
Unable to upload the file using Azure App Service (same Network Security Group) in Azure Storage account container, returns the error below

Status: 403 ErrorCode: AuthorizationFailure Error Message: This request is not authorized to perform this operation

Created a virtual network named vnet-network and created 3 subnets:

  • app-subnet: 10.0.1.0/24
  • upload-subnet: 10.0.5.0/24
  • db-subnet: 10.0.3.0/24

Created the network security group for the above subnets (netowrk_nsg).

Then, based on the subnets, created the App Service, private database and storage accounts.

Once that was done, created the inbound and outbound security rules.

Inbound: [screenshot]

Outbound: [screenshot]

Vnet Configuration: [screenshot]

Storage account Vnet Configuration tab: [screenshot]

App service Vnet Configuration: [screenshot]

Able to connect the App service to database, but unable to connect the app service to storage accounts.

Which one is not allowing access to the storage account? Please guide me.

1 Answer


App Service wouldn't be using subnet to talk to your storage account by default. If NSG was blocking communications between App Service and Storage Account - you'd get a timeout.
This looks like your storage key is wrong or your SAS token expired.

4c74356b41
  • We are using a private container; if we enable the public network, we are able to connect to the storage account without any issues. – Ramakrishnan Ramar Feb 04 '23 at 04:58
  • either way it's not NSG blocking connections (you'd get a timeout). Did you configure Vnet Integration on the App Service? Did you enable traffic filtering on Storage Account? If so - how did you configure it? – 4c74356b41 Feb 04 '23 at 05:00
  • Please check Storage account Vnet Configuration tab above in question, in the tab itself select created subnet – Ramakrishnan Ramar Feb 04 '23 at 05:04
  • the screenshot cuts off, did you allow the vnet\subnet of the app service to access it? – 4c74356b41 Feb 04 '23 at 05:08
  • Yes in the storage account able to select Vnet subnet only, Please check above inbound and outbound rule for network security group. Already allowed in the NSG rules. – Ramakrishnan Ramar Feb 04 '23 at 05:12
  • nsg has nothing to do with this, inter vnet communications are allowed by default on the nsg. did you enable vnet integration on the app service? – 4c74356b41 Feb 04 '23 at 05:15
  • Yes Enabled App service and database also. Able to connect App --> database, but unable to connect app--> storage account – Ramakrishnan Ramar Feb 04 '23 at 05:19
  • on the screenshot it says `10.0.5.0/24`, but in your question app subnet is `10.0.1.0/24` – 4c74356b41 Feb 04 '23 at 05:24
  • For questioning purpose used like this, actual subnet is 10.0.5.0/24 – Ramakrishnan Ramar Feb 04 '23 at 05:26
  • can you share vnet integration configuration? – 4c74356b41 Feb 04 '23 at 05:27
  • Please check above – Ramakrishnan Ramar Feb 04 '23 at 05:34
  • according to your screenshots you should allow `10.0.1.0/24` subnet, not `10.0.5.0/24` subnet in your storage networking config, can you try that? – 4c74356b41 Feb 04 '23 at 05:39
  • 10.0.1.0/24--> app service , 10.0.5.0/24--> Blob storage both are in same NSG and virtual network suppose to allow inbound and outbound according to security rules. – Ramakrishnan Ramar Feb 04 '23 at 05:48
  • disregard nsg, storage account does not allow `10.0.1.0/24` to talk to it, it only allows `10.0.5.0/24` to talk to. fix storage to allow `10.0.1.0/24` to talk to it and it should work – 4c74356b41 Feb 04 '23 at 05:55
  • Allowed both 10.0.1.0/24 and 10.0.5.0/24, Still face the same issue – Ramakrishnan Ramar Feb 04 '23 at 05:59
  • it should definitely work if you configured it like that and vnet integration is configured as on the screenshot. if it doesn't - you need to enable diagnostic logs on the storage account and check which ip is accessing the storage account, it should be something like `10.0.1.5` - if it's a public ip of the app service instead - you need to figure out why app service is misconfigured. alternatively you can configure private endpoints on the storage account. https://techcommunity.microsoft.com/t5/apps-on-azure-blog/app-service-to-storage-account-connection-condition-summary/ba-p/2968642 - 3 or 4 – 4c74356b41 Feb 04 '23 at 06:18
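
The log check suggested in the last comment, as an added example that is not part of the original thread: it classifies the caller address of each 403 against the subnets the storage firewall allows. The log records are constructed, and the `statusCode`, `callerIpAddress` and `operationName` field names are assumptions about the shape of the exported storage logs.

```python
import ipaddress
import json

# RFC 1918 ranges: a caller outside them reached storage from a public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not from the thread), shaped like storage
# resource-log entries; the field names used here are assumed.
SAMPLE_LOG = [
    '{"operationName": "PutBlob", "statusCode": 403, "callerIpAddress": "203.0.113.10:51544"}',
    '{"operationName": "PutBlob", "statusCode": 403, "callerIpAddress": "10.0.5.4:40112"}',
    '{"operationName": "GetBlob", "statusCode": 200, "callerIpAddress": "10.0.1.5:40200"}',
    '{"operationName": "PutBlob", "statusCode": "403", "callerIpAddress": "10.0.1.5:40201"}',
]


def caller_ip(raw):
    """Drop the ':port' suffix logged after IPv4 callers."""
    host = raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw
    return ipaddress.ip_address(host)


def classify_denied_callers(log_lines, allowed_subnets):
    """Return (ip, operation, verdict) for each 403 record.

    allowed-subnet   : source is inside a subnet the storage firewall lists
    private-unlisted : VNet traffic from a subnet missing from the firewall
    public           : request did not arrive from the VNet at all
    """
    allowed = [ipaddress.ip_network(s) for s in allowed_subnets]
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        # Some exports carry the status code as a string, so compare as text.
        if str(rec.get("statusCode")) != "403":
            continue
        ip = caller_ip(rec["callerIpAddress"])
        if any(ip in net for net in allowed):
            verdict = "allowed-subnet"
        elif any(ip in net for net in RFC1918):
            verdict = "private-unlisted"
        else:
            verdict = "public"
        findings.append((str(ip), rec.get("operationName"), verdict))
    return findings


if __name__ == "__main__":
    for finding in classify_denied_callers(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(*finding, sep="\t")
```

A `public` verdict corresponds to the case the comment describes, where the request carries the App Service's public IP rather than an address such as `10.0.1.5`.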