We welcome user feedback and feature requests!

← Web Apps

Enable App Service without ASE to access Storage Account with Firewall enabled

Currently it is not possible to configure storage account firewall to accept requests from App Services without ASE. This requires App Service to enable trusted access to storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services.

It is great if above is possible.

864 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Masayuki Tanaka shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

41 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Vansevenant, Stijn commented  ·   ·  Flag as inappropriate

    Impossible to follow Microsofts own Azure Security Center recommendations to configure firewall rules on the storage account and to configure backups on your app services using those storage accounts.

    This is a must have feature. I'm forced now to either disable my firewall or disable my periodic backups.

  • Kozak, Daniel commented  ·   ·  Flag as inappropriate

    This feature is absolutely required. Any backup/core service that Microsoft offers should be included under the "Allow trusted Microsoft services to access this storage account"

  • Anonymous commented  ·   ·  Flag as inappropriate

    It's been more than 2 years, everyone has already exposed how important this feature is. Is there any news about it? At least a timeline please!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Please add this feature - we followed security centre recommendations to lock down our firewall rules and broke SQL vulnerability scanning and web app backups. As far as I can tell there is no warning in security centre or in the Storage firewall. Please fix as things like this create waste for customers and Microsoft. This is technical debt and should be resolved.

  • [Deleted User] commented  ·   ·  Flag as inappropriate

    Please add this feature - we followed security centre recommendations to lock down our firewall rules and broke SQL vulnerability scanning and web app backups. As far as I can tell there is no warning in security centre or in the Storage firewall. Please fix as things like this create waste for customers and Microsoft. This is technical debt and should be resolved.

  • Dian, Steven commented  ·   ·  Flag as inappropriate

    If you read the documentation on "Trusted Microsoft Services" - Azure App Services or Azure webapps IS NOT one of the supported "Trusted Services" today. This is ridiculous. I should NOT have to setup an Internal ASE just to be able to effectively firewall off storage to an app service.
    Forcing me to create storage in one region and the app service in another is NOT reasonable.

    Turning off firewall rules to support access to a storage account from an App Service / Azure Webapp is NOT a reasonable solution for production use. Microsoft, please for the love of all that is holy - add App Services / Azure webapps to the list of "trusted microsoft services" so that your customers can effectively isolate access to storage accounts from GENERAL OPEN to internet when using App services. THANK YOU.

  • Ty Hill commented  ·   ·  Flag as inappropriate

    This works if the App Service is in a different region than the Storage Account.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is actually a deal breaker. Just using storage key rotation is not a real option. And vnet integration / private endpoint is for my not feasable.

  • Mick commented  ·   ·  Flag as inappropriate

    The checkbox that reads .... "Allow trusted Microsoft services to access this storage account" should be all that's required to give an app service in the same Azure Subscription access...

  • Raghid commented  ·   ·  Flag as inappropriate

    Securing connections between different azure services is a bit confusing. Private Endpoint connection or whitelisting appservices should be a high priority item to build.

  • Anonymous commented  ·   ·  Flag as inappropriate

    It's very strange that this issue has not been already adressed.
    To save the App Service Log in a storage account is absolutely important to get the firewall properly tightened.
    Microsoft please fix ASAP!
    Thanks

  • Anonymous commented  ·   ·  Flag as inappropriate

    Workaround for me is to create a new VM with static external IP, and whitelist this IP on Blob Storage. Use the new VM as a relay.

    Hope to do a direct upload from Azure App Service to Azure Blob Storage with firewall enabled on Blob Storage. Tried whitelisting App Service outbound IP addresses on Blob Storage but they do not work.

    Download works fine via Azure Front Door IP address CIDR range: 147.243.0.0/16 added to Blob Storage firewall.

  • Joost Groot commented  ·   ·  Flag as inappropriate

    In the security center I am warned that some storage accounts (blobs for appservices) are not secure enough, but I can't configure the firewall option to let thee app service in only. I have to select all networks.

    So weird that Microsoft alerts your of a security flaw on one part and doesn't allow to connect a appservice to a storage account so you don't have to set it on "all networks".

    Guess the security department is a bit in front on developing on azure then the storage-account/appservice department is :-)

  • Somil Ganguly commented  ·   ·  Flag as inappropriate

    We are trying to access storage account under firewall and networks from app service whitelisting outbound Ip's and still doesn't work.

  • Robbe Cauwenbergh commented  ·   ·  Flag as inappropriate

    In case of anyone having this issue when enabling app service logs to the storage, this issue can be solved by integrating both the web app and the storage account in a vnet.
    Do the following:
    - Create a new vnet
    - Integrate the web app into the new vnet/subnet. (Go to the web app/settings/networking/Vnet integration). Use the new (preview) vnet integration
    - Enable the Microsoft.Storage service endpoint on the subnet where you just integrated the web app (go to the vnet/settings/subnets/<subnet where the webapp is integrated>)
    - Configure the storage account firewall to allow connections coming from that vnet/subnet. (go to storage account/settings/firewalls and virtual networks and add the existing virtual network/subnet to the ACL list.
    - Disable and enable the app service logs

    Issue should be resolved.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a great issue!

    It's impossible to archive appservice log in the storage account, because of this issue.

    Is there any workaround other than disabling the firewall?

  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a phenomenal hole. Forcing storage containers for application logs to be publicly reachable from the internet is such a security page 1 fail that I can't even begin to comprehend it.

    How are we meant to design secure system if the architecture is working against you in such a fundamental way???

    At least MS should document any workarounds that exist, until they do the job properly..

← Previous 1 3

Web Apps

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice