How can we improve Azure Storage?

Enable Storage Account Firewall to access from App Service without ASE

Currently it is not possible to configure the storage account firewall to accept requests from App Services, even by whitelisting the outbound IP addresses of the App Services.
It would be great if the above were possible.

254 votes
Masayuki Tanaka shared this idea


  • Simon commented

    This is indeed very important. We are using Cloud Services and whitelisting the public IP just doesn't work. I am surprised nobody from Microsoft has even replied to this thread :(

  • Bartosz commented

    I have the same problem. If I run my code outside Azure App Service and whitelist the IP, the connection to Storage works. If I run the same code on App Service, whitelisting the App Service IP sadly does not work, and requests are blocked.
    For me this is a big security problem.

  • Alberto commented

    I have the same problem and it's very annoying! I have already opened a couple of tickets with Support but still no luck.

    Summary: I need to have a firewall active on our Blob Storage and lock it to the webapp IP Addresses.

    - Virtual Network: Not supported for Webapps
    - Use firewall with Outbound IP Addresses for Webapp located on same DC as storage: Not working
    - Use firewall with Outbound IP Addresses for Webapp located on different DC from storage: Cannot be used, low performance
    - The only workaround is to use the internal IP address, as suggested by Support in the reply pasted below.
    This is anyway a very unreliable solution, as internal IP addresses may change (when there is maintenance, scale up/down, scale in/out).


    It is by design that the storage firewall blocks visits from internal IPs as well. I would suggest that you keep the storage firewall turned off in such a situation.
    A workaround exists if you want to keep the storage firewall on, that is to add the internal IP address of the Web App to the whitelist of the firewall.
    The internal IP address of a Web App can be found in its Kudu (scm) site. Please go to the Kudu site of the Web App, choose the Environment tab and find the address following the property “LOCAL_ADDR”.
    The downside of this workaround is that the internal IP address of a Web App can sometimes change for reasons such as instance patching and scaling. Please be careful when choosing this approach.
