Firewall access from Azure app service to blob storage

Asked 3/5, 2019 at 11:5 Answered 8/5, 2019 at 13:24

Solved azure azure-web-app-service azure-storage

I am trying to lock down access to blob storage to an app service. I have the following powershell code which gets the possible outgoing ip addresses from an app service I run and then limits access to blob storage to those ip addresses:

Write-Host ("Setting blob storage access restrictions")
$appServiceIPAddresses = (Get-AzureRmWebApp -ResourceGroupName $resourceGroupName -name $webSiteName).PossibleOutboundIpAddresses.Split(",")
$currentStorageAccessRules = (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName).IpRules 
$currentStorageAccessRules = {$currentStorageAccessRules}.Invoke() # Convert to modifiable list
foreach($ipAddress in $appServiceIPAddresses) {
    if (($currentStorageAccessRules | Where-Object { $_.IPAddressOrRange -eq $ipAddress }) -ne $null) {
        Write-Host("IP $ipAddress already has access to blob storage $storageAccountName")
    } else {
        Write-Host("Allowing IP $ipAddress access to blob storage $storageAccountName")
        $ipRule = New-Object -TypeName Microsoft.Azure.Commands.Management.Storage.Models.PSIpRule
        $ipRule.Action = 'Allow'
        $ipRule.IPAddressOrRange = $ipAddress
        $currentStorageAccessRules.Add($ipRule)
    }
}
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName -IPRule $currentStorageAccessRules -DefaultAction Deny
Write-Host ("Updated blob storage access restrictions")

This sets all of the ip addresses I would expect correctly, however I now get a 403 Forbiden when the app service tries to access blob storage. All containers are private so there should be no url access to the blobs I just access them programmatically from the app service. Can anyone see why the above approach does not work?

Chere answered 3/5, 2019 at 11:5 Comment(5)

Could be that it's using an Azure internal address instead of one of the public facing ones? Are you aware those IP addresses are shared by other apps the way? Unless you're running in an ASE of course :) – Munoz 3/5, 2019 at 11:18

after your script ran, have you checked in the portal if the proper IPs are listed in the storage account firewall rules? Also, does it work if you do it manually in the portal? – Durative 3/5, 2019 at 12:19

Yes the IP addresses are listed in the portal correctly. No it doesn't work if I put them in manually either. My understanding is there is no such thing as an app service 'internal ip address', all outgoing traffic will be sent from those ip addresses, it doesn't matter if those Ip addresses are shared – Chere 3/5, 2019 at 12:42

If you directly access to blob storage from Azure app service on the portal without the firewall enabled, does it work? – Gerhardt 3/5, 2019 at 15:18

Yes, Nancy it does. It stops working when I turn the ip restrictions on – Chere 8/5, 2019 at 6:56

According to the article here: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security "IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests." so my rules above would have been ignored and I need to setup a virtual network to lock down access. Hope this helps someone.

Further information on how to do this is here: https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

Chere answered 8/5, 2019 at 13:24 Comment(0)

Most likely this could be a permission problem,depending on what specific authentication method you are using to access the storage account, there are three: SAS, Storage Key and Name, and AAD. You have to ensure that you have access to Blob Storage as a service depending on which you are using. I'd recommend checking this documentation which contains more info.

Also, in the firewall setting, try checking the "Allow trusted Microsoft services to access this storage account" and try again.

Gallinule answered 3/5, 2019 at 16:57 Comment(1)

It's not a permission problem, access is only cut off when the IP address restrictions are put in place. It works fine otherwise. I have also added "Allow trusted Microsoft services to access this storage account" but if you look at the list of trusted services it does not include app services, this is mostly back services etc – Chere 8/5, 2019 at 8:54

Recommended topics

Hot tags