Tags: azure-blob-storage, connector, powerapps-canvas, vnet, network-security-groups

PowerApps: Access Azure Storage Account only accessible from selected vNet and IP address ranges


I have a Canvas PowerApp which needs to write a simple blob to an Azure Blob Storage Container. This works fine using the Azure Blob Storage Connector which is provided with the Storage Account name as well as the respective Access Key.

However, the Storage Account is configured to only allow access from a selected vNet (and IP address ranges). When I try to connect to the storage account from the PowerApp (which is outside said vNet) using the Blob Storage Connector, I get an error - which is expected.

This request is not authorized to perform this operation.

The vNet (or rather the subnet inside the vNet) is associated to an NSG.

How can I establish a secure connection to this "isolated" storage account? Preferably not by whitelisting the entire range of PowerApps IP addresses.

Did anyone encounter a similar problem and wants to share their solution?

Thank you very much for your time in advance!


Solution

  • There are two ways of doing this:

    1. Azure API Management: You can configure the API management instance to use a private endpoint and act as a proxy for your Blob Storage calls. Validation, and AuthN / AuthZ will be configured in APIM policies. You will then connect your PowerApp to the API Management instance using the custom connector.

    2. Using an Azure Function as an intermediary layer: As with APIM, Azure Function can use a private endpoint and proxy your calls. In this case, you could use Azure AD for authN and authZ. You will still need a custom connector, of course.
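The intermediary layer from option 2, written out as an added example (not code from the question, the answer, or any Microsoft sample). It shows the part of the proxy that actually carries the security value: the Function refuses anything that is not an Azure AD caller holding a specific app role, pins writes to one container with flat, validated blob names, caps the body size, and only then hands the bytes to an uploader. Everything deployment-specific is an assumption: App Service Authentication (Easy Auth) injecting the `X-MS-CLIENT-PRINCIPAL` header, the app role name `Blob.Write`, the container name `powerapps-uploads`, the size limit, and a vNet-integrated Function App whose managed identity can write to the storage account over the private endpoint. The `sdk_uploader` factory uses the real `azure-storage-blob` / `azure-identity` packages but is only imported lazily, so the rest of the module runs offline with the in-memory uploader in the demo.

```python
"""
Hypothetical Azure Function ("blob-proxy") between a PowerApps custom connector
and a network-isolated Storage Account. Assumed (not stated in the Q&A):
  * Easy Auth (Azure AD) is enabled, so requests reaching this code carry a
    validated identity in the X-MS-CLIENT-PRINCIPAL header (base64 JSON).
  * The Function App is vNet-integrated and its managed identity holds
    "Storage Blob Data Contributor" on the target container, so the real
    upload travels over the private endpoint, not the public IP.
  * The PowerApps app registration is assigned the app role "Blob.Write".
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

ALLOWED_CONTAINER = "powerapps-uploads"   # the only container the proxy will ever touch (assumed)
REQUIRED_ROLE = "Blob.Write"               # app role the caller's token must carry (assumed name)
MAX_BLOB_BYTES = 1024 * 1024               # refuse bodies larger than 1 MiB (assumed limit)
# Flat blob names only: no "/" (virtual directories) and no "..", so the
# PowerApp cannot steer writes anywhere but the intended container root.
BLOB_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

Uploader = Callable[[str, str, bytes], None]


@dataclass
class Response:
    status: int
    body: str


def principal_from_header(header_value: Optional[str]) -> dict:
    """Decode X-MS-CLIENT-PRINCIPAL into {claim_type: [values]}.
    Returns {} for a missing or malformed header so the caller is rejected."""
    if not header_value:
        return {}
    try:
        data = json.loads(base64.b64decode(header_value))
    except ValueError:            # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        return {}
    if not isinstance(data, dict):
        return {}
    claims: dict = {}
    for claim in data.get("claims", []):
        if isinstance(claim, dict):
            claims.setdefault(claim.get("typ"), []).append(claim.get("val"))
    return claims


def caller_is_authorized(claims: Mapping[str, list]) -> bool:
    """Authorize on the app role, not merely on 'presented a valid token'."""
    return REQUIRED_ROLE in claims.get("roles", [])


def validate_blob_name(name: str) -> bool:
    return BLOB_NAME_RE.fullmatch(name) is not None and ".." not in name


def handle_upload(headers: Mapping[str, str], container: str, blob_name: str,
                  body: bytes, upload: Uploader) -> Response:
    """Check identity, role and input in that order, then hand off to the uploader."""
    claims = principal_from_header(headers.get("X-MS-CLIENT-PRINCIPAL"))
    if not claims:
        return Response(401, "no authenticated principal")
    if not caller_is_authorized(claims):
        return Response(403, "caller lacks required role")
    if container != ALLOWED_CONTAINER:
        return Response(403, "container not allowed")
    if not validate_blob_name(blob_name):
        return Response(400, "invalid blob name")
    if len(body) > MAX_BLOB_BYTES:
        return Response(413, "body too large")
    try:
        upload(container, blob_name, body)
    except Exception:             # keep storage-side error details out of the client response
        return Response(502, "upload failed")
    return Response(201, f"stored {container}/{blob_name}")


def sdk_uploader(account_url: str) -> Uploader:
    """Uploader for a real deployment: azure-storage-blob with the managed identity.
    Imports lazily so the module and the offline demo load without the SDK installed."""
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient
    service = BlobServiceClient(account_url=account_url, credential=DefaultAzureCredential())

    def _upload(container: str, blob_name: str, data: bytes) -> None:
        service.get_blob_client(container, blob_name).upload_blob(data, overwrite=False)
    return _upload


def make_principal_header(roles) -> str:
    """Constructed X-MS-CLIENT-PRINCIPAL value for offline testing (not a real token)."""
    payload = {"auth_typ": "aad",
               "claims": [{"typ": "roles", "val": r} for r in roles]
                         + [{"typ": "appid", "val": "00000000-0000-0000-0000-000000000000"}]}
    return base64.b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    store: dict = {}                                    # in-memory stand-in for the container
    headers = {"X-MS-CLIENT-PRINCIPAL": make_principal_header(["Blob.Write"])}
    print(handle_upload(headers, ALLOWED_CONTAINER, "report-2024.json", b'{"ok":1}',
                        lambda c, n, d: store.__setitem__((c, n), d)), store)   # 201
    print(handle_upload({}, ALLOWED_CONTAINER, "a.txt", b"x", lambda *a: None))  # 401
    print(handle_upload(headers, ALLOWED_CONTAINER, "../x", b"x", lambda *a: None))  # 400
```

Two design points worth noting: the storage Access Key never reaches the PowerApp at all, since the Function authenticates to storage with its managed identity, and the custom connector's own Azure AD token is what the app role check inspects, so revoking the role assignment cuts the app off without touching the storage account's network rules.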