Problem

I have an App Service that is unable to access (unauthorized storage exception) a storage account. Both of these resources are in the same Resource Group (i.e. Resource Group XYZ).

The storage account has its Networking "Allow access from" set to "Selected Networks". From here I configured a Virtual Network, and also included all the outbound IP Addresses under the Firewall section.

Note that if I set the Networking "Allow access from" to "All Networks", then everything works fine.

My Suspicion

I noticed that my app service is NOT on the Virtual Network that the storage account is configured with. I am unable to add the vnet (under the app's Networking blade) due to some error - which I suspect is due to the fact that the app service is under an App Service Plan which is associated with a different resource group (i.e. Resource Group ABC).

Question(s)

Any ideas what could be the culprit to the storage account access issue? Again, I suspect it could be related to the App Service Plan being in a different resource group - in which case, it is a different issue altogether (I am unable to see my other App Service Plans under the "Change App Service Plan" blade).

AlvinfromDiaspar

  • While this could be a networking issue, also check access - how are you authenticating? If you're using an access key, and it's correct, then it's very possibly still networking. If you're using a Managed Identity, have you checked to ensure that the identity has the correct access permissions to the account and containers? – WaitingForGuacamole Mar 09 '21 at 16:41
  • Also, if you lift all of the networking restrictions temporarily, does it work? – WaitingForGuacamole Mar 09 '21 at 16:45
  • As mentioned, it does work (if I set it to "All Networks"). – AlvinfromDiaspar Mar 09 '21 at 16:55
  • I am not sure about my using a managed identity. I have selected "Select Networks" and explicitly added IP Addresses to allow in the Firewall rules. I presume this is enough. – AlvinfromDiaspar Mar 09 '21 at 16:59
  • Ah, missed that part. So, I don't think the resource group is the problem - our app services are VNet integrated, and the app services and plans live in one group and the VNets live in another - we had no problems with it. What's the specific error when adding the VNet to the app service? – WaitingForGuacamole Mar 09 '21 at 17:01
  • That's the bothersome thing. There is no specific error. After taking a while during "Configure VNet to the app" / "Starting configuration of the VNet app" message, it eventually errors out w/ no details other than "VNet configuration failed". – AlvinfromDiaspar Mar 09 '21 at 17:03
  • I take it back. The most recent error message says this: "The gateway did not receive a response from "Microsoft.Web" within the specified time period". – AlvinfromDiaspar Mar 09 '21 at 17:16
  • https://stackoverflow.com/questions/60663125/azure-vnet-integration-the-gateway-did-not-receive-a-response-from-microso suggests it's a limitation on the number of integrations per plan? – WaitingForGuacamole Mar 09 '21 at 17:20
  • Yeah. That's where I'm at right now (i.e. Ugh). – AlvinfromDiaspar Mar 09 '21 at 17:30
  • I also see this: "Adding this VNET would exceed the App Service Plan VNET limit of 1." Not sure how to resolve this as I am unable to update my app service to a different App Service Plan. – AlvinfromDiaspar Mar 09 '21 at 17:52
  • I like the suggestion in that PO post. But can/should a VNET be used for both PROD & DEV environments? Currently I have a separate VNET per PROD & DEV. – AlvinfromDiaspar Mar 09 '21 at 17:54
  • My understanding is you can have more than one plan in a VNet, but not multiple VNets on a plan, so you probably *could*, but I probably *wouldn't*. – WaitingForGuacamole Mar 09 '21 at 20:04

1 Answer

There are 2 things to take into consideration:

  1. That your app service can reach the storage account.

This depends on how locked down your storage account is. If it only allows access from the VNet that it is on, then you need to add your app service to the same VNet.

You need at least a Standard app service plan for network integration. The app service must also be in the same region as the VNet.

  2. Your app service is allowed to access the storage account.

You can either do this using a Managed Identity or a Shared Access Signature. See this link for using managed identity: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal%2Ccommand-line

Shiraz Bhaiji
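An added example (not part of the question or the answer above): a small Python model of how the storage account's "Selected networks" firewall decides whether the App Service's request gets through, covering point 1 of the answer. It encodes the documented behaviour that IP firewall rules do not apply to requests from Azure services in the same region as the storage account, which is why adding the app's outbound IPs alone does not help and a VNet rule (regional VNet integration) is needed. The rule set, subnet ID and addresses are constructed, and the evaluator is a simplification for illustration, not Azure's implementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StorageNetworkRules:
    """Subset of the storage account 'Networking' blade (constructed model)."""
    default_action: str = "Deny"          # "Allow" == 'All networks'
    ip_rules: List[str] = field(default_factory=list)        # firewall IPs / CIDRs
    vnet_subnet_ids: List[str] = field(default_factory=list)  # allowed subnets
    region: str = "eastus"


@dataclass
class AppServiceSource:
    """Where the App Service's request originates (constructed model)."""
    outbound_ip: str
    region: str
    integrated_subnet_id: Optional[str] = None  # None == no VNet integration


def request_allowed(rules: StorageNetworkRules,
                    src: AppServiceSource) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against the firewall model."""
    if rules.default_action.lower() == "allow":
        return True, "default action Allow: all networks permitted"
    # A VNet rule matches the subnet the app is integrated into.
    if src.integrated_subnet_id and src.integrated_subnet_id in rules.vnet_subnet_ids:
        return True, "VNet rule matches the integrated subnet"
    # Same-region Azure traffic arrives over Azure's private space, so the
    # public outbound IPs listed in the firewall are never matched.
    if src.region == rules.region:
        return False, ("same-region request: IP rules do not apply, "
                       "a VNet rule via VNet integration is required")
    addr = ipaddress.ip_address(src.outbound_ip)
    for cidr in rules.ip_rules:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True, f"IP rule {cidr} matches outbound IP {src.outbound_ip}"
    return False, "no IP or VNet rule matches; default action Deny applies"


if __name__ == "__main__":
    # The asker's setup: outbound IPs in the firewall, same region, no VNet integration.
    rules = StorageNetworkRules(ip_rules=["203.0.113.10", "203.0.113.20"],
                                vnet_subnet_ids=["<constructed-subnet-id>/app"])
    print(request_allowed(rules, AppServiceSource("203.0.113.10", "eastus")))
```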