Access Azure storage account from pipeline agent in same region with access restrictions enabled

Kale, Vaibhav 41 Reputation points
2021-07-13T16:18:48.197+00:00

Hi,

I am using Azure Batch service to create a pool of VMs. This Azure Batch Pool is created with specified public IP addresses as per link

I have configured an Azure Storage account in the same region with selected network access, and am allowing the static public address in the selected network. Still my Azure Batch pool VMs seem unable to access this storage account. I found another link https://video2.skills-academy.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range which states that "Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you can't restrict access to specific Azure services based on their public outbound IP address range."

If I understand this correctly, Azure Storage accounts in a different subscription/tenant but the same region will not be able to use the static public IP address of the Azure Batch Pool in the same region? This seems to be a big limitation for Azure Batch service trying to work with data from different Azure storage accounts. Can you please clarify?

Found a similar unanswered question https://stackoverflow.com/questions/65019375/access-azure-storage-account-from-pipeline-agent-in-same-region-with-access-rest

Thanks,
Vaibhav


Accepted answer
  1. prmanhas-MSFT 17,901 Reputation points Microsoft Employee
    2021-07-16T12:12:25.68+00:00

    @Kale, Vaibhav Thank you for your patience over the matter!!!

    I had a discussion internally, and below is the response I got:

    The best approach is to have nodes join a VNet that has access to the storage account.
    As far as I know, IP filtering doesn’t work from any Azure resources in the same region (or its pair region) due to the optimized networking that storage uses. This is a limitation of storage, not Batch.

    You can share the same as feedback here as well.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

    1 person found this answer helpful.
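
The behaviour described in the accepted answer, modelled as a small firewall audit. This is an added example, not code from the original thread or from Microsoft. It assumes rule sets shaped like the `networkRuleSet` object printed by `az storage account show`; the `client` dictionary, the subnet ID, the regions and the IP address are constructed sample values, and the paired region is supplied by the caller.

```python
import ipaddress

def evaluate_access(rule_set, storage_region, paired_region, client):
    """Predict (allowed, reason) for one client against a storage firewall."""
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction is Allow"
    # Virtual network rules match the subnet the client is attached to
    # (the subnet also needs the Microsoft.Storage service endpoint).
    allowed_subnets = {r["virtualNetworkResourceId"].lower()
                       for r in rule_set.get("virtualNetworkRules", [])}
    subnet = (client.get("subnet_id") or "").lower()
    if subnet and subnet in allowed_subnets:
        return True, "subnet matches a virtual network rule"
    # Same-region (or paired-region) Azure traffic reaches storage from private
    # Azure addresses, so the client's public IP is never compared to ipRules.
    if client.get("azure_region") in (storage_region, paired_region):
        return False, "public IP rules do not apply; add a virtual network rule"
    ip = ipaddress.ip_address(client["public_ip"])
    for rule in rule_set.get("ipRules", []):
        if ip in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True, "public IP matches an IP rule"
    return False, "no rule matches"

# Constructed sample data (placeholder subscription ID, documentation IP range).
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
          "/resourceGroups/rg-example/providers/Microsoft.Network"
          "/virtualNetworks/vnet-batch/subnets/pool")
IP_ONLY = {"defaultAction": "Deny",
           "ipRules": [{"ipAddressOrRange": "203.0.113.10"}],
           "virtualNetworkRules": []}
WITH_VNET = dict(IP_ONLY,
                 virtualNetworkRules=[{"virtualNetworkResourceId": SUBNET}])
BATCH_NODE = {"azure_region": "eastus", "public_ip": "203.0.113.10",
              "subnet_id": SUBNET}
REMOTE_NODE = {"azure_region": "northeurope", "public_ip": "203.0.113.10",
               "subnet_id": None}

if __name__ == "__main__":
    cases = [("same region, IP rule only", IP_ONLY, BATCH_NODE),
             ("same region, VNet rule", WITH_VNET, BATCH_NODE),
             ("other region, IP rule only", IP_ONLY, REMOTE_NODE)]
    for name, rules, client in cases:
        print(name, "->", evaluate_access(rules, "eastus", "westus", client))
```

The first case reproduces the question: the pool's static public IP is allow-listed, yet the same-region node is denied until its subnet is added as a virtual network rule.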