When using Azure App Service to host web applications, it is common to mount file shares or blob storage hosted in an Azure Storage Account, a configuration also known as "Bring Your Own Storage (BYOS)". While the setup process is seamless, troubleshooting mount issues can be challenging due to different authentication, networking and other configuration aspects.
Whether you are encountering errors during application startup or seeing permission denied messages, this guide walks through a step-by-step checklist to validate the underlying dependencies and settings required for a successful mount:
- On the Azure portal, open the Web App Configuration menu and select the Path Mappings tab. Confirm that the external storage is not being mounted to the unsupported filesystem paths /home, /tmp or /.
- If you have selected the Advanced configuration option for the mount, ensure that the Storage Account and the File Share name are not misspelled, the correct protocol is selected, and the Access Key matches one of the Storage Account keys:
- When using an SMB file share, ensure that the Security Profile is set to Maximum compatibility:
If your Web App is not integrated with any Virtual Network, and the Storage Account has public network access enabled, the above verifications should be sufficient to ensure that the mount is successfully configured.
However, if your Web App is integrated with a Virtual Network, or the Storage Account needs to be accessed through a Private Endpoint or Service Endpoint, you may face additional setbacks related to networking restrictions. The following steps will help validate what might be preventing the configuration from working as expected:
- Confirm that outbound traffic targeting the Storage Account is allowed on the Network Security Group (NSG) assigned to the Web App subnet. Azure Files requires access through port 445, and Azure Blobs requires access through port 443. The following screenshot demonstrates sample NSG outbound rules whitelisting both ports:
- If the subnet is routing traffic through a Network Virtual Appliance (NVA) via a user-defined route, ensure that connections to the Storage Account are whitelisted on the filtering network device. To determine if the NVA is blocking access, you may temporarily add a new route to bypass the device for connections targeting Azure Storage:
- If the Storage Account is allowing connections from selected Virtual Networks, confirm that the Web App Virtual Network and its subnet are whitelisted under the Storage Account Networking menu, as seen below:
- The external storage may also fail to mount due to DNS resolution failures. You can confirm whether DNS resolution from the Web App to the Storage Account succeeds by using the Network Troubleshooter detector:
The Network Troubleshooter will also inform you if the Web App is using a custom DNS server, or Azure-provided DNS:
- If using the default Azure DNS Server and a Private Endpoint for the Storage Account:
  - Confirm that the Web App Virtual Network has a Private DNS Zone assigned, with the entry privatelink.file.core.windows.net (for Azure Files) or privatelink.blob.core.windows.net (for Azure Blob Storage)
  - Confirm that the above entries contain record sets pointing to the IP of the Storage Account Private Endpoint
- If using a custom DNS Server and a Private Endpoint for the Storage Account: ensure that your custom DNS server has an entry to resolve the Storage Account domain using the IP address provided by the Private Endpoint NIC
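The DNS and port checks in the list above can be scripted and run from inside the Web App, for example from its SSH console. This is an added example, not code from the original post or from Microsoft; it assumes a Python 3 interpreter is available in the app container, and the function names and verdict strings are illustrative. Pass `private` when a Private Endpoint is expected, and `public` for public access or a Service Endpoint.

```python
import ipaddress
import socket
import sys

PORTS = {"file": 445, "blob": 443}  # ports named in the checklist above

def storage_fqdn(account, service):
    """Endpoint name the mount connects to; service is 'file' or 'blob'."""
    if service not in PORTS:
        raise ValueError(f"service must be one of {sorted(PORTS)}")
    return f"{account}.{service}.core.windows.net"

def resolve(fqdn):
    """Return the sorted set of addresses the local resolver gives, or []."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(address, port, timeout=5.0):
    """True if a TCP connection to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(account, service, expect_private, resolver=resolve, prober=port_open):
    """Resolve the endpoint, compare with the expected design, probe the port."""
    fqdn, port = storage_fqdn(account, service), PORTS[service]
    addresses = resolver(fqdn)
    private = [ipaddress.ip_address(a).is_private for a in addresses]
    if not addresses:
        verdict = "DNS_FAILURE"
    elif expect_private and not all(private):
        # The privatelink zone or custom DNS entry is missing or not linked.
        verdict = "RESOLVES_PUBLIC_BUT_PRIVATE_ENDPOINT_EXPECTED"
    elif not all(prober(a, port) for a in addresses):
        # Name resolves as expected, so look at NSG rules, the NVA or the firewall.
        verdict = "PORT_BLOCKED"
    else:
        verdict = "OK"
    return {"fqdn": fqdn, "port": port, "addresses": addresses, "verdict": verdict}

if __name__ == "__main__":
    # Usage: python3 check_mount.py <account> <file|blob> <private|public>
    account, service, mode = sys.argv[1:4]
    print(check(account, service, expect_private=(mode == "private")))
```

A `DNS_FAILURE` or `RESOLVES_PUBLIC_BUT_PRIVATE_ENDPOINT_EXPECTED` verdict points at the DNS items in the checklist, while `PORT_BLOCKED` points at the NSG, NVA and Storage Account networking items.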
By verifying the steps above, you can resolve most issues related to Storage Account mounts in Azure App Service. While the root cause may vary, following a structured troubleshooting approach greatly improves the chances of identifying the problem quickly.
If you have worked through these steps and your configuration is still not working as expected, do not hesitate to get in touch with Microsoft Support. We will be more than happy to help you get it sorted.
For additional documentation regarding the resources, we recommend reviewing the following pages:
Updated Apr 09, 2025
Version 1.0
PedroGuerraPT
Microsoft