Enable Storage Account Firewall to access from App Service without ASE
Currently it is not possible to configure the storage account firewall to accept requests from App Services, even whitelist outbound IP addresses of App Services.
It would be great if the above were possible.
Is this still open, or has MS provided an alternative?
Robbe Cauwenbergh commented
In case anyone is having this issue when enabling App Service logs to storage, it can be solved by integrating both the web app and the storage account in a vnet.
Do the following:
- Create a new vnet
- Integrate the web app into the new vnet/subnet. (Go to the web app/settings/networking/Vnet integration). Use the new (preview) vnet integration
- Enable the Microsoft.Storage service endpoint on the subnet where you just integrated the web app (go to the vnet/settings/subnets/<subnet where the webapp is integrated>)
- Configure the storage account firewall to allow connections coming from that vnet/subnet. (Go to storage account/settings/firewalls and virtual networks and add the existing virtual network/subnet to the ACL list.)
- Disable and enable the app service logs
Issue should be resolved.
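The portal steps in the comment above, scripted with the Azure CLI. This is an added example, not part of the original comment; the resource names and address ranges are placeholders, and the `run` dry-run wrapper is a helper introduced here.

```shell
#!/bin/sh
# Added example: Azure CLI version of the vnet / service-endpoint steps above.
# Resource names and address ranges are placeholders (assumptions).
set -eu

# DRY_RUN=1 (default) prints each az command instead of executing it,
# so the change can be reviewed before it touches a subscription.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: restrict_storage_to_webapp RG WEBAPP STORAGE_ACCOUNT VNET SUBNET
# The body runs in a subshell so its variables stay local.
restrict_storage_to_webapp() (
  rg="$1"; app="$2"; sa="$3"; vnet="$4"; subnet="$5"

  # 1. Create a new vnet with one subnet (constructed address ranges).
  run az network vnet create --resource-group "$rg" --name "$vnet" \
    --address-prefixes 10.10.0.0/16 \
    --subnet-name "$subnet" --subnet-prefixes 10.10.1.0/24

  # 2. Integrate the web app into that subnet.
  run az webapp vnet-integration add --resource-group "$rg" --name "$app" \
    --vnet "$vnet" --subnet "$subnet"

  # 3. Enable the Microsoft.Storage service endpoint on the subnet.
  run az network vnet subnet update --resource-group "$rg" \
    --vnet-name "$vnet" --name "$subnet" \
    --service-endpoints Microsoft.Storage

  # 4. Allow that subnet on the storage account firewall, then make
  #    Deny the default so no other network can reach the account.
  run az storage account network-rule add --resource-group "$rg" \
    --account-name "$sa" --vnet-name "$vnet" --subnet "$subnet"
  run az storage account update --resource-group "$rg" --name "$sa" \
    --default-action Deny

  # 5. Disable and re-enable the app service logs in the portal,
  #    as in the last step of the comment (not scripted here).
)
```

Call `restrict_storage_to_webapp` with your own names to print the commands, and set `DRY_RUN=0` to execute them.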
This is a great issue!
It's impossible to archive App Service logs in the storage account because of this issue.
Is there any workaround other than disabling the firewall?
This is a phenomenal hole. Forcing storage containers for application logs to be publicly reachable from the internet is such a security page 1 fail that I can't even begin to comprehend it.
How are we meant to design secure systems if the architecture is working against you in such a fundamental way???
At least MS should document any workarounds that exist, until they do the job properly.
Since whitelisting a Web App by its public IPs works just fine when using Azure Database for MySQL (via Settings > "Connection Security"), shouldn't this also be feasible to implement for Azure Storage accounts?
Janne Kurkinen commented
A very common use case!
Miika Varis commented
We need this too. To our surprise our API which worked well in local development did not work at all when published to App Services.
Oleg Vakula commented
There is a workaround for application services to access storage account with firewall.
Your Azure storage IP address can be added to IP ADDRESSES ROUTED TO VNet under Virtual Network Integration for the application service.
Harpreet Gill commented
This feature will help us all implement a good security architecture. Hope this becomes a priority soon.
Will Parry commented
Having the same problem. Queried on Twitter. No update. Why is a public App Service using a private IP address which we can't whitelist or allow on the firewall to access Storage Accounts?
Is there no solution or workaround for this error?
Following the workaround mentioned by @Alberto does not work for me, as the LOCAL_ADDR is private and I receive a validation message of 'IP rules support public IP addresses only'.
Need this feature! Sooooo critical.
Any update on this?
Hi, any news on this?
Any update on this?
Gary Ewen commented
So so critical!!!
This is indeed very important. We are using Cloud Services and whitelisting the public IP just doesn't work. I am surprised nobody from Microsoft has even replied to this thread :(
When can we expect this feature?