Problem
I have an App Service that is unable to access (unauthorized storage exception) a storage account. Both of these resources are in the same Resource Group (i.e. Resource Group XYZ).
The storage account has its Networking "Allow access from" set to "Selected Networks". From here I configured a Virtual Network, and also included all the outbound IP Addresses under the Firewall section.
Note that if I set the Networking "Allow access from" to "All Networks", then everything works fine.
My Suspicion
I noticed that my app service is NOT on the Virtual Network that the storage account is configured with. I am unable to add the vnet (under the app's Networking blade) due to some error - which I suspect is due to the fact that the app service is under an App Service Plan which is associated with a different resource group (i.e. Resource Group ABC).
Question(s)
Any ideas what could be the culprit to the storage account access issue? Again, I suspect it could be related to the App Service Plan being in a different resource group - in which case, it is a different issue altogether (I am unable to see my other App Service Plans under the "Change App Service Plan" blade).
There are 2 things to take into consideration:
This depends on how locked down your storage account is. If it only allows access from the Vnet that it is on, then you need to add your app service to the same vnet.
You need minimum Standard app service plan for network integration. The app service must also be in the same region as the vnet.
You can either do this using a Managed identity or a Shared Access Signature. See this link for using managed identity: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Ccommand-line
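The steps from the answer above as Azure CLI commands, given as an added example that is not part of the original post. All resource names are placeholders, the app, storage account and VNet are assumed to share one resource group, and the role name is an assumption about the access the app needs.

```shell
# Added example, not code from the post. Every resource name is a placeholder.
# DRY_RUN=1 (default) only prints the az commands; DRY_RUN=0 executes them.
set -eu
DRY_RUN="${DRY_RUN:-1}"
RG="rg-xyz"                          # assumed shared by app, storage account, VNet
APP="my-app"; STG="mystorageacct"
VNET="my-vnet"; SUBNET="appsvc-integration"   # subnet assumed to exist already
ROLE="Storage Blob Data Reader"      # assumption: read-only blob access is enough

run() {   # echo the command; execute it only when DRY_RUN=0
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Locations can come back as "West Europe" or "westeurope"; compare normalized.
norm_region() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' '; }
same_region() { [ "$(norm_region "$1")" = "$(norm_region "$2")" ]; }

integrate() {
  # 1. Route the app's outbound traffic through the subnet (VNet integration).
  run az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
  # 2. Enable the Microsoft.Storage service endpoint on that subnet.
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --service-endpoints Microsoft.Storage
  # 3. Allow the subnet through the storage firewall ("Selected networks").
  run az storage account network-rule add -g "$RG" --account-name "$STG" \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

grant_identity() {
  # 4. Give the app a system-assigned managed identity and a data-plane role.
  run az webapp identity assign -g "$RG" -n "$APP"
  pid='<principal-id>'; scope='<storage-account-resource-id>'
  if [ "$DRY_RUN" = "0" ]; then
    pid=$(az webapp identity show -g "$RG" -n "$APP" --query principalId -o tsv)
    scope=$(az storage account show -g "$RG" -n "$STG" --query id -o tsv)
  fi
  run az role assignment create --assignee-object-id "$pid" \
    --assignee-principal-type ServicePrincipal --role "$ROLE" --scope "$scope"
}

main() {
  if [ "$DRY_RUN" = "0" ]; then   # the app and the VNet must be in the same region
    app_loc=$(az webapp show -g "$RG" -n "$APP" --query location -o tsv)
    vnet_loc=$(az network vnet show -g "$RG" -n "$VNET" --query location -o tsv)
    same_region "$app_loc" "$vnet_loc" || { echo "region mismatch" >&2; exit 1; }
  fi
  integrate; grant_identity
}
main
```

Review the printed commands first, then rerun with `DRY_RUN=0` after `az login`.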