We have an Azure Storage Account that we need to access from our company but it also needs to be accessible to one of our web apps in the same Resource group. This app is only visible to our company and some other apps that use some parts of it.
So the path looks something like this:
Storage account (Secured for App1 and our company) <= App1 (Secured for Other Apps and our company) <= Other apps (Publicly available)
My question is: How to secure/setup the storage account so the App1 can use it but it is still only available to our company without using VNET?
Currently there is only the exception for our company on the storage account. And the "Allow Azure services on the trusted services list to access this storage account." setting is allowed, which I read on some Technet thread should allow the access of resources in the same subscription to the storage account, which it unfortunately doesn't, as Web Apps don't seem to be on the trusted list for some reason.
The App1 is .NET Framework 4.8 connecting to the storage in the account via connection string and is using a container inside it. When the Networking security is disabled everything is working properly.
So far I have tried the following:
Allowing all the outbound address of App1 on the storage account FW
Giving App1 an Identity and assigning it the Storage Blob Data Contributor role on Subscription level per this manual https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp
Is there any option that could do the trick before we start messing with VNETs which should work?
How to secure/setup the storage account so the App1 can use it but it is still only available to our company without using VNET?
You can integrate your web app with VNET so that the web app can access the resources in the Virtual Network
Go to your Web App in the portal --> Select networking --> In the outbound traffic, select VNET integration --> Add your VNET and the subnets
Now go to your Storage Account --> Select Networking --> Under the selected networks, click on Add existing virtual network --> Add your virtual network and the subnets
Now, you would be able to access the storage account from your web app.
Related
We have a .Net application, running in a docker container, connecting to Azure Storage, running on Azure AKS. We use the connectionString to connect to the Azure Storage, for both temporary file storage, as well as logging purposes. Our AKS sits within a vNet, with its own subnet, and it happily connects to the storage, which also sits in its own subnet, with the two subnets linked via a service endpoint. The storage is not open to all networks, it's been set to only be enabled from selected virtual networks and IP addresses.
Now, if we try and move / run the container on the AKS virtual node, it starts up and runs without any issues, but if we try and hit the storage from within the container, we now have authorization issues:
Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure
Content: AuthorizationFailureThis request is not authorized to perform this operation.
RequestId:131fd452-901e-001a-4329-f3010f000000
Time:2022-11-08T04:23:09.0663031Z
If I enable the storage to have public network access, it works, but we don't want this. So what are our options to fix this, seeing as we can't add a service endpoint to the underlying subnet / vNet on which the virtual node is running? We're also concerned, because this will probably affect any db connections as well, which will be an issue if we want to run our db backed containers on the virtual node.
Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure
Content: AuthorizationFailureThis request is not authorized to perform this operation.
The above 403 errors occur when you have not given proper permission and also have not assigned roles in the storage account.
For principal authentication purpose you need to assign roles in your storage account.
Storage blob data owner
Storage blob data contributor.
Portal:
In portal go to your storage account -> Access Control (IAM) -> Add ->Add role assignments-> Storage blob data owner or Storage blob data contributor with your service principal.
After assigning it you can view the access through the portal by referring to the snap below:
Make sure with Networking and Firewalls and virtual networks in the public access is set to Enabled from selected virtual networks and IP addresses.
Make sure you are adding the correct virtual network and subnets in the portal, and also the virtual node client IP address in your environment; the issue may be that the client IP was not added to the firewall rules for the storage account. Also check that "Allow Azure services on the trusted services list to access this storage account." is in the checked state. Then, these trusted providers will establish a secure connection to your storage account using strong authentication.
Go to Azure Portal -> Storage Accounts -> Networking-> Enabled from selected virtual networks and IP addresses.
Reference:
Creating Azure Storage Containers in a storage account with network rules, with Terraform by Ansuman Bal
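Before changing role assignments it is worth reading the error body the SDK printed above, because the ErrorCode says which layer rejected the request. The following script is an added example (not from the question or the answer) that parses the Status, ErrorCode, RequestId and Time lines of an Azure Storage exception message and maps the code to the layer a practitioner should check first; the sample error text is constructed from the values quoted in the question, and the layer descriptions are my own summary of the documented storage error codes.

```python
import re

# Constructed sample: the exception text from the question above, in the
# shape the .NET Azure.Storage SDK prints it (RequestId and Time copied from
# the post).
SAMPLE_ERROR = """Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Content: AuthorizationFailureThis request is not authorized to perform this operation.
RequestId:131fd452-901e-001a-4329-f3010f000000
Time:2022-11-08T04:23:09.0663031Z
"""

# Which layer produces each storage ErrorCode, hence what to check first.
LAYER_BY_CODE = {
    "AuthorizationFailure":
        "network rules: the storage firewall / virtual network rules rejected the "
        "caller's source address; RBAC roles are not consulted at this point",
    "AuthorizationPermissionMismatch":
        "caller authenticated but lacks a data-plane RBAC role on the account "
        "(e.g. Storage Blob Data Contributor)",
    "AuthenticationFailed":
        "account key or SAS signature is invalid (wrong key, clock skew, malformed SAS)",
    "AuthorizationResourceTypeMismatch":
        "SAS was issued for a different resource type than the one requested",
    "AuthorizationServiceMismatch":
        "SAS was issued for a different storage service (blob/queue/table/file)",
}

# The SDK prints one "Name: value" pair per line; RequestId/Time have no space.
FIELD_RE = re.compile(r"^(Status|ErrorCode|RequestId|Time):\s*(.+?)\s*$", re.MULTILINE)


def parse_storage_error(text):
    """Return the printed fields as a dict, with the numeric status under StatusCode."""
    fields = dict(FIELD_RE.findall(text))
    m = re.match(r"(\d{3})", fields.get("Status", ""))
    fields["StatusCode"] = int(m.group(1)) if m else None
    return fields


def classify(text):
    """Summarise an error body: HTTP status, error code, request id and the layer to check."""
    fields = parse_storage_error(text)
    code = fields.get("ErrorCode")
    return {
        "status": fields["StatusCode"],
        "error_code": code,
        "request_id": fields.get("RequestId"),
        "time": fields.get("Time"),
        "layer": LAYER_BY_CODE.get(code, "unrecognised error code; check the REST error table"),
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

The RequestId and Time fields are what Azure support and the storage diagnostic logs key on, so keeping them together with the classification makes a ticket or an investigation note complete in one step.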
Problem
I have an App Service that is unable to access (unauthorized storage exception) a storage account.
Both of these resources are in the same Resource Group (i.e. Resource Group XYZ).
The storage account has its Networking "Allow access from" to "Selected Networks". From here I configured a Virtual Network, and also include all the outbound IP Addresses under the Firewall section.
Note that if I set the Networking "Allow access from" to "All Networks", then everything works fine.
My Suspicion
I noticed that my app service is NOT on the Virtual Network that the storage account is configured with. I am unable to add the vnet (under the app's Networking blade) due to some error - which I suspect is due to the fact that the app service is under an App Service Plan which is associated with a different resource group (i.e. Resource Group ABC).
Question(s)
Any ideas what could be the culprit to the storage account access issue?
Again, I suspect it could be related to the App Service Plan being in a different resource group - in which case, it is a different issue altogether (I am unable to see my other App Service Plans under the "Change App Service Plan" blade).
There are 2 things to take into consideration:
That your app service can reach the storage account.
This depends on how locked down your storage account is. If it only allows access from the Vnet that it is on, then you need to add your app service to the same vnet.
You need at minimum a Standard app service plan for network integration. The app service must also be in the same region as the vnet.
Your app service is allowed to access the storage account.
You can either do this using a Managed identity or a Shared Access Signature. See this link for using managed identity: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Ccommand-line
I am currently working with a client that requires access to all Azure resources to be locked down as much as possible, and I am having problems with the Storage Account that is utilised by our Azure Functions.
With the Firewalls and Virtual Networks blade in portal set to "All Networks" I am able to deploy to the Function App and it runs without issue.
However, once I enable the access restriction by checking "Selected Networks", no matter what virtual network subnets I enter or IP Addresses, I cannot get the communication to work.
I have entered the Outbound IP Addresses of our Consumption based Function App and also checked that the additional IP Addresses from PowerShell have all been added to the whitelist. I have also added all the CIDR IP ranges of the local Azure datacenter but again it does not work.
The problem we have is that once the access restrictions have been put into place we are unable to deploy to the Function App and the app no longer runs. Is this scenario supported, and what is the mechanism for tying down access to the Storage Account so that only the Function App can utilise it?
As far as I know, you have two options to restrict access to your storage account from your function app or web app.
Whitelist the outboundIpAddresses and possibleOutboundIpAddresses of the function app in the firewall of the storage account. However, it does not work if the Azure function app and Azure storage are located in the same region; refer to Sam's answer:
when you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IP's, not the public IPs listed in the web app, and so is not allowed over the firewall.
If your resources were in different regions, you could use the network section of the function app to allow the function app to access resources in a VNet, then enable the service endpoint for Microsoft.Storage in this app integration subnet. But you need the Azure Functions Premium plan, referring to this tutorial: integrate Functions with an Azure virtual network.
Sometimes, the deployment order for networking is important. In this case, you will deploy the following:
Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the function app is restarted, you could enable service endpoint for this subnet. In the end, you could add the subnet in the firewall of the storage account.
Note that the new version is in Preview, currently. You could also check these characteristics and get more references from this thread.
I have an Azure Storage account and need to enable the storage firewall.
I have added the outbound IP addresses of my App Service, but the firewall still prevents access. (I know that these addresses can change, but they change predictably, so I can live with that.)
Is there a solution to grant an App Service access to the Storage account other than disabling the firewall (and other than using an ASE, which isn't an option)?
So it turns out that in a new Azure Storage account with a new App Service, setting the storage firewall to the outbound IPs of the App Service does work as expected. Unless the client browser is actually doing the download, adding the client's IP is not required.
Edit
This only works reliably when the storage account is in a different data centre to the App Service. When they are both in the same data centre, an internal outbound address (e.g. 10.x.x.x) is presented from the App Service to the Storage account. Internal addresses cannot be added to the Storage firewall.
If you access your web app service from on-premises networks, you need to grant access from your on-premises networks to your storage account with a public Internet-facing IP address used by your network. You can get more details from Grant access from an internet IP range.
If you have VNet Integration with your apps. You should first enable service endpoints for storage in the VNet. You can refer to Grant access from a virtual network.
I have a VNET with a DMZ and multiple internal subnets configured. There is a security requirement to block all outbound internet connections for the internal subnets.
Now, this VM needs to access Azure blob storage which is hosted in the same region.
I am wondering how to access Azure Blob storage without an outbound internet connection.
Pondering on questions like
1) Can I attach an Azure Storage account to my azure VNET?
2) Is there an existing solution where I access the internet via a JUMP-BOX network configuration, where my VM's internet traffic goes via the jump box?
3) Can this be achieved via Network ACLs or some better solution?
Now, this question is mix of networking and azure services, not sure of the right forum for this, server-fault or stack-overflow?
Azure Storage uses a public endpoint, as it's a multi-tenant service. You cannot add your Azure storage account to your VNet, since this is not an endpoint you control.
You'll need to access storage directly, via its <storagename>.blob.core.windows.net endpoint. How you ultimately accomplish that is up to you.