Enable Storage Account Firewall to access from App Service without ASE
Currently it is not possible to configure the storage account firewall to accept requests from App Services, even by whitelisting the outbound IP addresses of the App Services.
It would be great if the above were possible.
Oleg Vakula commented
There is a workaround for application services to access storage account with firewall.
Your Azure storage IP address can be added to IP ADDRESSES ROUTED TO VNet under Virtual Network Integration for the application service.
Harpreet Gill commented
This feature will help us all implement a good security architecture. Hope this becomes a priority soon.
Will Parry commented
Having the same problem. Queried on Twitter. No update. Why is a public App Service using a private IP address which we can't whitelist or allow on the firewall to access Storage Accounts?
Is there no solution or workaround for this error?
Following the workaround mentioned by @Alberto does not work for me, as the LOCAL_ADDR is private and I receive a validation message of 'IP rules support public IP addresses only'.
Need this feature! Sooooo critical.
Any update on this?
Hi, any news on this?
Any update on this?
Gary Ewen commented
So so critical!!!
This is indeed very important. We are using Cloud Services and whitelisting the public IP just doesn't work. I am surprised nobody from Microsoft has even replied to this thread :(
When can we expect this feature?
Asif Mithawala commented
Same problem. Can't get to Storage Account from Azure Functions....
Any progress? It's really critical.
Any update on the above issue?
I have the same problem. If I run my code outside Azure App Service and whitelist the IP, the connection to Storage works. If I run the same code on App Service, whitelisting the App Service IP sadly does not work, and requests are blocked.
For me this is a big security problem.
I have the same problem and it's very annoying! I have opened already a couple of tickets with Support but still no luck.
Summary: I need to have a firewall active on our Blob Storage and lock it to the webapp IP Addresses.
- Virtual Network: Not supported for Webapps
- Use firewall with Outbound IP Addresses for Webapp located on same DC as storage: Not working
- Use firewall with Outbound IP Addresses for Webapp located on different DC from storage: Cannot be used, low performance
- The only workaround is to use the internal IP address, as suggested by support (pasted below).
This is anyway a very unreliable solution, as internal IP Addresses may change (when there is maintenance, scale up/down, scale in/out)
It is by design that the storage firewall blocks visits from internal IPs as well. I would suggest that you keep the storage firewall turned off in such a situation.
A workaround exists if you want to keep the storage firewall on, that is to add the internal IP address of the Web App to the whitelist of the firewall.
The internal IP address of a Web App can be found in its Kudu (scm) site. Please go to the Kudu site of the Web App, choose the Environment tab and find the address following the property “LOCAL_ADDR”.
The downside of this workaround is that the internal IP address of a Web App can sometimes change for reasons such as instance patching and scaling. Please be careful when choosing this approach.