Enable Storage Account Firewall to access from App Service without ASE
Currently it is not possible to configure the storage account firewall to accept requests from App Services, even when whitelisting the outbound IP addresses of the App Services.
It would be great if the above were possible.
Securing connections between different Azure services is a bit confusing. Private Endpoint connections or whitelisting App Services should be a high-priority item to build.
Steven Dian commented
Azure App Service SHOULD be (IMHO) a "Trusted Microsoft Service". Why is it not?
It's very strange that this issue has not already been addressed.
To save the App Service Log in a storage account is absolutely important to get the firewall properly tightened.
Microsoft please fix ASAP!
Workaround for me is to create a new VM with static external IP, and whitelist this IP on Blob Storage. Use the new VM as a relay.
Hope to do a direct upload from Azure App Service to Azure Blob Storage with firewall enabled on Blob Storage. Tried whitelisting App Service outbound IP addresses on Blob Storage but they do not work.
Download works fine via Azure Front Door IP address CIDR range: 22.214.171.124/16 added to Blob Storage firewall.
Joost Groot commented
In the Security Center I am warned that some storage accounts (blobs for App Services) are not secure enough, but I can't configure the firewall option to let only the App Service in. I have to select all networks.
So weird that Microsoft alerts you of a security flaw on one part and doesn't allow you to connect an App Service to a storage account, so you don't have to set it to "all networks".
Guess the security department is a bit further ahead in developing on Azure than the storage-account/App Service department is :-)
Somil Ganguly commented
We are trying to access a storage account under "Firewalls and virtual networks" from an App Service by whitelisting the outbound IPs, and it still doesn't work.
Is this still open, or has MS provided an alternative?
Robbe Cauwenbergh commented
For anyone having this issue when enabling App Service logs to storage, it can be solved by integrating both the web app and the storage account in a VNet.
Do the following:
- Create a new vnet
- Integrate the web app into the new VNet/subnet (go to the web app > Settings > Networking > VNet integration). Use the new (preview) VNet integration.
- Enable the Microsoft.Storage service endpoint on the subnet where you just integrated the web app (go to the vnet/settings/subnets/<subnet where the webapp is integrated>)
- Configure the storage account firewall to allow connections coming from that VNet/subnet (go to the storage account > Settings > Firewalls and virtual networks and add the existing virtual network/subnet to the ACL list).
- Disable and enable the app service logs
Issue should be resolved.
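The same procedure as an Azure CLI script. This is an added example, not code from the thread or from Microsoft; the resource group, VNet, subnet, web app and storage account names are placeholders (override them via environment variables), the address prefixes are arbitrary, and the "disable and enable the App Service logs" step is left to the portal. It also folds in the check a later comment runs into: storage IP rules accept public addresses only, so the helper refuses RFC 1918, loopback and link-local IPv4 addresses before calling `az`. Setting `AZ=echo` prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example: Azure CLI implementation of the VNet-integration workaround.
# All names below are placeholders (assumptions), not values from the thread.
RG=${RG:-myapp-rg}
LOCATION=${LOCATION:-westeurope}
VNET=${VNET:-myapp-vnet}
SUBNET=${SUBNET:-webapp-integration}
WEBAPP=${WEBAPP:-myapp-web}
STORAGE=${STORAGE:-myapplogs}
AZ=${AZ:-az}   # set AZ=echo for a dry run that only prints the commands

# Storage IP rules reject private addresses ("IP rules support public IP
# addresses only"). IPv4 only: rejects RFC 1918, loopback and link-local.
is_public_ip() {
  case "$1" in
    10.*|192.168.*|127.*|169.254.*)          return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 1 ;;
    *)                                       return 0 ;;
  esac
}

# Steps 1-3: create the VNet, delegate the subnet to App Service for regional
# VNet integration, enable the Microsoft.Storage service endpoint on it, and
# integrate the web app into that subnet.
setup_vnet() {
  $AZ network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefix 10.10.0.0/16 --subnet-name "$SUBNET" --subnet-prefix 10.10.1.0/24
  $AZ network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --delegations Microsoft.Web/serverFarms --service-endpoints Microsoft.Storage
  $AZ webapp vnet-integration add --resource-group "$RG" --name "$WEBAPP" \
    --vnet "$VNET" --subnet "$SUBNET"
}

# Step 4: allow only that subnet through the storage firewall, then switch the
# default action to Deny so "all networks" is no longer the effective setting.
lock_down_storage() {
  $AZ storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  $AZ storage account update --resource-group "$RG" --name "$STORAGE" --default-action Deny
}

# Optional: also allow one public IP (e.g. a relay VM), validated first so the
# call does not fail with the "public IP addresses only" validation error.
allow_public_ip() {
  if ! is_public_ip "$1"; then
    echo "refusing $1: IP rules support public IP addresses only" >&2
    return 1
  fi
  $AZ storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --ip-address "$1"
}

# Run the whole workaround only when explicitly requested.
if [ "${RUN_WORKAROUND:-0}" = 1 ]; then
  setup_vnet
  lock_down_storage
fi
```

After the storage default action is Deny, disable and re-enable the App Service logs in the portal so the log writer reconnects through the integrated subnet. Note that `az storage account update --default-action Deny` also cuts off the portal and your own workstation unless their public IPs are added with `allow_public_ip`.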
This is a great issue!
It's impossible to archive App Service logs in the storage account because of this issue.
Is there any workaround other than disabling the firewall?
This is a phenomenal hole. Forcing storage containers for application logs to be publicly reachable from the internet is such a security page 1 fail that I can't even begin to comprehend it.
How are we meant to design secure systems if the architecture is working against you in such a fundamental way?
At least MS should document any workarounds that exist, until they do the job properly..
Since whitelisting a Web App by its public IPs works just fine when using Azure Database for MySQL (via Settings > "Connection Security"), shouldn't this also be feasible to implement for Azure Storage accounts?
Janne Kurkinen commented
A very common use case!
Miika Varis commented
We need this too. To our surprise our API which worked well in local development did not work at all when published to App Services.
Oleg Vakula commented
There is a workaround for App Services to access a storage account with the firewall enabled.
Your Azure Storage IP address can be added under "IP ADDRESSES ROUTED TO VNet" in the Virtual Network Integration settings of the App Service.
Harpreet Gill commented
This feature will help us all implement a good security architecture. Hope this becomes a priority soon.
Will Parry commented
Having the same problem. Queried on Twitter. No update. Why is a public App Service using a private IP address which we can't whitelist or allow on the firewall to access Storage Accounts?
Is there no solution or workaround for this error?
Following the workaround mentioned by @Alberto does not work for me, as the LOCAL_ADDR is a private address and I receive the validation message 'IP rules support public IP addresses only'.
Need this feature! Sooooo critical.
Any update on this?