
Connecting Azure App Service to IP restricted storage account


We have an Azure Storage Account that we need to access from our company but it also needs to be accessible to one of our web apps in the same Resource group. This app is only visible to our company and some other apps that use some parts of it.

So the path looks something like this:

Storage account (Secured for App1 and our company) <= App1 (Secured for Other Apps and our company) <= Other apps (Publicly available)

My question is: how do I secure/set up the storage account so that App1 can use it but it is still only available to our company, without using a VNET?

Currently there is only the exception for our company on the storage account, and the "Allow Azure services on the trusted services list to access this storage account." setting is enabled, which I read on some TechNet thread should allow resources in the same subscription to access the storage account. Unfortunately it doesn't, as Web Apps don't seem to be on the trusted list for some reason.

App1 is .NET Framework 4.8, connecting to the storage account via a connection string and using a container inside it. When the networking security is disabled, everything works properly.

So far I have tried the following:

  1. Allowing all the outbound addresses of App1 on the storage account firewall
  2. Giving App1 an identity and assigning it the Storage Blob Data Contributor role at subscription level per this manual: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp

Is there any option that could do the trick, which should work before we start messing with VNETs?


Solution

  • How do I secure/set up the storage account so that App1 can use it but it is still only available to our company, without using a VNET?

    You can integrate your web app with a VNET so that the web app can access the resources in the virtual network.

    Go to your Web App in the portal --> Select Networking --> Under outbound traffic, select VNET integration --> Add your VNET and the subnet.


    Now go to your Storage Account --> Select Networking --> Under the selected networks, click on Add existing virtual network --> Add your virtual network and the subnet.


    Now, you would be able to access the storage account from your web app.
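Azure CLI equivalent of the two portal steps in the answer above, plus a read-back of the resulting storage firewall rule set, added here as an example (it is not part of the original question or answer). Resource names and the office egress range are placeholders; the script assumes the subnet needs the Microsoft.Storage service endpoint so the storage firewall can match traffic from it, and that the default action stays Deny so only the company range and App1's subnet get through.

```shell
# Added example: CLI form of the answer's portal steps. All names below are placeholders.
set -eu

RG="${RG:-rg-placeholder}"
APP="${APP:-app1-placeholder}"
VNET="${VNET:-vnet-placeholder}"
SUBNET="${SUBNET:-snet-app1-placeholder}"
STORAGE="${STORAGE:-stplaceholder}"
OFFICE_IP="${OFFICE_IP:-203.0.113.0/24}"   # documentation range standing in for the company's egress range

# Step 1 (answer): regional VNet integration makes App1's outbound calls originate
# from SUBNET. The subnet needs the Microsoft.Storage service endpoint for the
# storage firewall to recognise it as an allowed source.
enable_vnet_integration() {
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage --output none
  az webapp vnet-integration add --resource-group "$RG" --name "$APP" \
    --vnet "$VNET" --subnet "$SUBNET" --output none
}

# Step 2 (answer): allow that subnet on the storage firewall, keep the company
# IP exception, and keep the default action Deny so nothing else reaches the account.
restrict_storage_account() {
  az storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET" --output none
  az storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --ip-address "$OFFICE_IP" --output none
  az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny --output none
}

# Check: show the effective rule set (default action, bypass list, IP rules,
# subnet rules) so the change can be reviewed before the app depends on it.
show_effective_rules() {
  az storage account show --resource-group "$RG" --name "$STORAGE" \
    --query "networkRuleSet.{defaultAction:defaultAction,bypass:bypass,ipRules:ipRules[].value,vnetRules:virtualNetworkRules[].virtualNetworkResourceId}" \
    --output json
}

# Nothing runs against Azure unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
  enable_vnet_integration
  restrict_storage_account
  show_effective_rules
fi
```

Run with `APPLY=1 RG=... APP=... VNET=... SUBNET=... STORAGE=... sh script.sh` after `az login`; the final JSON should list the subnet under vnetRules, the office range under ipRules and `"defaultAction": "Deny"`.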