unable to access storage account with a private endpoint from standard logic apps using managed identity

Vilas Rao Perka 30 Reputation points Microsoft Employee
2024-06-13T03:15:07.93+00:00

Tags: Azure Storage, Azure Logic Apps, Azure Virtual Network, Azure Private Link, Microsoft Entra ID

Answer accepted by question author
  1. KapilAnanth 49,846 Reputation points Moderator
    2024-06-14T11:01:17.13+00:00

    @Vilas Rao Perka ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    From your verbatim, I see

    • You have a Standard Logic Apps integrated into a VNET
    • You have created a PE of Storage Account in the same VNET
    • Using Managed Identity, you are able to connect to the Storage Account with Public Access
    • Your requirement is now to establish connectivity to the Storage Account via PE and Public Access disabled.
      • Which actually gives a 403 error.

    From my Analysis,

    • I don't think your requirement is supported.
    • Public Access working means there is no issue with Managed Identity.
    • However, I don't think the prebuilt connectors you use would be a part of the VNET
      • And as such, it will not make connections using the Private IP Address range of the VNET you have integrated the Logic Apps with
    • See: AzureConnectors and Service Tags
    • So, instead, you should use
      • "Enabled from selected virtual networks and IP addresses"
      • And allow the IPs from AzureConnectors.<YOURLOGICAPPSREGION>
    • You confirmed that using the last step, you were able to establish connectivity.

    P.S.:

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil


1 additional answer

  1. Mark Nash 0 Reputation points
    2025-10-16T15:37:42.6133333+00:00

    We hit this scenario and found that adding the AzureConnector IPs to the Storage account Firewall for our region allowed the required connectivity.

    The Microsoft IP ranges can be downloaded here:
    https://www.microsoft.com/en-us/download/details.aspx?id=56519

    Background

    We were limited on the region we had been allowed to use by a customer and so couldn't move the logic app or storage to another region.
    We needed to keep the storage locked down as it contained files we did not want publicly accessible.

    Our Storage account was set up with a private endpoint for Blob.
    The Standard logic app was integrated within the same VNet (separate subnets) as the private endpoint.
    The Logic App was set up with a System managed Identity and Storage Blob Contributor permissions.

    Before adding the AzureConnector IPs we could connect to the storage when the storage firewall was open, and could not connect when it was locked down.

    Looking at the Audit logs we could see attempts were made by the System Managed Identity to Authenticate but these were failing and coming from a 10.x.x.x IP address which was not configured within our estate (This will be the backbone IP I imagine).

    Once we added the AzureConnector ranges for our region, the connections worked.
    (The Storage firewalls don't take /32 CIDRs, so for the /32 addresses just use the full IP, and for the /27 and /28 ranges put these in as CIDR format)

    Hope this helps!

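Both answers above describe the same procedure: take the `AzureConnectors.<region>` prefixes from the Azure IP ranges download, turn them into storage account firewall rules (bare IP for a /32, CIDR for wider ranges), and then confirm that the source address seen in the storage audit logs is covered. The script below is an added example written for this thread, not code from either poster or from Microsoft. It parses a constructed JSON fragment in the shape of the ServiceTags download (the prefixes are documentation-range placeholders, not real Azure ranges), keeps only IPv4 prefixes because storage IP rules accept public IPv4 only, and emits `az storage account network-rule add` commands for an assumed account and resource group. Point `load_service_tags` at the real downloaded file to use it for a region of your own.

```python
import ipaddress
import json
from pathlib import Path

# Constructed sample in the shape of the "ServiceTags_Public_*.json" download
# from https://www.microsoft.com/en-us/download/details.aspx?id=56519.
# The prefixes are RFC 5737/3849 documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {
            "name": "AzureConnectors.WestEurope",
            "properties": {
                "region": "westeurope",
                "addressPrefixes": [
                    "203.0.113.10/32",      # single address -> bare IP rule
                    "203.0.113.64/27",      # wider range    -> CIDR rule
                    "198.51.100.128/28",
                    "2001:db8:1::/48",      # IPv6 -> not usable in storage IP rules
                ],
            },
        },
        {
            "name": "AzureConnectors.NorthEurope",
            "properties": {"region": "northeurope",
                           "addressPrefixes": ["192.0.2.0/28"]},
        },
    ]
})


def load_service_tags(path: str) -> str:
    """Read the downloaded ServiceTags JSON file from disk."""
    return Path(path).read_text(encoding="utf-8")


def connector_prefixes(service_tags_json: str, region: str) -> list[str]:
    """Return the IPv4 prefixes of the AzureConnectors.<region> tag.

    IPv6 prefixes are dropped: storage account IP network rules only accept
    public IPv4 addresses and ranges.
    """
    data = json.loads(service_tags_json)
    wanted = f"AzureConnectors.{region}".lower()
    for entry in data["values"]:
        if entry["name"].lower() == wanted:
            return [p for p in entry["properties"]["addressPrefixes"]
                    if ipaddress.ip_network(p, strict=False).version == 4]
    raise KeyError(f"service tag AzureConnectors.{region} not found")


def to_firewall_rules(prefixes: list[str]) -> list[str]:
    """Rewrite prefixes into the form the storage firewall accepts:
    a /32 becomes the bare IP, anything wider stays in CIDR notation."""
    rules = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        rules.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return rules


def az_cli_commands(rules: list[str], account: str, resource_group: str) -> list[str]:
    """One `az storage account network-rule add` command per rule.
    The account and resource group names are caller-supplied assumptions."""
    return [f"az storage account network-rule add --account-name {account} "
            f"--resource-group {resource_group} --ip-address {r}" for r in rules]


def is_allowed(source_ip: str, prefixes: list[str]) -> bool:
    """Check whether an address seen in the storage audit/diagnostic logs
    falls inside the allowed prefixes. A 10.x.x.x source, as in the thread,
    is private address space and will never match a public connector range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


if __name__ == "__main__":
    prefixes = connector_prefixes(SAMPLE_SERVICE_TAGS, "WestEurope")
    rules = to_firewall_rules(prefixes)
    # "stlogicappdemo" and "rg-demo" are placeholder names for this example.
    for cmd in az_cli_commands(rules, "stlogicappdemo", "rg-demo"):
        print(cmd)
    print("10.1.2.3 allowed:", is_allowed("10.1.2.3", prefixes))
    print("203.0.113.70 allowed:", is_allowed("203.0.113.70", prefixes))
```

The `is_allowed` check is the useful follow-up to what Mark describes: after the rules are in place, take the caller IP from the failing `StorageBlobLogs` entry and confirm it is inside one of the connector prefixes before assuming the 403 is an identity problem rather than a network one.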
