
Accessing Azure Storage Account using private endpoints and VNet Integration from an Azure Function (app)

OK, this is to save someone else 4 days of work.

Trying to use VNet integration to connect an Azure Function in the North Central US region to a storage account in the US West region. The storage account in the US West region has the firewall enabled. The only reason I am posting this is that our staff normally sets this up for virtual machines, which have an IP address that can be added to the storage account firewall, and not for App Service plans.

This is for the case where you want to secure your Azure storage behind a private endpoint and you want a service plan (i.e. an Azure Function or Web App) to access that storage account.

When the storage account firewall is disabled, an App Service in the same VNet that contains the storage account endpoints (in its own subnet for the App Service) works. To clarify further: you would have a VNet with the default subnet, a storage subnet, and an app subnet. The storage account firewall is off. The web app can then access the endpoints that you set up in the storage subnet.

When the storage account firewall is enabled:

  • If you intend to use VNet peering (very easy), the VNets need to be in the same region (i.e. US East) or within a region pair (US East/US West).
  • You must set up VNet peering.
  • You must add the subnet used by the App Service to the storage account firewall.

Also, a subnet that is not within the same region or a region pair will not show up in the storage account firewall for you to add.

There is the option to try a preview feature, AllowGlobaltagsForStorage, but I cannot use that within a production environment.

So to clarify this:

  • You have VNet useastvnet with subnets default and storage.
  • Your storage account has private endpoints into the storage subnet.
  • The storage account firewall is enabled.
  • You have another VNet uswestvnet with subnets default and apps.
  • You have useastvnet peered with uswestvnet.
  • You have the subnet apps added to the storage account firewall.
  • You have your web app or Azure Function using VNet integration into the apps subnet.

With this setup you can simply use the storage account connection string and everything should work, as long as you have the endpoints set up that you need.
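The firewall and VNet-integration pieces of the setup above, written as a Bicep template. This is an added example, not code from the original post; it assumes useastvnet (with the private endpoints), uswestvnet with its apps subnet, the peering between them and an App Service plan already exist, and all names are placeholders.

```bicep
// Added example, not from the original post. Assumes both VNets, the peering
// and the private endpoints already exist; resource names are placeholders.
param location string = 'westus'
param storageAccountName string = 'stexamplewest'
param functionAppName string = 'func-example-west'
param appServicePlanId string
param appsSubnetId string // resource ID of the 'apps' subnet in uswestvnet

// Firewall enabled: default Deny, with only the 'apps' subnet allowed.
// The subnet must carry the Microsoft.Storage service endpoint, otherwise
// the virtualNetworkRules entry is rejected at deployment time.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        { id: appsSubnetId, action: 'Allow' }
      ]
    }
  }
}

// Function app integrated into the 'apps' subnet. vnetRouteAllEnabled routes
// all outbound traffic through the VNet rather than only private-range and
// service-endpoint traffic, so every request leaves from the allowed subnet.
resource func 'Microsoft.Web/sites@2023-01-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    virtualNetworkSubnetId: appsSubnetId
    vnetRouteAllEnabled: true
    siteConfig: {
      appSettings: [
        // Plain connection string, exactly as the post says is sufficient.
        { name: 'AzureWebJobsStorage', value: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}' }
      ]
    }
  }
}
```

If deployment of the storage rule fails, check that the apps subnet has the Microsoft.Storage service endpoint enabled and that both VNets are in the same region or region pair, which is the constraint the post describes.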

So my fix was to move my setup to the US West region.
