
I have an App Service that accesses a storage account. I would like to restrict access to the storage account, but as soon as I restrict it to specific networks and specific IP addresses I get 403 Forbidden.

Even after I added all of the outbound IPs of my App Service, I still get 403 Forbidden.

Why is that? What is the proper way to secure my storage account if I cannot use specific IPs and I don't want to link my App Service to a VNet?

2d1b

1 Answer


The problem you are seeing here is that, because the web app and the storage account are in the same region, the traffic is not actually using the public IPs of the web app; it is going over the internal network and using an internal IP. There is no way to know the specific internal IPs being used to access the account, so you cannot whitelist them in the storage firewall.

There are only a few ways to deal with this currently:

  • Put your storage account and app in different regions (not ideal)
  • Use VNet join (VNet integration) so the traffic goes over your VNet
  • Use an ASE, which sits on the VNet
Sam Cogan
  • Great to know! What I find weird is that it works for Key Vault, so I guess it's a bit different for storage accounts – 2d1b Mar 09 '20 at 13:57
  • Yeah it seems to be something specific about talking to storage accounts. I'm guessing it relates to the way web apps use storage under the hood – Sam Cogan Mar 09 '20 at 13:57
  • You are probably right... I just wish this was documented somewhere :-) thanks for your help – 2d1b Mar 09 '20 at 21:13
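The "VNet join" option from the answer, as an added example that is not code from the answer or from the original poster: the bash script below uses the Azure CLI to put the App Service on a subnet that carries a Microsoft.Storage service endpoint, allows that subnet on the storage firewall, and only then flips the firewall default to Deny. The storage rule matches on the subnet's resource ID, so it does not matter which internal source address same-region traffic arrives from. The subscription ID, resource group, VNet, subnet, app and storage names are placeholders; the az commands themselves are real, but the script only prints them unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): lock a storage account to an
# App Service through regional VNet integration plus a Microsoft.Storage
# service endpoint, so the storage firewall matches on the subnet instead of
# on the web app's public outbound IPs (which same-region traffic never uses).
# Every name below is a placeholder; set APPLY=1 to actually run the commands.
set -euo pipefail

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-demo}"
VNET="${VNET:-vnet-demo}"
SUBNET="${SUBNET:-snet-appsvc-integration}"
APP="${APP:-app-demo}"
STORAGE="${STORAGE:-stdemo}"
APPLY="${APPLY:-0}"

# Build the ARM resource ID of a subnet; the storage network rule references it.
subnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Print each command; execute it only when APPLY=1 (dry run by default).
run() {
  printf '+ %s\n' "$*"
  if [ "$APPLY" = 1 ]; then "$@"; fi
}

harden_storage_access() {
  local sid
  sid="$(subnet_id "$SUBSCRIPTION" "$RG" "$VNET" "$SUBNET")"

  # 1. The integration subnet needs a Microsoft.Storage service endpoint and the
  #    Microsoft.Web/serverFarms delegation that regional VNet integration requires.
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$SUBNET" --service-endpoints Microsoft.Storage \
      --delegations Microsoft.Web/serverFarms

  # 2. Join the App Service to that subnet (regional VNet integration).
  run az webapp vnet-integration add --resource-group "$RG" --name "$APP" \
      --vnet "$VNET" --subnet "$SUBNET"

  # 3. Allow the subnet on the storage firewall, then deny everything else.
  #    Order matters: add the rule before flipping the default to Deny, or the
  #    app loses access in the gap between the two calls.
  run az storage account network-rule add --resource-group "$RG" \
      --account-name "$STORAGE" --subnet "$sid"
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
      --default-action Deny

  # 4. Verify: defaultAction should be Deny and the subnet should be listed.
  run az storage account show --resource-group "$RG" --name "$STORAGE" \
      --query "networkRuleSet.{defaultAction:defaultAction,subnets:virtualNetworkRules[].virtualNetworkResourceId}" \
      -o json
}

harden_storage_access
```

Run it once without APPLY to review the plan, then with `APPLY=1` against a subscription you are logged in to with `az login`. After step 4 you can confirm the point the answer makes: with the subnet rule in place the app's requests succeed even though none of its outbound IPs appear in the firewall, because the rule is evaluated on subnet identity rather than on the source address.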