Enable App Service without ASE to access Storage Account with Firewall enabled
Currently it is not possible to configure the storage account firewall to accept requests from App Services without an ASE. This requires App Service to be enabled for trusted access to storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services.
It would be great if the above were possible.

Thank you for the feedback. We understand the limitation and will update this ticket as information becomes available.
- Jason
41 comments
-
Vansevenant, Stijn commented
Impossible to follow Microsoft's own Azure Security Center recommendations to configure firewall rules on the storage account and to configure backups on your app services using those storage accounts.
This is a must have feature. I'm forced now to either disable my firewall or disable my periodic backups.
-
Kozak, Daniel commented
This feature is absolutely required. Any backup/core service that Microsoft offers should be included under the "Allow trusted Microsoft services to access this storage account"
-
Anonymous commented
It's been more than 2 years, everyone has already exposed how important this feature is. Is there any news about it? At least a timeline please!
-
Anonymous commented
Please add this feature - we followed security centre recommendations to lock down our firewall rules and broke SQL vulnerability scanning and web app backups. As far as I can tell there is no warning in security centre or in the Storage firewall. Please fix as things like this create waste for customers and Microsoft. This is technical debt and should be resolved.
-
Dian, Steven commented
If you read the documentation on "Trusted Microsoft Services" - Azure App Services or Azure webapps IS NOT one of the supported "Trusted Services" today. This is ridiculous. I should NOT have to set up an Internal ASE just to be able to effectively firewall off storage to an app service.
Forcing me to create storage in one region and the app service in another is NOT reasonable. Turning off firewall rules to support access to a storage account from an App Service / Azure Webapp is NOT a reasonable solution for production use. Microsoft, please for the love of all that is holy - add App Services / Azure webapps to the list of "trusted Microsoft services" so that your customers can effectively isolate access to storage accounts from GENERAL OPEN to internet when using App services. THANK YOU.
-
Ty Hill commented
This works if the App Service is in a different region than the Storage Account.
-
Anonymous commented
This is actually a deal breaker. Just using storage key rotation is not a real option. And VNet integration / private endpoint is not feasible for me.
-
Tuhin Mukherjee commented
It's a basic security feature which should be enabled for storage accounts.
-
Mick commented
The checkbox that reads .... "Allow trusted Microsoft services to access this storage account" should be all that's required to give an app service in the same Azure Subscription access...
-
Raghid commented
Securing connections between different Azure services is a bit confusing. Private Endpoint connection or whitelisting App Services should be a high priority item to build.
-
Steven Dian commented
Azure App Service SHOULD be (IMHO) a "Trusted Microsoft Service". Why is it not?
-
Anonymous commented
It's very strange that this issue has not already been addressed.
Saving the App Service log to a storage account is absolutely important, and so is getting the firewall properly tightened.
Microsoft please fix ASAP!
Thanks
-
Anonymous commented
Workaround for me is to create a new VM with static external IP, and whitelist this IP on Blob Storage. Use the new VM as a relay.
Hope to do a direct upload from Azure App Service to Azure Blob Storage with firewall enabled on Blob Storage. Tried whitelisting App Service outbound IP addresses on Blob Storage but they do not work.
Download works fine via Azure Front Door IP address CIDR range: 147.243.0.0/16 added to Blob Storage firewall.
-
Joost Groot commented
In the security center I am warned that some storage accounts (blobs for App Services) are not secure enough, but I can't configure the firewall option to let the app service in only. I have to select all networks.
So weird that Microsoft alerts you of a security flaw on one part and doesn't allow you to connect an app service to a storage account so you don't have to set it to "all networks".
Guess the security department is a bit further ahead in developing on Azure than the storage-account/App Service department is :-)
-
Somil Ganguly commented
We are trying to access a storage account under firewalls and networks from an app service by whitelisting outbound IPs and it still doesn't work.
-
Anonymous commented
Is this still open or has MS provided an alternative?
-
Robbe Cauwenbergh commented
In case anyone is having this issue when enabling app service logs to the storage, this issue can be solved by integrating both the web app and the storage account in a VNet.
Do the following:
- Create a new vnet
- Integrate the web app into the new vnet/subnet. (Go to the web app/settings/networking/Vnet integration). Use the new (preview) vnet integration
- Enable the Microsoft.Storage service endpoint on the subnet where you just integrated the web app (go to the vnet/settings/subnets/<subnet where the webapp is integrated>)
- Configure the storage account firewall to allow connections coming from that vnet/subnet. (go to storage account/settings/firewalls and virtual networks and add the existing virtual network/subnet to the ACL list.
- Disable and enable the app service logs.
Issue should be resolved.
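The four configuration steps in the comment above, expressed as one Bicep template so the result is reviewable and repeatable. This is an added example, not code from the commenter or from Microsoft; the resource names (vnet-appsvc, snet-appsvc, stlogsexample, plan-appsvc, app-example), the address ranges and the S1 SKU are assumptions, and the storage account name must be globally unique.

```bicep
// Added example (not the commenter's code): VNet-integrated App Service
// reaching a storage account whose firewall default action is Deny.
// Assumed names: vnet-appsvc, snet-appsvc, stlogsexample, plan-appsvc, app-example.
param location string = resourceGroup().location
param storageAccountName string = 'stlogsexample'   // assumed; must be globally unique
param appName string = 'app-example'                 // assumed

var vnetName = 'vnet-appsvc'
var subnetName = 'snet-appsvc'
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName)

// Steps 1 and 3: a VNet whose integration subnet is delegated to App Service
// and carries the Microsoft.Storage service endpoint.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }   // assumed range
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'                    // assumed range
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          delegations: [
            { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
        }
      }
    ]
  }
}

// Step 4: the storage firewall denies everything by default and allows only
// the integration subnet. No public IP rule is added, so the account is not
// reachable from the internet. 'bypass' only affects the trusted-services
// list, which (as this thread notes) does not include App Service.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      ipRules: []
      virtualNetworkRules: [ { id: subnetId, action: 'Allow' } ]
    }
  }
  dependsOn: [ vnet ]
}

// Step 2: regional VNet integration of the web app into that subnet.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-appsvc'
  location: location
  sku: { name: 'S1', tier: 'Standard' }   // assumed; any tier that supports VNet integration
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: subnetId
  }
  dependsOn: [ vnet ]
}
```

After deployment, step 5 is still manual: disable and re-enable the App Service logs so the platform re-establishes the storage connection. To check the result, `az storage account show -n stlogsexample -g <rg> --query networkRuleSet` should report `defaultAction: Deny` with only the subnet listed under `virtualNetworkRules`, and `az webapp vnet-integration list -g <rg> -n app-example` should list that subnet. Two caveats worth knowing: the storage rule is bound to the subnet, not to the app, so anything else integrated into the same subnet gets identical access; and this does not make App Service a "trusted Microsoft service", so features that rely on that list (the backups and vulnerability scanning discussed earlier in the thread) are not helped by it.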
-
Anonymous commented
This is a great issue!
It's impossible to archive App Service logs in the storage account, because of this issue.
Is there any workaround other than disabling the firewall?
-
Anonymous commented
This is a phenomenal hole. Forcing storage containers for application logs to be publicly reachable from the internet is such a security page 1 fail that I can't even begin to comprehend it.
How are we meant to design secure systems if the architecture is working against you in such a fundamental way???
At least MS should document any workarounds that exist, until they do the job properly.