Allow Logic Apps to Work With Firewalled Storage Accounts
Currently if you are using the firewall feature in an Azure Storage Account, you are unable to access that Account from a Logic App Connector, no matter how you try to modify the firewall. Microsoft support has told me that this is a known issue and there is no ETA. This is a major issue for anyone who wants to properly secure their storage and still make use of Logic Apps.
OK, this is much-needed functionality. While it is possible to use a system-assigned managed identity and configure IAM for storage (together with Networking -> Selected networks combined with the "trust Microsoft services" checkbox), the user-assigned managed identity still doesn't work.
Even by using a managed identity, the API connection for (blob) storage still only supports connectivity through a SAS token. This means that you need to adjust your Logic App to use HTTP calls instead of being able to use the provided storage connector.
A user-assigned managed identity that works, combined with triggers/actions that can use it as an API connection, is a welcome addition.
If I understand correctly, Logic Apps, whether ISE-deployed or not, can currently only be triggered by storage accounts in the same region, which makes it impossible for us to switch on the firewall 🙁 The only option left is to investigate private endpoints.
Ehret, Torben commented
This is also a requirement on our side.
I see 2 possible options:
* use the generic HTTP connector as already explained by Carlo (https://feedback.azure.com/users/359951560-carlo)
* add an option to specify the Managed Identity for the managed connector for the Azure Blob Storage.
I have the same problem
David Hurtado Toran commented
Much requested by customers!
It's a must
One possible workaround to this issue is to use the HTTP connector with MSI to access the storage account.
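The workaround described in this thread (system-assigned managed identity on the Logic App, storage firewall set to Deny with the "trusted Microsoft services" bypass, and the generic HTTP action instead of the Blob connector) can be expressed as a single ARM template. The following is an added example, not code from the thread, from Microsoft or from any product documentation; the storage account name, the container and blob path (`mycontainer/config.json`), the Logic App name and the hourly recurrence trigger are all assumed placeholders. The `//` comments are for the reader and must be stripped before deployment, since ARM templates are plain JSON.

```jsonc
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },                     // assumed: supplied at deploy time
    "logicAppName": { "type": "string", "defaultValue": "la-blob-reader" }, // assumed name
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    // Built-in role "Storage Blob Data Reader": data-plane read access only, no account-key access.
    "blobReaderRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "kind": "StorageV2",
      "sku": { "name": "Standard_LRS" },
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "networkAcls": {
          "defaultAction": "Deny",     // firewall on: everything not listed below is blocked
          "bypass": "AzureServices",   // the "trust Microsoft services" checkbox from the portal
          "ipRules": [],               // deliberately empty: no regional Logic Apps IP ranges
          "virtualNetworkRules": []
        }
      }
    },
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "[parameters('logicAppName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },   // the identity the HTTP action authenticates with
      "properties": {
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "triggers": {
            "Recurrence": { "type": "Recurrence", "recurrence": { "frequency": "Hour", "interval": 1 } }
          },
          "actions": {
            "Get_blob": {
              "type": "Http",   // generic HTTP action, used because the Blob connector only supports SAS
              "inputs": {
                "method": "GET",
                "uri": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/mycontainer/config.json')]",
                // Azure AD (OAuth) requests to Blob storage require a 2017-11-09 or later service version.
                "headers": { "x-ms-version": "2019-12-12" },
                "authentication": {
                  "type": "ManagedServiceIdentity",
                  "audience": "https://storage.azure.com/"
                }
              },
              "runAfter": {}
            }
          },
          "outputs": {}
        }
      }
    },
    {
      // Grant the Logic App's identity read access on this storage account only.
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, parameters('logicAppName'), 'blob-reader')]",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('blobReaderRoleId')]",
        "principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2019-05-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

The point of the layout is that no account key or SAS token appears anywhere and `ipRules` stays empty: access is decided by the storage account's RBAC assignment for one specific principal, not by a regional IP range that every Logic App in that region shares. If the HTTP action returns 403 after deployment, check that the `AzureServices` bypass is actually set (the `networkAcls` block is the firewall) and that the role assignment is scoped to the storage account being called.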
Please add this functionality asap. This is severely hindering our ability to secure our storage accounts that are used by Logic Apps.
There is a workaround for this problem. You can now create an Integration Service Environment (ISE) and, when creating the Logic App, select the ISE instead of a region. After successful deployment, you will get the same connectors/triggers/actions but with the ISE component, and using that you'll be able to connect.
Don Petry commented
This limitation is documented here: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#access-storage-accounts-behind-firewalls
We'd like to see this limitation removed. Placing Storage Accounts in a different region creates issues with performance, manageability, resilience, and data sovereignty.
But we should not be whitelisting Logic App regional IPs; that essentially allows any LA from that region permission to connect. This cannot be the right way of authenticating.
Prabhu Kannan commented
I have the same problem. As a workaround, Microsoft suggested keeping the Logic App and the storage account in different regions and whitelisting the Logic Apps regional IPs in the storage account firewall. This worked.
I'm having the same problem. Apparently this is still not resolved. Please let us know an ETA.
Jaswanth Gundu commented
Please make this a priority. The only way right now to let a LA access a SA is to leave it open to all networks; the only barrier in place would be AD authentication. With security, it always helps to have layers of it in place.
I've added all the IP ranges from LA (connector outgoing IP addresses, access endpoint IP addresses, and runtime outgoing IP addresses), but it is still not able to talk to the SA in question. One explanation might be that it takes time for firewall rules to take effect? I will wait and see.
This, along with not having a PGP encryption connector in Logic Apps, rules out Logic Apps for real-world use cases.
Trond Olsen commented
The documentation says the firewall is only available for VNET. Logic Apps are currently not supporting VNET.
Any idea if this has been resolved? Or is there a workaround?