
I have deployed my web app to Azure, but any attempt to write to my blob storage fails. I have spent quite a few hours searching and changing various things in Azure, but I cannot figure this out. The app code is functioning correctly (local dev pc can write to the blob storage).

The Azure setup I have is an App Service and a Storage account.

The Azure app can read from the blob storage, but cannot write. If I change the network settings on the storage account to "Enabled from all networks" the app is then able to write to the blob (but for obvious reasons, this is not the solution).

To back this up, I can write to the blob storage on Azure from my development PC by adding my IP to the firewall address range (when public access networks is set to "Enabled from selected networks").

In easy steps, what do I need to do to only allow my App Service to write to my blob storage?

I've tried too many things to list and am at a loss as to what to do - I need a little help.

Thank you.

beloud
  • what you want is this: https://stackoverflow.com/a/60990180/1537195 – silent Jun 20 '22 at 08:40
  • https://i.imgur.com/WoxrQA3.png - Could you please add your app service virtual IP address to that associated storage account networking configuration along with your Client IP Address in the Firewall and check! – Sridevi Jun 20 '22 at 11:38
  • @SrideviMachavarapu-MT Thank you, but unfortunately this is one of the things I have already tried which does not work. I still get the same response: `Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure` – beloud Jun 20 '22 at 12:02
  • Did you try to generate a SAS connection string? – Charlie V Jun 20 '22 at 14:28
  • Do you know the subnet where the App Service Plan is part of (not app service)? And can you add that subnet to the storage account Firewall settings? – Charlie V Jun 20 '22 at 14:34
  • @CharlieV I am using the D1 (Shared) service plan. I think this is the problem. I cannot get to the subnet for this service plan, and creating a SAS also results in a 403. Using a SAS with my local IP works. It has to be a limitation of the D1 service plan, which seems a little silly; I could host my app elsewhere and add the host's IP to the SAS or the blob network IP and everything would work. Not sure why MS is restricting this. Adding the app service IP to the SAS seems to be ignored and again results in a 403 error. – beloud Jun 21 '22 at 14:47

1 Answer


The difference between "Enabled from all networks" and "Enabled from selected networks" is in which IP addresses and services are allowed to access (read, write) the Storage account.


As Charlie V suggested, adding the App Service Plan subnet to the storage account Firewall settings will resolve the issue.

You're using the D1 (Shared) Service Plan of an App Service, and your comment is valid: Microsoft Azure limits App Service features based on the App Service Plan (pricing tier) we choose.

VNet Integration is only supported in the Standard, Premium and Isolated App Service Plans (Pricing Tiers), not in the Free, Shared, and Basic.

Refer to the Azure App Service Limits for more information.
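
The subnet-based lockdown discussed above, written out as Azure CLI steps. This is an added example, not part of the original answer; every resource name is a placeholder, the tier list is the one given in the answer, and commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: restrict a storage account to the App Service's integration subnet.
# All names below are placeholders (assumptions), not values from the question.
RG="my-rg"; APP="my-webapp"; STORAGE="mystorageacct"
VNET="my-vnet"; SUBNET="appsvc-subnet"

# Tiers as listed in the answer above; confirm against the current App Service limits.
# The live value can be read with:
#   az appservice plan show -g "$RG" -n <plan-name> --query sku.tier -o tsv
tier_supports_vnet() {
  case "$1" in
    Standard|Premium*|Isolated*) return 0 ;;
    *) return 1 ;;   # Free, Shared (D1) and Basic, per the answer
  esac
}

# Print each az command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

restrict_storage_to_app() {
  if ! tier_supports_vnet "$1"; then
    echo "tier '$1' has no VNet integration; scale the plan up first" >&2
    return 1
  fi
  # 1. Give the subnet a service endpoint so Storage sees traffic as coming from it.
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
      --service-endpoints Microsoft.Storage
  # 2. Attach the web app to that subnet (VNet integration).
  run webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
  # 3. Allow that subnet through the storage account firewall...
  run storage account network-rule add -g "$RG" --account-name "$STORAGE" \
      --vnet-name "$VNET" --subnet "$SUBNET"
  # 4. ...and deny every network that is not explicitly listed.
  run storage account update -g "$RG" -n "$STORAGE" --default-action Deny
}

# Dry run by default: prints the four commands for a Standard-tier plan.
restrict_storage_to_app "${TIER:-Standard}"
```

Running it with `TIER=Shared` stops before any command is issued, which is the D1 situation described in the comments.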