Firewall access from Azure app service to blob storage using Virtual Network

Question

Originally I tried to restrict access from an app service to blob storage using IP addresses, however it turned out that you can only do this using a Virtual Network: Firewall access from Azure app service to blob storage

I want to be able to achieve this without setting up a point-to-site VPN. The steps I have taken to set up a virtual network in Azure are as follows:

• Created Network security group "securitygroup-frontend", add custom inbound rule called Web with Source: Service Tag, Source service tag: Internet, Source port ranges: *, Destination : Any, Destination port ranges: 80, 443, Protocol: Any, Action: Allow, Priority: 100
• Created Virtual Network with address space 192.168.0.0/23 and subnet called frontend address range 192.168.0.0/26 with network security group: securitygroup-frontend and subnet delegation to Microsoft.Web/serverFarms and service endpoints Microsoft.Storage
• Went to app service -> Networking -> Configure VNet integration -> Add VNet preview and select the subnet you created
• Went to Storage -> Firewalls and virtual Networking -> Configure VNet integration -> Select 'Selected networks' and add in the virtual network and subnet just created.

I have had to move Azure diagnostics and logs such as for key vault, service bus and sql azure to its own blob storage as these require blob storage outside of a virtual network and can't be made to work inside. The app service is in the Standard plan. The app service, blob storage and virtual network are all in the same region.

This question and answer does not provide any insights: https://social.msdn.microsoft.com/Forums/azure/en-US/9f4d8aeb-68a6-4ec1-9e11-bee2d1301792/allow-access-to-azure-storage-account-only-from-an-app-service?forum=windowsazurewebsitespreview

The above steps though block off access from the app service to blob storage and any assets within return an error: (403) Forbidden. If I remove the Virtual network from blob storage it works fine. What am I doing wrong?

Answer 1

Yes, you can do this using a VNet but you need to deploy the web app in a VNet with App Service Environments. You can not do this with VNet integration. Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. However, web app service in a regular app service plan is multi-tenant. With ASE, you could deploy it into your VNet.

You could get more details and explanation from this similar thread. According to a comment from silent, you could also consider deploying your web app inside a container which could be deployed in a VNet with some restriction.

Update

Sometimes, the deployment order for networking is important. In your case, you enable service endpoint before VNet integration. I suggest removing NSG restriction in integrated app subnet VNet for a test. Then you could check the following steps.

Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the web app is restarted, you could enable service endpoint and subnet delegation for this subnet. In the end, you could add the subnet in the firewall of the storage account.

The new version is in Preview and not GA currently. It might be not all functions available. you could also check the following characteristics.

• No gateway is required to use the new VNet Integration feature。
• You can access resources across ExpressRoute connections without any additional configuration beyond integrating with the ExpressRoute connected VNet.
• The app and the VNet must be in the same region.
• The new feature requires an unused subnet in your Resource Manager VNet.
• Your app must be in an Azure App Service deployment that is capable of scaling up to Premium v2.
• Your App Service plan must be a Standard, Premium, or PremiumV2 plan Production workloads are not supported on the new feature while it is in Preview
• The new VNet Integration feature doesn't work for apps in an App Service Environment.
• You cannot delete a VNet with an integrated app.
• Route tables and global peering are not yet available with the new VNet Integration.
• One address is used for each App Service plan instance. Since subnet size cannot be changed after assignment, use a subnet that can more than cover your maximum scale size. A /27 with 32 addresses is the recommended size as that would accommodate an App Service plan that is scaled to 20 instances.
• You can consume Service Endpoint secured resources using the new VNet Integration capability. To do so, enable service endpoints on the subnet used for VNet Integration.