Unable to access Azure Blob storage from Azure app service

Debashis Jena 71

Hi,

We have an Azure app service which is present inside App gateway. While we're trying to download a file which is present inside Azure blob storage from app service, WAF is giving 403 forbidden error.

Please suggest how will we be able to access Azure blob storage from app service.

Tushar Kumar 3,326 Reputation points MVP

2023-09-28T11:09:02.1933333+00:00

Do you have your WAF configured in prevention mode ?
Debashis Jena 71 Reputation points

2023-09-28T13:16:05.2566667+00:00

Yes, it is in prevention mode

1 answer

brtrach-MSFT 16,346 Reputation points Microsoft Employee

2023-10-03T23:51:22.7366667+00:00

@Debashis Jena To allow your Azure App Service to access Azure Blob Storage, you need to enable a firewall exception on the VNet to allow connections from trusted Azure services.

To configure the exception in the Azure portal for Azure Blob Storage, navigate to Networking > Firewalls and virtual networks. Then select Allow Azure services on the trusted services list to access this storage account.

Also, make sure that your WAF is configured to allow traffic to and from Azure Blob Storage. You can deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. WAF provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.
Please sign in to rate this answer.
Debashis Jena 71 Reputation points

2023-10-04T09:19:26.58+00:00

Hi Brtrach,

Thanks for your response.

We have already configured "Allow Azure services on the trusted services list to access this storage account" in Blob storage networking configuration.

Can you please explain how to configure WAF to allow traffic to and from Azure Blob Storage?

brtrach-MSFT 16,346 Reputation points Microsoft Employee

2023-10-11T00:03:34.0833333+00:00

@Debashis Jena To configure WAF to allow traffic to and from Azure Blob Storage, you need to create a custom rule in the Azure Web Application Firewall (WAF) that allows traffic to and from the IP address range of Azure Blob Storage.

Here are the steps to create a custom rule in WAF:

In the Azure portal, navigate to your WAF instance and select Rules under the Web application firewall section.

Click on the Add button to create a new rule.

In the Add rule blade, enter a name for the rule and select Custom rule as the rule type.

In the Custom rule blade, enter the following details:

Rule name: Enter a name for the rule.

Priority: Enter a priority for the rule.

Match type: Select IP address.

Match value: Enter the IP address range of Azure Blob Storage. You can find the IP address range in the Azure documentation.

Click on the Add button to create the rule.

Once the rule is created, you need to associate it with the WAF policy that is applied to your Azure App Service.

In the Azure portal, navigate to your WAF policy and select Rules under the Web application firewall section.

Click on the Add button to add the custom rule to the policy.

In the Add rule blade, select the custom rule that you created earlier and click on the Add button.

Once the rule is added to the policy, it will be applied to your Azure App Service and traffic to and from Azure Blob Storage will be allowed.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Unable to access Azure Blob storage from Azure app service

1 answer

Your answer