How can I allow an Azure Logic app access to a secured blob storage account

Question

I have an Azure Storage account where I have blobs stored in containers.

I would like to limit the access to this storage account to specific Azure resources and prevent internet connections.

I currently have access limited to IPs from our office locations. This allows us to support the process and use Azure Storage Explorer.

I tried adding the Outgoing IP Addresses from the Logic App but that did not allow access.

Then in the Logic App designer, I get the following Error.

I would like to additionally allow access from an Azure Logic app that would work with data stored there.

did you manage to get this working ? encoutering the same problem. — Thomas, Feb 28 '18 at 22:20
In the logic app properties, you can find the outbound ip addresses. I added them all but still get the forbidden error. — Thomas, Feb 28 '18 at 22:39
I've just created a storage account and app ip restrcitions on it. I would say no NSG or Vnet — Thomas, Feb 28 '18 at 22:40
Ok I just sent Azure Logic App and Support a tweet. see mine @cajunAA — aaronR, Feb 28 '18 at 22:46
I've open an issue on the logicpp repo https://github.com/Azure/logicapps/issues/18 — Thomas, Mar 01 '18 at 05:15

score 0 · Answer 1 · edited Mar 03 '22 at 08:34

0

Have you used the blob storage connector in your logic app ? Once you add the credential connection details, you'd be able to connect from the logic app.

The full documentation can be found here

edited Mar 03 '22 at 08:34

Bernard Vander Beken

4,848
5
54
76

answered Feb 23 '18 at 18:45

Adam Smith - Microsoft Azure

2,495
2
12
24

1

That works for an unsecured storage account. I need to limit the access to the storage account by limiting to IPs and VNets. – aaronR Feb 23 '18 at 19:15
You should consider using NSGs , it may be a better approach. – Adam Smith - Microsoft Azure Feb 23 '18 at 20:03
You still need to know the IP's the Logic App is coming from. – aaronR Feb 23 '18 at 20:07
@AdamSmith-MSFT, any news on this ? I've opend an issue for this problem on github (see my comment on the original question) – Thomas Mar 04 '18 at 11:28
aaronR can you send me your subscription ID and the link to this thread to AzCommunity[AT]microsoft.com, add "Attn: Adam Smith" to the subject, I'll enable a free support ticket to have your issue quickly reviewed by the specialized team for quicker help. – Adam Smith - Microsoft Azure Mar 05 '18 at 16:02
@Thomas can you send me your subscription ID and the link to this thread to AzCommunity[AT]microsoft.com, add "Attn: Adam Smith" to the subject ? I'll enable a free support ticket to have your issue quickly reviewed by the specialized team for quicker help. – Adam Smith - Microsoft Azure Mar 08 '18 at 23:49

score 0 · Answer 2 · answered Feb 26 '18 at 06:52

0

Is the IP you allowed known in the list of Logic Apps IPs? If not then I think you will need to whitelist the one on the list.

This is the list of Logic App IP's per country & connector:

Logic App IPs

answered Feb 26 '18 at 06:52

Steven Van Eycken

546
3
8

score 0 · Answer 3 · answered Mar 08 '18 at 15:42

I am having the same issue. Apparently this configuration is not supported. Quoted from an Azure ticket yesterday:

"Yea we have had couple (sic) customers reporting this issue. Unfortunately this feature is not supported as of now. The azure networking team was working on adding this support for logic apps. As of last month there was no ETA given."

Also, in my storage account logs the failed logic app requests are coming from 10.157.x.x, which I cannot whitelist in the storage account firewall. I even tried "fooling" the firewall by creating a vnet containing that subnet and allowing that. No dice.

How can I allow an Azure Logic app access to a secured blob storage account

3 Answers3