App Service to Storage Account Connection in Azure Virtual Network
I want to connect from Azure App Service to Azure Storage Account, specifically Azure Blob Storage.
The App Service and Azure Storage Account have both been integrated with a Virtual Network, with the App Service in subnet 1 and the storage account in subnet 2. In the Networking setup for Storage, I also enabled 'Enabled from selected virtual networks and IP addresses' and specified the VNET and Subnet of the App Service, but it's not working. In the network security group, I have also allowed 'AllowAny' for the Virtual Network Service tag for both Inbound and Outbound. From what I understand, subnets within the same VNET should be able to connect to each other by default. However, when I try to upload a file from the App Service, I get an error indicating that it cannot connect to the Storage Account. Currently, I am using the Storage Account Access Key to connect, and I have ensured that I am using the latest Access Key. Please let me know if there are any network-related setups that I should check.By the way, If I remove the Virtual network from blob storage and select "Enabled from all networks" it works fine.
Appreciated for for all your assistance.
The connectivity doesn't work because your storage account is not connected to the virtual network (allowing access from a network doesn't mean the storage account is part of the network).
You have two options to connect to a storage account within a network.
- Service Connections
- Private Endpoints
Service Connections
You mentioned that your App Service is integrated with a virtual network, meaning its OUTBOUND traffic goes to the network first. I'd assume you delegated a subnet A to the App Service plan. In order to connect to the storage account, you must allow a Service Connection Microsoft.Storage (see picture below) in Subnet A. This connection will route the VNet traffic to the Microsoft backbone and reach the target storage account.
Private Endpoints
Private endpoints can be thought of as a virtual network card with a static IP address attached to the target service, enabling INBOUND connectivity from the VNet to the service.
When you create a private endpoint resource for the storage account you must assign it a private IP address (static). The address must fall within the subnet IP range, which in your case would be subnet B. It differs from the delegated subnet A.
Also, private endpoint setup involves creating a DNS record to translate your connection string (and HTTP requests), which looks like https://<storage-account-name>.blob.core.windows.net/, to a static IP address.
Private endpoints are a more advanced topic, so I recommend learning it more deeply. Service Endpoints are more straightforward, but are more secure, as you can completely isolate your target service from any access besides the VNet.
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database