
I have a PowerShell script which runs in an Azure VM and connects to Azure Blob Storage and Azure SQL. Both the blob storage and SQL are protected by a firewall; the blob storage is part of a VNet. The VM is on its own VNet. I have inserted the IP address of the VM in both Azure Storage and SQL Azure. The access to SQL Azure is fine; however, when I try to connect to blob storage I get the error message

"Get-AzStorageContainer : This request is not authorized to perform this operation. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation. ErrorCode: AuthorizationFailure".

I am using a connection string to access the blob storage. If I connect from my PC (the IP address of which is entered in the firewall) I can get access with no problem. If I access blob storage from the VM using the connection string in Azure Storage Explorer I get the same error message.

If I disable the firewall on the blob storage then I can access it fine from the VM using both powershell and storage explorer.

Not sure if this is relevant, but if I execute Get-NetIPAddress | Format-Table on the VM I get an IPv6 address reported instead of the IPv4 address I use everywhere else and in the firewall.

This might be relevant, but I have no idea how to prove it one way or the other: Azure Storage account firewall rules work for table but break blob storage

Can anyone suggest a reason for this strange behaviour? How can I get reliable access to blob storage from the VM without having to disable the firewall?


1 Answer

I'm not sure what you mean by "the blob storage is part of a VNet." But in this case, you could enable a service endpoint for Azure Storage within the VNet where the VM is located and add its subnet to the virtual networks of the blob storage. You don't need to add the VM's IP address to the firewall of the storage account.


Reference: http://techtalk.cloud/azure-vnet-integration-service-endpoints-for-azure-storage/

Update

If the storage account and the VM are in the same region, traffic goes over the Azure backbone network. I tried it with a VM in a different region and then whitelisted the static public IP of the Azure VM in the firewall of the storage account; it worked!

Note

IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests.

Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range.

Reference: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#grant-access-from-an-internet-ip-range

  • OK, but if the VM has a public IP address, why can't I just add it to the firewall of the storage and gain access that way? – johnstaveley Oct 08 '20 at 07:04
  • Ah, this rule! Yes, I remember now. I will check it out to see if I can implement a solution. – johnstaveley Oct 08 '20 at 09:47
  • OK. Yes, my assets are in the same region, so your answer would seem to explain my problem. I have added a storage service endpoint to the VM subnet, then added the same VM subnet to the network security group of the storage. But it still doesn't work. Did I miss something? – johnstaveley Oct 08 '20 at 12:07
  • 1
    Do you add the same subnet to the virtual network of storage account? – Nancy Oct 08 '20 at 12:10
  • The key here was that the VM and blob storage were in the same area in Azure, and therefore Azure communicates over IPv6 and not the VM's published IP addresses. @Nancy's solution above details how to solve this. – johnstaveley Oct 08 '20 at 13:47
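The steps in the answer (enable the Microsoft.Storage service endpoint on the VM's subnet, then add that subnet as a virtual network rule on the storage account, not to a network security group) as a single Az PowerShell script. This is an added example, not code from the question or the answer; the resource group, VNet, subnet and storage account names are placeholders to replace with your own. It leaves the storage firewall's default action at Deny so that only the listed subnet (and any IP rules you keep for off-Azure clients such as your PC) can reach the account.

```powershell
# Added example: allow an Azure VM's subnet through a storage account firewall
# via a service endpoint + virtual network rule. Run with the Az module after
# Connect-AzAccount. All four names below are hypothetical; change them.
$rg         = 'rg-example'
$vnetName   = 'vnet-vm'
$subnetName = 'default'
$saName     = 'stexample'

# 1. Enable the Microsoft.Storage service endpoint on the VM's subnet.
#    Set-AzVirtualNetworkSubnetConfig requires the existing address prefix to be re-supplied.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $sub.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet      # commit the subnet change to Azure
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnetName).Id

# 2. Add that subnet as a virtual network rule on the storage account.
#    This is the "Virtual networks" list in the account's Networking blade, not an NSG.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -VirtualNetworkResourceId $subnetId | Out-Null

# 3. Keep the firewall on: default action Deny, so only the rules listed above apply.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny | Out-Null

# 4. Verify the rule landed. State should read 'Succeeded'; a subnet without the
#    service endpoint shows up as 'NetworkSourceDeleted' or fails to add at all.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName
$ruleSet.VirtualNetworkRules | Format-Table VirtualNetworkResourceId, Action, State
"DefaultAction: $($ruleSet.DefaultAction)"

# 5. Re-test from inside the VM with the same connection string the script already uses
#    ($connStr is assumed to be set; it carries the account key, so keep it out of source control).
# $ctx = New-AzStorageContext -ConnectionString $connStr
# Get-AzStorageContainer -Context $ctx | Select-Object Name
```

Allow a minute or two after step 2 for the rule to propagate before re-testing. If the VM and the account are in the same region, leave the VM's public IP out of the IP rules entirely: per the Microsoft note quoted above it is never consulted for same-region traffic, and an unused allow rule only widens the firewall for whoever later inherits that address.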