag as inappropriate

    I've found that we now can log application logs from non-ASE app services connected to VNet and with a storage account with a service endpoint. The logging is done using an IP address in the app service subnet's address space. (This can e.g. be monitored using "Diagnostics settings", currently in preview). However, "web server logging" is still not possible. In this case the logging is done using the non-subnet address space, in fact it's not even done using one of the listed IP addresses for the service plan, but some other shared address space IP. This forces us to have to either not use web server logging at all, log to the file system, or leave the storage account without firewall.

  • Vansevenant, Stijn commented  ·   ·  Flag as inappropriate

    Impossible to follow Microsofts own Azure Security Center recommendations to configure firewall rules on the storage account and to configure backups on your app services using those storage accounts.

    This is a must have feature. I'm forced now to either disable my firewall or disable my periodic backups.

  • Kozak, Daniel commented  ·   ·  Flag as inappropriate

    This feature is absolutely required. Any backup/core service that Microsoft offers should be included under the "Allow trusted Microsoft services to access this storage account"

  • Anonymous commented  ·   ·  Flag as inappropriate

    It's been more than 2 years, everyone has already exposed how important this feature is. Is there any news about it? At least a timeline please!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Please add this feature - we followed security centre recommendations to lock down our firewall rules and broke SQL vulnerability scanning and web app backups. As far as I can tell there is no warning in security centre or in the Storage firewall. Please fix as things like this create waste for customers and Microsoft. This is technical debt and should be resolved.

  • [Deleted User] commented  ·   ·  Flag as inappropriate

    Please add this feature - we followed security centre recommendations to lock down our firewall rules and broke SQL vulnerability scanning and web app backups. As far as I can tell there is no warning in security centre or in the Storage firewall. Please fix as things like this create waste for customers and Microsoft. This is technical debt and should be resolved.

  • Dian, Steven commented  ·   ·  Flag as inappropriate

    If you read the documentation on "Trusted Microsoft Services" - Azure App Services or Azure webapps IS NOT one of the supported "Trusted Services" today. This is ridiculous. I should NOT have to setup an Internal ASE just to be able to effectively firewall off storage to an app service.
    Forcing me to create storage in one region and the app service in another is NOT reasonable.

    Turning off firewall rules to support access to a storage account from an App Service / Azure Webapp is NOT a reasonable solution for production use. Microsoft, please for the love of all that is holy - add App Services / Azure webapps to the list of "trusted microsoft services" so that your customers can effectively isolate access to storage accounts from GENERAL OPEN to internet when using App services. THANK YOU.

  • Ty Hill commented  ·   ·  Flag as inappropriate

    This works if the App Service is in a different region than the Storage Account.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is actually a deal breaker. Just using storage key rotation is not a real option. And vnet integration / private endpoint is for my not feasable.

← Previous 1 3

Web Apps

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice