I'm having an issue when trying to access Tables on a Storage Account from a Consumption Logic App. The problem is that the Storage Account is connected to a VNET and has Firewall Rules to filter traffic from specific Subnets and IP Addresses, while the Logic App cannot be connected to any VNET as it is Consumption.

If I select the option "Enabled from all networks" in the Networking section of the Storage Account settings, the traffic is allowed and the Logic App runs fine, but this is not a desired scenario, nor is it an option to migrate to Logic App Standard.

I tried a couple of solutions as described below:

  • I added all IPs and IP ranges found in the Properties of the Logic App, including Runtime outgoing IP addresses, Access endpoint IP addresses and Connector outgoing IP addresses, but no luck.
  • I also added the Logic App (and also tried the option for all Logic Apps on the subscription) to the Resource Instances that are supposed to be exceptions for accessing the Storage Account, adding the corresponding role assignments to the Logic App Managed Identity, but no luck. I tried several role assignments, including Contributor, Owner, Storage Account Contributor and Storage Table Data Contributor; it still does not work.

Any advice will be much appreciated.

Thanks in advance!

Diego Satizabal

2 Answers

If the storage uses "Enabled from selected virtual networks and IP addresses":

[image: azure storage account networking]

You can add a firewall exception for your logic app when connecting to table storage using a system-assigned identity:

[image: azure storage account - firewall exception - logic app - managed identity]

So first, you need to create a managed identity for your logic app:

[image: azure logic app - system-assigned identity]

Then create a role assignment (RBAC) to allow the logic app to connect to the storage account:

[image: azure storage - rbac - table roles]

Then from your logic app, you can use the table storage connector:

[image: azure logic app - table storage connector - managed identity]

And obviously, test that it is working fine :-)

[image: azure logic app - run details]

Thomas
  • Hi Thomas, thanks for the response! I have tried all you mentioned; I guess I was missing creating a new connection using Managed Identity instead of the shared keys. However, now I'm getting this error when performing a simple table read: "Operation not supported with AAD authentication, use Azure Storage Account name/key connection instead." Do you have any idea what it could be? I added the role assignments required and the managed ID exists. Thanks in advance! – Diego Satizabal Jun 30 '23 at 11:15
  • Which action are you using? Are you using the v2 action? – Thomas Jun 30 '23 at 20:48
  • And which role did you grant to the managed identity? – Thomas Jun 30 '23 at 20:49
  • I've just tried with `Get entities (V2)` and it is working fine. – Thomas Jun 30 '23 at 20:54

For those having a similar issue, there are two things I missed:

  • One is to use a connection authenticated using the Managed Identity that must exist in the Logic App and have the appropriate role assignment
  • Another thing less obvious is that V2 components must be used to access table storage in the Logic App implementation

For what it's worth, if you already have a KeyVault connected to the VNET that is accessed by the Logic Apps the solution for this would be to add the list of Outgoing IP addresses to the firewall rules in the KeyVault's Networking menu as indicated here

Diego Satizabal
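
A check for the setup described in the two answers above, as an added example that is not part of the original posts: it audits the JSON printed by `az storage account show` and `az role assignment list` for a closed firewall, a resource instance rule covering the Logic App, and a table data role on the managed identity. The helper name `audit` and all IDs are constructed placeholders, and wildcard matching of rule IDs is an assumption.

```python
from fnmatch import fnmatchcase

# Built-in roles with table data-plane permissions. Owner, Contributor and
# Storage Account Contributor are management-plane roles and do not grant them.
TABLE_DATA_ROLES = {"Storage Table Data Contributor", "Storage Table Data Reader"}

def audit(account, assignments, logic_app_id, principal_id):
    """Return findings; an empty list means the setup matches the answers above."""
    findings = []
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("firewall: default action is not Deny")
    # Assumption: resource instance rules may use '*' for "all in subscription".
    patterns = [r["resourceId"].lower() for r in rules.get("resourceAccessRules") or []]
    if not any(fnmatchcase(logic_app_id.lower(), p) for p in patterns):
        findings.append("firewall: no resource instance rule covers the Logic App")
    acct = account["id"].lower()
    roles = set()
    for a in assignments:
        scope = a["scope"].lower().rstrip("/")
        # A role applies when assigned on the account itself or on a parent scope.
        if a["principalId"] == principal_id and (acct == scope or acct.startswith(scope + "/")):
            roles.add(a["roleDefinitionName"])
    if not roles & TABLE_DATA_ROLES:
        findings.append(f"rbac: identity has no table data role (has: {sorted(roles)})")
    return findings

# Constructed sample data (placeholder IDs), shaped like `az ... -o json` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LOGIC_APP = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Logic/workflows/la-demo"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
ACCOUNT = {
    "id": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo",
    "networkRuleSet": {"defaultAction": "Deny",
                       "resourceAccessRules": [{"resourceId": LOGIC_APP, "tenantId": "t"}]},
}
GOOD = [{"principalId": PRINCIPAL, "roleDefinitionName": "Storage Table Data Contributor",
         "scope": ACCOUNT["id"]}]
BAD = [{"principalId": PRINCIPAL, "roleDefinitionName": "Owner", "scope": SUB}]

if __name__ == "__main__":
    for name, ra in (("good", GOOD), ("bad", BAD)):
        print(name, audit(ACCOUNT, ra, LOGIC_APP, PRINCIPAL))
```

The audit covers only the storage side; the connection type (Managed Identity) and the V2 actions still have to be checked in the Logic App itself.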