I want to connect from Azure App Service to Azure Storage Account, specifically Azure Blob Storage.
The App Service and Azure Storage Account have both been integrated with a Virtual Network, with the App Service in subnet 1 and the storage account in subnet 2. In the Networking setup for Storage, I also enabled 'Enabled from selected virtual networks and IP addresses' and specified the VNET and Subnet of the App Service, but it's not working. In the network security group, I have also allowed 'AllowAny' for the Virtual Network Service tag for both Inbound and Outbound. From what I understand, subnets within the same VNET should be able to connect to each other by default. However, when I try to upload a file from the App Service, I get an error indicating that it cannot connect to the Storage Account. Currently, I am using the Storage Account Access Key to connect, and I have ensured that I am using the latest Access Key. Please let me know if there are any network-related setups that I should check.By the way, If I remove the Virtual network from blob storage and select "Enabled from all networks" it works fine.
Appreciated for for all your assistance.
The connectivity doesn't work because your storage account is not connected to the virtual network (allowing access from a network doesn't mean the storage account is part of the network).
You have two options to connect to a storage account within a network.
Service Connections
You mentioned that your App Service is integrated with a virtual network, meaning its OUTBOUND traffic goes to the network first. I'd assume you delegated a subnet A to the App Service plan. In order to connect to the storage account, you must allow a Service Connection Microsoft.Storage
(see picture below) in Subnet A. This connection will route the VNet traffic to the Microsoft backbone and reach the target storage account.
Private Endpoints
Private endpoints can be thought of as a virtual network card with a static IP address attached to the target service, enabling INBOUND connectivity from the VNet to the service.
When you create a private endpoint resource for the storage account you must assign it a private IP address (static). The address must fall within the subnet IP range, which in your case would be subnet B. It differs from the delegated subnet A.
Also, private endpoint setup involves creating a DNS record to translate your connection string (and HTTP requests), which looks like https://<storage-account-name>.blob.core.windows.net/
, to a static IP address.
Private endpoints are a more advanced topic, so I recommend learning it more deeply. Service Endpoints are more straightforward, but are more secure, as you can completely isolate your target service from any access besides the VNet.