4

I am getting the below error while creating a Logic App from the portal.

"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible."

While selecting the initial Logic App configuration, I am selecting an existing storage account, which should allow accesses from azure trusted services (configuration below).


This will fail if there are private endpoints defined in the storage account (like in the images below), but also without defining private endpoints. And since the "Allow Azure trusted services" setting is turned on, I believe these shouldn't disallow public traffic, and trusted services should be able to communicate with the storage account via the Azure backbone. Right?

But assuming that Azure Resource Manager is not a trusted Azure service, I whitelisted the Azure Resource Manager IP addresses, and the outcome was still the same.

Any idea what might be the issue(s) here?

ccoutinho
  • You can also open an issue on GitHub: [Azure/logicapps](https://github.com/Azure/logicapps/issues) – Ecstasy Oct 29 '21 at 11:26
  • You can refer to [Azure Storage/Logic Apps - Allowed Microsoft Service when Firewall is set](https://stackoverflow.com/questions/62471489/azure-storage-allowed-microsoft-service-when-firewall-is-set) and [Access Storage Accounts behind Firewalls from Logic Apps within the same region](https://techcommunity.microsoft.com/t5/integrations-on-azure/access-storage-accounts-behind-firewalls-from-logic-apps-within/ba-p/1997801) – Ecstasy Oct 29 '21 at 11:34
  • Hello @ccoutinho, may I please know how you are creating the logic app and what the type of logic app is (Standard/Consumption)? – AjayKumarGhose Oct 29 '21 at 14:14
  • @AjayKumarGhose-MT I am creating it in the portal, in a Standard consumption plan – ccoutinho Oct 29 '21 at 14:37
  • @DeepDave-MT I think I will open a ticket with MS... This issue is not really related to Logic Apps, since the error I'm getting is happening before the actual Logic App deployment. – ccoutinho Oct 29 '21 at 14:38

3 Answers

4

I had the same error when I deployed my logic app via Bicep; the storage account for the logic app has firewall rules set.

The error message:

##[error]undefined: Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.

Details of the infrastructure:

  • Standard logic app in App Service Plan

  • Storage Account V1

  • Storage account firewall rules: image

  • App Settings: image

It seems that when the logic app is deployed, the traffic is not going through the VNet, so even though the VNet rule is set on the storage account, the traffic is still denied.

After searching on the internet, I found a post from matthewking8813.

Adding the App Setting WEBSITE_CONTENTOVERVNET with the value 1 works for me. MS Doc about WEBSITE_CONTENTOVERVNET

I didn't set up WEBSITE_DNS_SERVER and already had AzureWebJobsStorage set up in my Bicep file.

For deploying through the portal, I can't find a place to set up App Settings during creation; you may need to raise a ticket with MS for this.

wei
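An added example (not code from the answer above or from the Azure/logicapps project) of the Bicep shape that answer describes: a Standard Logic App bound to a firewalled storage account, with VNet integration and WEBSITE_CONTENTOVERVNET=1 so the content share is created over the VNet rather than by temporarily opening the firewall. The parameter names, the app name and the choice of API versions are assumptions; the storage account, WS1 plan and delegated subnet are assumed to exist already.

```bicep
// Added example; resource and parameter names are hypothetical.
param location string = resourceGroup().location
param appName string = 'logic-std-example'      // hypothetical site name
param storageAccountName string                 // existing, firewalled account
param planId string                             // existing WS1 App Service plan
param subnetId string                           // subnet delegated to Microsoft.Web/serverFarms

resource stg 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

// Connection string for AzureWebJobsStorage and the content share.
var storageConn = 'DefaultEndpointsProtocol=https;AccountName=${stg.name};AccountKey=${stg.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'

resource logicApp 'Microsoft.Web/sites@2022-03-01' = {
  name: appName
  location: location
  kind: 'functionapp,workflowapp'   // Standard Logic App runs on the Functions host
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    // Regional VNet integration: outbound traffic leaves via the subnet, so the
    // storage firewall evaluates the VNet rule instead of a public address.
    virtualNetworkSubnetId: subnetId
    siteConfig: {
      vnetRouteAllEnabled: true
      appSettings: [
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'node' }
        { name: 'APP_KIND', value: 'workflowApp' }
        { name: 'AzureFunctionsJobHost__extensionBundle__id', value: 'Microsoft.Azure.Functions.ExtensionBundle.Workflows' }
        { name: 'AzureWebJobsStorage', value: storageConn }
        { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING', value: storageConn }
        { name: 'WEBSITE_CONTENTSHARE', value: toLower(appName) }
        // The setting from the answer above: create and mount the content file
        // share through the integrated VNet, so the storage firewall can stay on
        // Deny for public traffic during deployment.
        { name: 'WEBSITE_CONTENTOVERVNET', value: '1' }
      ]
    }
  }
}
```

The storage account's firewall still needs a virtual network rule for the integrated subnet (or private endpoints reachable from it), otherwise the share creation is denied regardless of this setting.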
2

It seems not to be possible to deploy a Standard Logic App from the portal if the targeted storage account will be hidden behind a firewall. The workaround is to deploy the Standard Logic App via an ARM template. What will happen is that first the storage account and file share will be created, and then the firewall will be enabled on it.

The resources will be created in the following order:

  1. Storage account which denies the public traffic.

  2. VNET and Subnets.

  3. Private DNS Zones and Private Endpoints for blob, file, queue, and table services.

  4. File Share (the Logic App's App Settings require a file share to create the host runtime directories and files).

  5. App Service Plan (Workflow Standard, WS1) to host Standard Logic App resources.

  6. Standard Logic App, with its network config set to the VNET integration (to connect to the storage account on private endpoints).

More information here.

ccoutinho
2

You can use the script below to make your storage account publicly accessible and then try the deployment through Terraform. Note: please add a delay of at least 120 seconds for the changes to apply.

# Open the storage account firewall (default action Allow) and enable blob public access
az storage account update --name ${{ parameters.storage_account }} --default-action Allow
az storage account update --name ${{ parameters.storage_account }} --allow-blob-public-access true
# Wait for the firewall change to propagate before the deployment step runs
Start-Sleep -s 120

Once the deployment is done, you can disable public access with the script below:

# Close the firewall again (default action Deny) and disable blob public access
az storage account update --name ${{ parameters.storage_account }} --default-action Deny
az storage account update --name ${{ parameters.storage_account }} --allow-blob-public-access false

You may add the above tasks to your CI/CD pipeline as inline script tasks.