308 votes · triaged · 11 comments · Azure Monitor-Log Analytics » Log Management and Log Collection Policy
355 votes
Alberto commented
I have the same problem and it's very annoying! I have already opened a couple of tickets with Support but still no luck.
Summary: I need to have a firewall active on our Blob Storage and lock it to the webapp IP Addresses.
- Virtual Network: Not supported for Webapps
- Use firewall with Outbound IP Addresses for Webapp located on same DC as storage: Not working
- Use firewall with Outbound IP Addresses for Webapp located on different DC from storage: Cannot be used, low performance
- The only workaround is to use the internal IP Address, as suggested by Support (pasted below).
This is anyway a very unreliable solution, as internal IP Addresses may change (when there is maintenance, scale up/down, scale in/out).
It is by design that the storage firewall blocks visits from internal IPs as well. I would suggest that you keep the storage firewall turned off in such a situation.
A workaround exists if you want to keep the storage firewall on, that is to add the internal IP address of the Web App to the whitelist of the firewall.
The internal IP address of a Web App can be found in its Kudu (scm) site. Please go to the Kudu site of the Web App, choose the Environment tab and find the address following the property “LOCAL_ADDR”.
The downside of this workaround is that the internal IP address of a Web App can sometimes change for reasons such as instance patching and scaling. Please be careful when choosing this approach.
We have started work on the Vnet integration for Linux sites. The feature is currently in preview.
I will update this status as the engineering team progresses.
Thanks for your feedback. This is planned as a new supported RuleSet.
Thanks for your feedback. This is planned as part of global WAF configurable parameters.